What is the GDPR and how is it going to affect me?
The new General Data Protection Regulation (‘GDPR’) is a European regulation and will apply for as long as the UK remains in the EU. In any event, its provisions will be adopted by the UK government and will be transposed into UK law by the new Data Protection Bill currently making its way through Parliament. The GDPR (and all UK privacy legislation) is and will be enforced by The Information Commissioner’s Office (‘ICO’).
Healthcare is a particularly data-rich industry, and the GDPR will place greater responsibilities on healthcare organisations and practitioners in terms of how they use, share, store and protect data. The aim of the GDPR is to give individual “data subjects” more control over their Personal Data, and to help ensure that such data is kept safe once collected.
So, what's happening on 25 May 2018?
This is the date upon which the GDPR comes into force and becomes a part of UK law. It is important that you start preparing for the changes that the GDPR will bring, and ensure that you have a plan in place regarding how you and your healthcare organisation manage data, as well as an understanding of the measures that need to be put in place to ensure compliance with the new, enhanced, privacy regime.
What information does the GDPR apply to?
The GDPR applies to the “processing” of all “Personal Data”. Processing is defined very broadly and covers almost anything done with data, including collecting, recording, storing, consulting, disclosing, sharing and erasing it.
What is Personal Data and what rules apply to that?
“Personal Data” is, for the purposes of the GDPR, any information relating to a living individual who can be directly or indirectly identified from it, either alone or in combination with other information. Such an individual is referred to as a “Data Subject”.
Personal identifiers which will constitute “Personal Data” include names, identification numbers, location data or other online identifiers. You must have a valid lawful basis in order to process Personal Data. These lawful bases are set out in Article 6 of the GDPR and are:
- consent (where the Data Subject has given clear, unambiguous consent to the processing of their Personal Data by means of an affirmative act),
- contractual obligation (the processing of the relevant Personal Data is necessary for the purposes of complying with the terms of a contract you have with the relevant Data Subject),
- legal obligation (where it is necessary to process a Data Subject’s Personal Data to comply with the law),
- vital interests (where the processing of Personal Data is necessary to protect the life of the Data Subject or of another person),
- public task (where the processing of Personal Data is necessary to perform a task in the public interest or through your official functions, and that task or function has a clear basis in law) and
- legitimate interests (where the processing of Personal Data is necessary for your legitimate interests or those of a third party, unless those interests are overridden by the interests, rights or freedoms of the Data Subject).
What is sensitive Personal Data and what different rules apply to that?
All Personal Data must be processed lawfully under one or more of the Article 6 grounds set out above. In addition, the GDPR prohibits processing of certain categories of data including “sensitive” Personal Data unless a specified exemption applies. This includes data revealing race, ethnic origin, politics, religion or trade union membership. Importantly for surgeons, this also includes data revealing genetic details, biometric data, sexual orientation or health. Any clinical record concerning an identifiable patient will contain “sensitive” Personal Data.
If a surgeon wishes to process sensitive Personal Data, then the processing must be necessary (a reasonable and proportionate way of achieving the relevant purpose) and one of the ten conditions set out in Article 9(2) of the GDPR must apply. In the healthcare context, the most likely to apply are
- Explicit consent (from the patient)
- Where processing of the sensitive Personal Data is necessary to protect the vital interests of the patient (usually where the patient is incapable of giving consent)
- For the purposes of health and social care (such as where necessary for the purposes of preventative or occupational medicine, for assessment of the working capacity of the employee, medical diagnosis, or the provision of health or social care or treatment), provided the data are processed by or under the responsibility of a professional bound by an obligation of professional secrecy
- Public interest in the area of public health
If you can reasonably achieve the same purpose without processing sensitive Personal Data, you will not usually have a lawful basis to process it.
In order to lawfully process sensitive Personal Data, a Data Controller (which is the person or organisation who decides how and for what purpose Personal Data is collected for processing) must identify a lawful basis under the Article 6 grounds, and a separate condition for processing sensitive Personal Data under Article 9. These do not have to be linked.
What different rules apply to the personal data of deceased patients?
The GDPR does not apply to Personal Data relating to deceased patients. However the common law of confidentiality, regulatory obligations, general expectations of privacy and human rights, and relevant legislation relating to access to health records remain applicable when considering the Personal Data of the deceased.
What are the key changes introduced by the GDPR in relation to the processing of Personal Data/sensitive Personal Data?
The GDPR introduces a higher bar for relying on consent.
- Consent, when required for the processing of Personal Data, must be freely given, specific, informed and unambiguous and involve a positive indication of that consent. Consent cannot be inferred from silence, pre-ticked boxes or inactivity and it must be separate from other terms and conditions. Your organisation will need to provide simple ways for patients to withdraw consent at any time and for any reason.
- Where you rely on consent to offer online services directly to a child, the consent of a parent or guardian is required for children below a set age (16 under the GDPR, although member states may lower this to 13 and the UK intends to do so). Parental consent is not otherwise a general requirement, but any information or consent request addressed to a child must be in language the child can understand.
- Patients will be entitled to ask for Personal Data to be erased where there is no compelling reason for its continued processing, notably where it is no longer necessary for the purpose for which it was collected. This right is not absolute: it does not apply where the processing remains necessary, for example to comply with a legal obligation, for public health purposes or for the establishment or defence of legal claims, which will often be the case for clinical records.
- Patients will be entitled to ask for Personal Data in their records to be rectified if it is inaccurate or incomplete.
- Patients will have greater rights of access, free of charge, to any Personal Data held about them by your private clinic or hospital. Subject access requests must be responded to without undue delay and in any event within one month of receipt, although this may be extended by a further two months where a request is complex or numerous requests are received from the same individual.
- You must keep clear records to demonstrate consent (including details of the date, the mechanism by which consent was obtained, and the wording used).
Governance and Accountability Measures
- The GDPR introduces the concept of “accountability” which requires you to be able to demonstrate, through robust policies and procedures how you comply with its terms.
- If you are the data controller, you will have a duty to report certain types of data breaches to the ICO within stringent timescales, usually within 72 hours of becoming aware of the breach (a data processor acting on behalf of a controller must instead notify the controller without undue delay). You may also need to inform the individual Data Subjects affected by any breach, who may look to pursue a civil claim against you as part of their right to an “effective judicial remedy”. Further details of the requirements to notify the ICO and Data Subjects are set out below.
Transfer of Data Outside the EU
- Personal Data may only be transferred outside the EU (strictly, the European Economic Area) in certain permitted circumstances: to a country that the European Commission has found to provide an adequate level of protection, where appropriate safeguards are in place (such as standard contractual clauses approved by the Commission), or where one of a limited set of derogations applies (for example the explicit consent of the Data Subject after being informed of the risks).
Does the private hospital/clinic where I work have to put in place any other governance measures?
The private hospital/clinic will be expected to put in place comprehensive, but proportionate, governance measures. Your organisation will need to demonstrate that it has implemented appropriate measures such as the development of internal data protection policies with provision for ongoing staff training, record keeping, internal audits of processing activities and reviews of internal HR policies. It must also maintain relevant documentation on processing activities. Many may already be considering carrying out a Data Protection Impact Assessment (previously known as a “Privacy Impact Assessment”; this is not compulsory now, but once the GDPR comes into force it will be mandatory where processing is likely to result in a high risk to individuals, which includes large-scale processing of health data) and a Data Audit to assist with this process. Where required, organisations must appoint a Data Protection Officer.
Is it mandatory to appoint a Data Protection Officer?
A Data Protection Officer (DPO) is responsible for overseeing data protection strategy and ensuring compliance. Data Protection Officers must have expert knowledge of data protection law and practice, and their job description must reflect this requirement. NHS organisations, as public authorities, must appoint a DPO. If the core activities of your clinic/hospital involve large-scale processing of sensitive Personal Data, it must also appoint a DPO. An example of “large-scale processing” is the processing of patient data in the regular course of business by a hospital. It does not include processing of patient data by an individual surgeon. The DPO may be an existing member of staff or an external appointment, and may be shared between organisations, provided there is no conflict of interest with their other duties.
What is a data breach and what do I need to do if I discover a data breach?
A Personal Data breach is any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data. It includes sending Personal Data to an incorrect recipient and computing devices containing Personal Data being lost or stolen.
If a data breach is likely to result in a risk to individuals’ rights and freedoms, then it must be reported to the ICO without undue delay and, where feasible, within 72 hours after becoming aware of it. Given the sensitivity of clinical records, most data breaches in a healthcare context are likely to be reportable to the ICO. Breaches assessed as unlikely to result in a risk need not be reported, but every breach must still be recorded internally, together with its effects and the remedial action taken, so that the ICO can verify compliance. If your organisation has a DPO, then you should notify that person without delay in the event of a breach as they, along with your Management and Communications Teams, will guide you on next steps.
Do I need to notify my patient of the breach?
If a breach is likely to result in a “high” risk to the rights and freedoms of your patient, the GDPR indicates that you must inform them without delay. The threshold for informing an affected patient is higher than for informing the ICO.
Accidental disclosure of patient records, given that they contain sensitive Personal Data, will in most cases require notification to the affected patient as well as to the ICO.
What power does the Information Commissioner’s Office have under the GDPR?
The ICO’s powers include the following:
- To request controllers/processors to provide relevant information.
- To carry out data protection audits.
- To gain access to premises and data processing equipment.
- To issue warnings, reprimands and orders to bring processing operations into compliance where infringements have been discovered.
- To impose temporary or definitive limitations including a ban on processing.
- To require the rectification, restriction or erasure of data.
- To impose monetary penalties for breaches of the GDPR’s obligations, of up to €20 million or 4% of total worldwide annual turnover (whichever is higher) for the most serious infringements, including breaches of the lawful basis and consent requirements, of the rules on sensitive Personal Data and of Data Subjects’ rights, and up to €10 million or 2% for others, including failures to notify breaches or to appoint a DPO where required.