GDPR - What's new and what you have to do

Where are we now
The Data Protection Act 2018 and the GDPR regulations became law in May 2018. Much of the regulation was covered by the first release of the CODE GDPR templates three months ago. But as there are some important changes to the Information Commissioner’s Office (ICO) guidelines and to the understanding of their consequences, CODE has updated 12 major templates, which are discussed in this article and explored in this newsletter. CODE iComply members will be informed what to do and when to do it by the iComply Application, so for them this article is for advice only. Non-members will find the article and newsletter helpful to understand some of the latest CODE advice about GDPR.

These are the CODE iComply templates that have just been updated:

  • M 216 – Data Protection Overview
  • M 216A – GDPR and Data Protection Action Plan
  • M 217C – Information Governance Procedures
  • M 217L – Network, Computer and Software Access Log
  • M 217RA – Communication Consent Form
  • M 217S – Legitimate Interests Assessment
  • M 217T – Privacy Notice
  • M 217TC – Privacy Notice for Children (new)
  • M 217UA – Contract for Data Processor or Joint Data Controllers
  • M 233-DPT – Data Protection and Information Security Policy
  • M 245A – Staff Terms and Conditions of Employment
  • M 245AA – IG Amendment to Staff Terms and Conditions
Requirement How to meet it CODE iComply Template

Requirement: Consent for special category data needs a lawful basis to process personal data plus a lawful basis to process special category data.

How to meet it: We have suggested “Legitimate interests” as the basis for processing personal data, and that the basis for processing special category data includes “Processing is necessary for health care purposes”.

Note that processing personal data includes:

  • Patient and non-patient data that is not special data
  • Contacting patients by phone or letter
  • Marketing
  • Employee files

Special category data includes:

  • Clinical records
  • Appointments and recalls
  • Patient complaints
  • Medical information on employees and self-employed contractors
  • Criminal record disclosures for employees and self-employed contractors

Members will be advised to update their Data Protection and Information Security Policy (M 233-DPT) soon.

CODE iComply template: Data Protection and Information Security Policy (M 233-DPT). Version 7

See the new Legitimate Interests Assessment (Template M 217S).

The full list of Lawful Bases for Processing personal data is in the new Privacy Notice (M 217T)

Requirement: The new Data Security and Protection Toolkit. Privacy Notice for Children

How to meet it: Practices who have access to NHS patient data and systems must now complete the new Data Security and Protection Toolkit instead of the Online IG Toolkit.

CODE iComply template: You can be guided with an updated version of the GDPR and Data Protection Action Plan (M 217A), available soon when CODE has analysed the new online toolkit requirements.

Requirement: New and updated Information Governance Procedures

How to meet it:

  • Reference to the Children’s Privacy Notice
  • New weekly and monthly checks for information security
  • New password guidance – covered in a later article
  • Managing levels of computer access
  • New Personal use of practice email, internet and phones – policy and procedure
  • New Remote VPN access policy and procedure for practices whose team members log in remotely with VPN
  • We have added the requirement to have a data processor contract with your dental laboratories as well as self-employed dentists, hygienists, therapists and clinical dental technicians. This has been added to remind you, but it is covered in a later article.
  • Other minor updates

CODE iComply template: Information Governance Procedures (M 217C), Version 3, is one of the key templates and covers many areas of your procedures, policies and advice. It has just been updated.

Requirement: Network, Computer and Software Access Log
How to meet it: Minor changes to make the log more powerful and to add monitoring of who can access the network.
CODE iComply template: See the Network, Computer and Software Access Log (M 217L). Version 3

Requirement: Legitimate Interests Assessment
How to meet it: There are now two assessment templates, one for processing personal data and one to be used if you decide to use Legitimate Interests for Marketing, which is something that CODE cannot advise on at present, but you may decide to do it after taking your own advice.
CODE iComply template: Legitimate Interests Assessment (M 217S). Version 2

Requirement: Privacy Notice for Adults
How to meet it: It has been re-written and should be adopted right away.
CODE iComply template: Privacy Notice (M 217T). Version 2

Requirement: Privacy Notice for Children
How to meet it: Required by the ICO, it’s an easy-to-read version for people under 18 years.
CODE iComply template: Privacy Notice for Children (M 217TC). Version 1

Requirement: Staff Terms and Conditions of Employment, new data protection amendments
How to meet it: There is a new version of the Staff Terms and Conditions of Employment that includes clauses on meeting Data Protection and GDPR requirements.

CODE iComply template: Staff Terms and Conditions of Employment (M 245A). Version 5. If you are using version 3 or earlier, it’s time to issue new contracts.

Requirement: Communication Consent
How to meet it: The form has been simplified into two parts, one for consent for sending text and email messages and the other for consent for marketing.
CODE iComply template: Communication Consent Form (M 217RA). Version

Requirement: Contract as data processor or joint controller for self-employed team members
How to meet it: The data processor contract now includes labs and self-employed personnel. Please read the article for details.
CODE iComply template: Model Contract for Data Processor (M 217UA). Version 2

Requirement: Staff Terms and Conditions of Employment, new data protection amendments
How to meet it: There is a new version of the Staff Terms and Conditions of Employment that includes clauses on meeting Data Protection and GDPR requirements. Read more about it in the article.
CODE iComply template: Staff Terms and Conditions of Employment (M 245A). Version 5

How to meet it: There is a GDPR compliance agreement for employees who have recent CODE terms. Read more about it in the article.
CODE iComply template: Amendment to Staff Terms and Conditions (M 245AA). Version 1

If your staff members have version 3 of the CODE Terms and Conditions you can use this, but it is better to upgrade all staff to Version 5.

There’s lots to do to keep updated now and things are still changing. But after this major update, CODE iComply members will be almost there. We will keep you informed. Find out more about iComply here.

Disclaimer: The implications of the GDPR regulations are not yet fully explored, but CODE has released this article to share our current thinking and direction. With experience and guidance from government bodies and further input from experts in the coming months, the CODE advice will be updated and refined. The information in CODE articles is in general terms and is believed to be based on the relevant legislation, regulations and good practice guidance. This information is indicative only and is intended as a guide for you to review and take particular professional advice to suit your circumstances. CODE does not accept any liability for any loss or claim that may arise from reliance on information provided. The use of the information in this article indicates acceptance of these terms. CODE is a trading name of both the Confederation of Dental Employers Ltd and Codeplan Ltd.