What is the GDPR?
The General Data Protection Regulation (GDPR) is a new, Europe-wide law that replaces the Data Protection Act 1998 in the UK. It is part of the wider package of reform to the data protection landscape that includes the Data Protection Bill. The GDPR sets out requirements for how organisations will need to handle personal data from 25 May 2018.
What information does the GDPR apply to?
The GDPR applies to ‘personal data’, which means any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. You can find more detail in the key definitions section of our Guide to the GDPR.
There are additional rules in the GDPR for organisations processing special category data. This includes information about an individual’s health.
Will you be producing sector specific guidance?
Our main guidance focuses on the general application of the GDPR. But we are engaging with representatives from a variety of sectors to provide sector-specific advice which could inform key pieces of guidance produced by influential industry bodies.
Can you help me decide what to include in my privacy notice?
The GDPR sets out the information you should supply and when individuals should be informed.
The information you supply about the processing of personal data must be:
- concise, transparent, intelligible and easily accessible;
- written in clear and plain language, particularly if addressed to a child; and
- free of charge.
There’s more information in our right to be informed section of the Guide to the GDPR.
Do you have any sample GDPR privacy notices?
Not as such, as privacy notices must be specific to the processing in question. However, we have summarised the information that should be included in a privacy notice in our right to be informed section of the Guide to the GDPR.
Are we a public authority under GDPR?
Probably. The Data Protection Act (when passed) will define ‘public authority’. However, it is likely that if you are a public authority as defined under the Freedom of Information Act 2000, or Freedom of Information (Scotland) Act 2002, as many GP practices, dental practices, other health practitioners and pharmacies that carry out NHS work are, you will be a public authority for the purposes of the GDPR.
Do I need to appoint a data protection officer (DPO)?
Probably. Under the GDPR, you must appoint a DPO if you:
- are a public authority (except for courts acting in their judicial capacity);
- carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
- carry out large scale processing of special categories of data (which includes information relating to an individual’s health) or data relating to criminal convictions and offences.
So organisations such as GP and dental practices, other health practitioners and pharmacies, and particularly those that carry out NHS work, will probably need to appoint a DPO.
But even if you don’t have to appoint a DPO, you do still have to comply with the other requirements of the GDPR.
Can the DPO be an existing employee?
Yes. The person you appoint as a DPO can be an existing employee provided that their professional duties are compatible with the duties of the DPO and do not lead to a conflict of interest.
What is a conflict of interest in relation to a DPO?
In this context, ‘conflict of interest’ means a conflict with other possible tasks and duties. The DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data. More information on this can be found at questions 9 and 10 of the Article 29 DPO FAQs and in the Article 29 guidelines on DPOs.
Can health organisations share a DPO?
Yes. You may appoint a single data protection officer to act for a group of companies or a group of public authorities, taking into account their structure and size. There is more on appointing a DPO in our section on DPOs and when they need to be appointed in our Guide to the GDPR.
What are the rules on security under the GDPR?
The GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. It requires that appropriate technical or organisational measures are used. You can find more guidance in the security section of our Guide to the GDPR.
What is the status of back-ups of personal data under GDPR?
Holding back-up data has implications for individuals’ rights, especially the rights to rectification, erasure, restriction and objection. There’s more detail on individual rights in the Guide to the GDPR.
Do I still need to register under GDPR?
If you needed to register under the Data Protection Act 1998, then you will probably need to register, and pay a relevant fee, under the Data Protection (Charges and Information) Regulations 2018.
The new Regulations will come into force on 25 May 2018. This doesn’t mean everyone has to re-register and pay the new fee on that date. Data controllers who have a current registration (or notification) under the 1998 Act do not have to re-register or pay the new fee until that registration has expired.
You can find more detail in this blog post.
How do we comply with subject access requests under GDPR?
There’s information about subject access requests in the right to access section in the Guide to the GDPR.
Do we need consent to process personal data for our patient care functions?
You must have a valid lawful basis in order to process personal data. There are six bases available and no single basis is ‘better’ or more important than the others. Which basis is most appropriate to use will depend on your purpose and relationship with the individual.
Consent is only appropriate if you can offer people real choice and control over how you use their data. If you cannot offer a genuine choice, it is not appropriate to rely on it.
Organisations in positions of power over individuals, like the providers of medical services, should avoid relying on consent unless they are confident they can demonstrate it is freely given. For more information please see the section on consent in the Guide to the GDPR.
Please note that if you are processing special category data – including information about an individual’s health – it isn’t enough to just identify a lawful basis for general processing. You also need to satisfy a separate condition for processing special category data. There are 10 of these, including where the processing is necessary for the purposes of medical diagnosis.
For more information please see the section on special category data in the Guide to the GDPR.
When should we use the other lawful bases for processing instead of consent?
The six lawful bases for processing are broadly similar to the conditions for processing in the Data Protection Act 1998, although there are some differences. For more information please see the consent section of the Guide to the GDPR.
If you are processing special category data – which includes information about an individual’s health – as well as identifying a lawful basis for general processing, you also need to satisfy an additional condition for processing. There are 10 of these, including where the processing is necessary for the purposes of medical diagnosis.
For more information please see the section on special category data in the Guide to the GDPR.
How can we meet the stricter rules on consent?
The GDPR sets a higher standard for consent than in the Data Protection Act 1998.
Again, organisations in positions of power over individuals, like providers of medical services, should avoid relying on consent unless they are confident they can demonstrate it is freely given.
Consent means offering individuals real choice and control. Genuine consent should put individuals in charge. It requires a positive opt-in (no pre-ticked boxes or any other method of default consent). You must be specific and ‘granular’ so that you get separate consent for separate things. You must make it easy for people to withdraw consent, tell them how they can do it, and keep evidence of the consent you get.
For more information please see the consent section of the Guide to the GDPR.
How do we record verbal consent?
Organisations in positions of power over individuals, like medical services providers, should avoid relying on consent as the lawful basis for processing unless they are confident they can demonstrate it is freely given. For more information please see the consent section of the Guide to the GDPR.
However, if you need to obtain consent you can obtain it verbally, but you should keep a record of:
- when and how you got consent from an individual, and
- exactly what they were told at the time.
How can we obtain consent from an individual with mental health problems?
Organisations in positions of power over individuals, including the providers of some medical services, should avoid relying on consent as the lawful basis for processing unless they are confident they can demonstrate it is freely given. For more information please see the consent section of the Guide to the GDPR.
However, if you need to obtain consent from an individual who lacks the mental capacity to make decisions for themselves, you may find the Alzheimer’s Society’s guidance note Acting on behalf of a person with dementia useful. This gives practical advice to third parties about handling someone’s personal information, to help them manage their affairs, or when managing their affairs for them.
Although this was written in relation to the Data Protection Act 1998, the advice will still apply under the GDPR.
How do I know if the consent I have for marketing under the DPA is good enough for GDPR?
Our consent checklist sets out the steps you should take to seek valid consent under the GDPR. This checklist can also help you review existing consents and decide whether they meet the GDPR standard, and to seek fresh consent if necessary.
You are not required to automatically ‘repaper’ or refresh all existing DPA consents in preparation for the GDPR. But it’s important to check your processes and records in detail to be sure existing consents meet the GDPR standard.
You will need to be confident your consent requests already meet the GDPR standard and that consents are properly documented. You will also need to put in place compliant mechanisms for individuals to withdraw their consent easily.
If existing DPA consents don’t meet the GDPR’s high standards or are poorly documented, you will need to seek fresh GDPR-compliant consent, identify a different lawful basis for your processing (and ensure continued processing is fair), or stop the processing.
You are also likely to need consent under ePrivacy laws for many marketing calls, texts and emails. These rules are currently found in the Privacy and Electronic Communications Regulations 2003 (PECR). For more about PECR please see our Guide to PECR.
Do I always need consent for marketing and does it have to be opt in or can it be opt out?
No. You won’t need consent for postal marketing but you will need consent for some calls and for texts and emails under PECR. See our Guide to PECR for more on when you need consent for electronic marketing.
If you don’t need consent under PECR you can rely on legitimate interests for marketing activities if you can show that how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object.
If you do rely upon consent it requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent. See our consent checklist for more detail.
When can I use the ‘legitimate interests’ condition of processing for marketing instead of consent?
You can rely on legitimate interests for marketing activities if you can show that how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object – and if you don’t need consent under PECR.
See our Guide to PECR for more on when you need consent for electronic marketing.
How do we deal with requests to have personal data rectified?
Individuals are entitled to have personal data rectified if it is inaccurate or incomplete.
If you have disclosed the personal data in question to third parties, you must inform them of the rectification where possible. You must also inform the individuals about the third parties to whom the data has been disclosed where appropriate.
However, this doesn’t extend to medical opinions, where the data recorded accurately represents the opinion in question.
It is often impossible to conclude with certainty, perhaps until time has passed or tests have been done, whether a patient is suffering from a particular condition. An initial diagnosis (or informed opinion) may prove to be incorrect after more extensive examination or further tests. Individuals may want the initial diagnosis to be deleted on the grounds that it was, or proved to be, inaccurate. However, if the patient’s records accurately reflect the doctor’s diagnosis at the time, the records are not inaccurate, because they accurately reflect a particular doctor’s opinion at a particular time. Moreover, the record of the doctor’s initial diagnosis may help those treating the patient later.
When do I need to report a personal data breach?
A personal data breach is a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Under the GDPR, organisations must notify the ICO of any breaches that are likely to result in a risk to the rights and freedoms of individuals. Organisations must also notify those concerned, where a breach is likely to result in a high risk to their rights and freedoms.
There is more detail about this in the section on data breaches in the Guide to the GDPR.
However, it is likely that many NHS health bodies won’t have to do anything different to report breaches to the ICO.
Currently, the SIRI reporting tool, which is part of the IG Toolkit, allows NHS bodies in England (including NHS England and the Department of Health) to notify the ICO when a serious information governance incident occurs. We understand that this is to be updated, in light of the GDPR, so that NHS organisations can fulfil their obligations to report certain matters to the ICO by reporting them through the Toolkit. However, additional steps may still have to be taken to notify the individuals concerned, where the GDPR requires it.
How are medical and dental records affected by the right to erasure?
There is no absolute ‘right to be forgotten’.
People can ask for their personal data to be erased, but only when there is no compelling reason for its continued processing.
Requests will have to be assessed on their own merits. However, care providers, for example, will likely have a very good reason for processing much of the personal data they hold for the purposes of providing medical care.
There is more information in the section on right to erasure in the Guide to the GDPR.