Ignore GDPR at your peril

9 February 2018
It’s tempting to see the new General Data Protection Regulation (GDPR) as more legislation that can be safely ignored. After the GDPR takes effect, and all the lawyers, consultants and event organisers have made their money, it will be business as usual, right?
 
Unfortunately the answer is no. For healthcare organisations, doing nothing before the 25 May deadline is risky bordering on reckless.
 
While it’s true that in many ways GDPR simply reinforces principles in existing data protection legislation, it also introduces some fundamental changes that anyone dealing with healthcare data, specifically personal medical information, needs to heed.
 
In 2015/16, 45% of all data security breaches reported to the Information Commissioner’s Office (ICO) involved the health care sector. In May 2016, the ICO handed out fines totalling £365,000 to NHS organisations.
 
Under the GDPR, the maximum fine rises from £500,000 to €20 million (or 4% of global annual turnover, whichever is higher). If the biggest fine handed out to an NHS organisation to date - £325,000 to Brighton and Sussex University Hospitals NHS Trust - were scaled up under the new rules it could reach €15 million.
 
Speaking at a recent PCC event, David Hill, legal director at Hill Dickinson, said: “There’s money to be made creating a sense of alarm about GDPR, but there are some objective reasons we need to get to grips with it. If you do nothing, you will almost certainly be in breach.”
 
Since 2010 European lawmakers have been concerned by patchy implementation of data protection law. With each country free to enact its own legislation, there is no common understanding of fundamental concepts. For example, definitions of “personal information” vary from country to country.
 
A decision was taken to replace the current EU directive, with its wide scope for interpretation, with a regulation that applies directly and uniformly in every member state, without first having to be transposed into national law.
 
Hill warned against the hope that GDPR could become irrelevant post-Brexit. Financial services companies and other organisations hoping to trade in Europe after the UK’s withdrawal will need to be GDPR compliant. Meanwhile new legislation implementing GDPR is currently making its way through the UK Parliament. “GDPR is here to stay,” Hill says.
 
“A lot is not new but is augmenting what is already there or making explicit what is now implicit,” said Hill.
 
Among the changes are:
 
  • New/amended definitions and scope
  • New/amended data protection principles
  • New/amended conditions for processing
  • New rules about consent
  • New/amended data subject rights
  • New obligations for data controllers and processors
  • More robust regulation and enforcement.

For health care organisations, where the data being processed is sensitive personal data - or what GDPR now terms "special category data" - the rules are set to become much tighter. Where an organisation relies on consent as its basis for processing, that consent cannot be inferred: it must be explicit.
 
Hill warns NHS bodies not to rely on consent where there is no genuine choice on offer. For example a patient undergoing a course of treatment should not be given a choice about whether the clinicians concerned can access their medical records. “It’s fine to say in effect we’re not asking for your consent because it’s part and parcel of the service,” Hill says.
 
“A way can always be found for any processing that is legitimate. For example, get the patient to sign to acknowledge what you propose to do with their data rather than obtain consent.”
 
The law makes no distinction between large and small organisations. Trusts and other large NHS bodies may feel confident that they have the capacity to deal with the new rules on record-keeping and the compulsory appointment of data protection officers, but smaller organisations such as general practices may be concerned about another tsunami of bureaucracy heading their way.
 
Acknowledging that understanding and implementing the new arrangements could seem onerous, Hill said this was another area where it made sense for practices to join forces. For example, local medical committees (LMCs) and federations could develop policies that can be shared by their practices. While every practice will be required to have a data protection officer (DPO), a single DPO may act for more than one organisation - again, this could be a role performed at federation level on behalf of a number of practices.
 
The PCC and Hill Dickinson event Implications of GDPR on the Health Care Sector is repeated on 12 April in Leeds. Other local events may also be run, subject to sufficient demand.
 
To book your place at the Leeds event: http://bit.ly/2Ex0nvP
 
For all other enquiries email enquiries@pcc-cic.org.uk with GDPR in the subject line.