Ignore GDPR at your peril

9 February 2018
It’s tempting to see the new General Data Protection Regulation (GDPR) as more legislation that can be safely ignored. After the GDPR takes effect, and all the lawyers, consultants and event organisers have made their money, it will be business as usual, right?
 
Unfortunately the answer is no. For healthcare organisations, doing nothing before the 25 May deadline is risky bordering on reckless.
 
While it’s true that in many ways GDPR simply reinforces principles in existing data protection legislation, it also introduces some fundamental changes that anyone dealing with healthcare data, specifically personal medical information, needs to heed.
 
In 2015/16, 45% of all data security breaches reported to the Information Commissioner’s Office (ICO) involved the health care sector. In May 2016, the ICO handed out fines totalling £365,000 to NHS organisations.
 
Under the GDPR, maximum fines will increase from £500,000 to €20 million (or 4% of annual worldwide turnover, whichever is higher). If the biggest fine handed out to an NHS organisation to date – £325,000 to Brighton and Sussex University Hospitals NHS Trust – were scaled up under the new rules it could reach €15 million.
 
Speaking at a recent PCC event, David Hill, legal director at Hill Dickinson, said: “There’s money to be made creating a sense of alarm about GDPR, but there are some objective reasons we need to get to grips with it. If you do nothing, you will almost certainly be in breach.”
 
Since 2010 European lawmakers have been concerned by patchy implementation of data protection law. With each country free to enact its own legislation, there is no common understanding of fundamental concepts. For example, definitions of “personal information” vary from country to country.
 
The EU therefore decided to replace the current directive, with its wide scope for interpretation, with a single regulation that applies directly in every member state; national legislation is needed only to fill in the details the regulation leaves to each country.
 
Hill warned against the hope that GDPR could become irrelevant post-Brexit. Financial services companies and other organisations hoping to trade in Europe after the UK’s withdrawal will need to be GDPR compliant. Meanwhile new legislation implementing GDPR is currently making its way through the UK Parliament. “GDPR is here to stay,” Hill says.
 
“A lot is not new but is augmenting what is already there or making explicit what is now implicit,” said Hill.
 
AMONG THE CHANGES ARE:
 
  • New/amended definitions and scope
  • New/amended data protection principles
  • New/amended conditions for processing
  • New rules about consent
  • New/amended data subject rights
  • New obligations for data controllers and processors
  • More robust regulation and enforcement.

For health care organisations, where the data being processed is sensitive personal data – or what GDPR now terms “special category data” – the rules are set to become much tighter. Where consent is the lawful basis relied on, it cannot be inferred: it must be explicit.
 
Hill warns NHS bodies not to rely on consent where there is no genuine choice on offer. For example, a patient undergoing a course of treatment should not be given a choice about whether the clinicians concerned can access their medical records. “It’s fine to say in effect we’re not asking for your consent because it’s part and parcel of the service,” Hill says.
 
“A way can always be found for any processing that is legitimate. For example, get the patient to sign to acknowledge what you propose to do with their data rather than obtain consent.”
 
The law makes no distinction between large and small organisations. So while trusts and other large NHS bodies may feel confident that they have the capacity to deal with the new rules around record-keeping and the compulsory appointment of data protection officers, others, such as general practices, may be concerned about another tsunami of bureaucracy heading their way.
 
Acknowledging that understanding and implementing the new arrangements could seem onerous, Hill said this was another area where it made sense for practices to join forces. For example, LMCs and federations could develop policies that can be shared by their practices. While every practice will be required to have a data protection officer (DPO), a single DPO may act for more than one organisation – again, this could be a role performed at federation level on behalf of a number of practices.
 
The PCC and Hill Dickinson event Implications of GDPR on the Health Care Sector is repeated on 12 April in Leeds. Other local events may also be run, subject to sufficient demand.
 
To book your place at the Leeds event: http://bit.ly/2Ex0nvP
 
For all other enquiries email enquiries@pcc-cic.org.uk with GDPR in the subject line.