What is the GDPR?

The General Data Protection Regulation (GDPR) is a new, Europe-wide law that replaces the Data Protection Act 1998 in the UK. It is part of the wider package of reform to the data protection landscape that includes the Data Protection Bill. The GDPR sets out requirements for how organisations will need to handle personal data from 25 May 2018.

What information does the GDPR apply to?

The GDPR applies to ‘personal data’, which means any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. You can find more detail in the key definitions section of our Guide to the GDPR.

There are additional rules in the GDPR for organisations processing special category data. This includes information about an individual’s health. 

Will you be producing sector specific guidance?

Our main guidance focuses on the general application of the GDPR. But we are engaging with representatives from a variety of sectors to provide sector-specific advice which could inform key pieces of guidance produced by influential industry bodies.

Can you help me decide what to include in my privacy notice?

The GDPR sets out the information you should supply and when individuals should be informed.

The information you supply about the processing of personal data must be: 

  • concise, transparent, intelligible and easily accessible;
  • written in clear and plain language, particularly if addressed to a child; and
  • free of charge.

There’s more information in our right to be informed section of the Guide to the GDPR.

Do you have any sample GDPR privacy notices?

Not as such, as privacy notices must be specific to the processing in question. However, we have summarised the information that should be included in a privacy notice in our right to be informed section of the Guide to the GDPR.

Are we a public authority under GDPR?

Probably. The Data Protection Act (when passed) will define ‘public authority’. However, it is likely that if you are a public authority as defined under the Freedom of Information Act 2000, or Freedom of Information (Scotland) Act 2002, as many GP practices, dental practices, other health practitioners and pharmacies that carry out NHS work are, you will be a public authority for the purposes of the GDPR.

Do I need to appoint a data protection officer (DPO)?

Probably. Under the GDPR, you must appoint a DPO if you:

  • are a public authority (except for courts acting in their judicial capacity);
  • your core activities include large scale regular and systematic monitoring of individuals (for example, online behaviour tracking); or
  • your core activities include large scale processing of special categories of data (which includes information relating to an individual’s health) or data relating to criminal convictions and offences.

So organisations such as GP and dental practices, other health practitioners and pharmacies, and particularly those that carry out NHS work, will probably need to appoint a DPO.

There’s a section on DPOs and when they need to be appointed in our Guide to the GDPR

But even if you don’t have to appoint a DPO, you do still have to comply with the other requirements of the GDPR.

Can the DPO be an existing employee?

Yes. The person you appoint as a DPO can be an existing employee provided that their professional duties are compatible with the duties of the DPO and do not lead to a conflict of interest.

What is a conflict of interest in relation to a DPO?

In this context, ‘conflict of interest’ means a conflict with other possible tasks and duties. The DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data. More information on this can be found at questions 9 and 10 of the Article 29 DPO FAQ's and in the Article 29 guidelines on DPO's.

Can health organisations share a DPO?

Yes. You may appoint a single data protection officer to act for  a group of public authorities or bodies, taking into account their organisational structure and size. There is more on appointing a DPO in our section on DPOs and when they need to be appointed in our Guide to the GDPR.

What are the rules on security under the GDPR?

The GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. It requires that appropriate technical or organisational measures are used. You can find more guidance in the security section of our Guide to the GDPR.

What is the status of back-ups of personal data under GDPR?

Holding back-up data has implications for individual’s rights especially the rights to rectification, erasure, restriction and objection.  There’s more detail on individual rights in the Guide to the GDPR.

 Do I still need to register under GDPR?

If you needed to register under the Data Protection Act 1998, then you will probably need to pay a relevant fee, under the Data Protection (Charges and Information) Regulations 2018.

The new Regulations will come into force on 25 May 2018. This doesn’t mean everyone has to pay the new fee on that date. Data controllers who have a current registration (or notification) under the 1998 Act, do not have to pay the new fee until that registration has expired.

You can find more detail in our Guide to the Data Protection Fee.

How do we comply with subject access requests under GDPR?

There’s information about subject access requests in the right to access section in the Guide to the GDPR.

Do we need consent to process personal data for our patient care functions?

Not necessarily. You must have a valid lawful basis in order to process personal data – consent is one of the lawful bases, but there are alternatives. There are six bases available in total and no single basis is ’better’ or more important than the others. Which basis is most appropriate to use will depend on your purpose and relationship with the individual. See our lawful basis for processing guidance for more information.

Consent under the GDPR must be freely given, specific, informed and unambiguous, and involve a clear affirmative action (an opt-in). If you wish to rely on GDPR consent you must be able to demonstrate that you have consent and the individual must be able to withdraw consent easily. If you are a public authority or another organisation in a position of power over the individual it may be difficult for you to be able to show that the consent has been freely given. See our GDPR consent guidance for further information on the requirements necessary to ensure valid consent.

You need to remember that patient consent for treatment or to share healthcare records is not the same as GDPR consent.

In the healthcare sector, patient data is held under a duty of confidence. Healthcare providers generally operate on the basis of implied consent to use patient data for the purposes of direct care, without breaching confidentiality.

Implied consent for direct care is industry practice in that context. But this ‘implied consent’ in terms of duty of confidence is not the same as consent to process personal data in the context of a lawful basis under the GDPR.

Any requirement to get consent to the medical treatment itself does not mean that there is a requirement to get GDPR consent to associated processing of personal data, and other lawful bases are likely to be more appropriate.

In the healthcare context consent is often not the appropriate lawful basis under the GPDR. This type of assumed implied consent would not meet the standard of a clear affirmative act – or qualify as explicit consent for special category data, which includes health data. Instead, healthcare providers should identify another lawful basis (for example the public task basis may be appropriate).

Please note that if you are processing special category data – which includes information about an individual’s health – it isn’t enough to just identify a lawful basis for processing. You also need to satisfy a separate condition for processing special category data. There are 10 of these in the GDPR itself, including where the processing is necessary for the purposes of medical diagnosis or healthcare, and the DP Bill also provides additional conditions for processing special category data.

For more information please see the section on special category data in the Guide to the GDPR.

I am planning to send material promoting clinics and vaccinations to targeted patients in need. How do I know if the consent I have for this marketing under the DPA is good enough for GDPR?

Our consent checklist sets out the steps you should take to seek valid consent under the GDPR. This checklist can also help you review existing consents and decide whether they meet the GDPR standard, and to seek fresh consent if necessary. 

You are not required to automatically ‘repaper’ or refresh all existing DPA consents in preparation for the GDPR. But it’s important to check your processes and records in detail to be sure existing consents meet the GDPR standard.

You will need to be confident your consent requests already meet the GDPR standard and that consents are properly documented. You will also need to put in place compliant mechanisms for individuals to withdraw their consent easily.

If existing DPA consents don’t meet the GDPR’s high standards or are poorly documented, you will need to seek fresh GDPR-compliant consent, identify a different lawful basis for your processing (and ensure continued processing is fair), or stop the processing.

You are also likely to need consent under ePrivacy laws for many marketing calls, texts and emails. These rules are currently found in the Privacy and Electronic Communications Regulations 2003 (PECR). For more about PECR please see our Guide to PECR.

Do I always need consent for marketing and does it have to be opt in or can it be opt out?

No. You won’t always need consent e.g.for postal marketing but you will need consent for some calls and for texts and emails under PECR. See our Guide to PECR for more on when you need consent for electronic marketing.

If you don’t need consent under PECR you can rely on legitimate interests for marketing activities if you can show how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object. See our legitimate interests guidance for more detail.

If you do rely upon consent it requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent. See our consent checklist for more detail.

How do we deal with requests to have personal data rectified?

Individuals are entitled to have personal data rectified if it is inaccurate or incomplete.

If you have disclosed the personal data in question to third parties, you must inform them of the rectification where possible. You must also inform the individuals about the third parties to whom the data has been disclosed where appropriate.

However, this doesn’t extend to medical opinions, where the data recorded accurately represents the opinion in question.

It is often impossible to conclude with certainty, perhaps until time has passed or tests have been done, whether a patient is suffering from a particular condition. An initial diagnosis (or informed opinion) may prove to be incorrect after more extensive examination or further tests. Individuals may want the initial diagnosis to be deleted on the grounds that it was, or proved to be, inaccurate. However, if the patient’s records accurately reflect the doctor’s diagnosis at the time, the records are not inaccurate, because they accurately reflect a particular doctor’s opinion at a particular time. Moreover, the record of the doctor’s initial diagnosis may help those treating the patient later.

When do I need to report a personal data breach?

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

Under the GDPR, organisations must notify the ICO of a breach within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to the rights and freedoms of individuals. Organisations must also notify those concerned, where a breach is likely to result in a high risk to their rights and freedoms without undue delay.

If you use a data processor, and they suffer a breach, then they must inform you without undue delay as soon as they become aware – you are responsible for the breach-reporting obligations under the GDPR.

There is more detail about this in the section on personal data breaches in the Guide to the GDPR.

Given existing NHS breach reporting requirements many of these concepts will be familiar.

Currently, the SIRI reporting tool, which is part of the IG Toolkit, allows NHS bodies in England (including NHS England and the Department of Health) to notify the ICO when a serious information governance incident occurs. We understand that this is to be updated, in light of the GDPR, so that NHS organisation can fulfil their obligations to report certain matters to the ICO, by reporting it through the Toolkit. However, additional steps may still have to be taken to notify the individuals concerned, where the GDPR requires it.

How are medical and dental records affected by the right to erasure?

There is no absolute ‘right to be forgotten’.

People can ask for their personal data to be erased - but only when there is no compelling reason for its continued processing.

Requests will have to be assessed on their own merits. However, care providers, for example, will likely have a very good reason for processing much of the personal data they hold for the purposes of providing medical care.

There is more information in the section on right to erasure in the Guide to the GDPR.