The new European General Data Protection Regulation (GDPR) is coming into law on the 25th May 2018.
Key changes introduced by the new GDPR
Organisations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).
Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. Consent must be opt-in and not ‘tick to opt out’, also it must be detailed so that the person can see exactly what they are consenting for.
Breach notification will be mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. The GDPR say this must be done within 72 hours of first having become aware of the breach, but note that currently the Information Commissioners Website states that you have to report within 24 hours. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach.
Right to Access
This is the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format.
Right to be Forgotten
Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
GDPR introduces data portability – the right for a data subject to receive the personal data concerning them, which they have previously provided in a ‘commonly use and machine readable format’, Data Portability is primarily for the large social media companies.
Privacy by Design
Privacy by design calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition. More specifically – ‘The controller shall implement appropriate technical and organisational measures in an effective way in order to meet the requirements of this Regulation and protect the rights of data subjects’. Article 23 calls for controllers to hold and process only the data absolutely necessary for the completion of its duties (data minimisation), as well as limiting the access to personal data to those needing to act out the processing.
Data Protection Act 2018
The Government has announced a new Data Protection bill to sign the European GDPR into law and to update the Data Protection Act. The details of the new Act are as yet unclear, there may be special provisions for health records. When the DPA act becomes law in May 2018 there may be some additional CODE updates following its release.
The Legal Basis for Processing Data
You must establish a legal basis for processing data. For personal data there are 6 options:
- Consent of the data subject
- Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
- Processing is necessary for compliance with a legal obligation
- Processing is necessary to protect the vital interests of a data subject or another person
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject. (Note that this condition is not available to processing carried out by public authorities in the performance of their tasks.)
Clinical records however are special category data, which needs a different lawful basis. For dental or GP practice this could be:
“9(2)(h) – Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional.”
Data protection compliance
The CODE iComply solution brings together the requirements of the Data Protection Act, GDPR and the NHS Online Toolkit. This seeming complexity is simplified by assigning the requirements into three areas. Compliance is delivered through easy to use policies, procedures and audits and risk assessments:
- Data Protection (M 216) – this provides and overview of all data processing requirements including the Data Protection Act (DPA), the GDPR. It is supported by and the CODE Data Protection and Information Security Policy (M 233-DPT) and the GDPR Action Plan, which you follow the first time to set everything up
- Information Governance – which provides the main procedures, policies and risk assessments to meet your data protection requirements in a format that can be used for the NHS IG Online Toolkit. It consists of a suite of 19 templates from (M 216A) the IG Improvement Plan to (M 217UA) Contract for a Data Processor. This has recently changed to the Data Security and Protetion Toolkit for all organisations that have access to NHS patient data and systems. CODE will update the (M 217A) by the end of June so that practices will have the necessary templates and know what to do with them.
- Consent – covers all aspects of consent. This includes patient consent for treatment, patient consent for marketing and non-patient consent for marketing too. Patient confidentiality is covered too. Some of the most important CODE templates for this area include Valid Consent for treatment (M 292), Communication Consent Form (M 217RA), Consent for Clinical Photography (M 217RB), Data Requests Record (M 217RX) and Confidentiality Policy (M 233-CON)
Here are some questions that members are asking:
Q: Do we need to obtain consent again from all of our patients?
A: There are two types of consent to consider.
1. Consent to process special category data, which in our case is the clincial records. The legal basis for processing it is described above and fully in the Data Protection Overview (M 216). If you are providing treatment you be obtaining Valid Consent (M 292) on a continuing basis. The legal basis for handling this special category data is explained above.
2. ‘ Personal data’ is processed when you carry out marketing to patients or non-patients, by email or post etc. If your current consent for marketing does not meet the GDPR standards then you will need to re-consent for it. The legal basis for marketing is “consent”.
CODE has produced two new forms, Communication Consent Form (M 217RA) and Consent for Clinical Photography (M 217RB) for you to adapt or add their details to your medical history form. It is suggested that you start re-consenting in March as patients visit the practice.
Q: What is a Privacy Notice?
A: It is a key requirement to show that you are transparent and provide information to individuals about how you will use their personal data. It expected that you do so with a Privacy Notice, on your website and available in print at the practice if requested. CODE iComply has provided a template for members, it’s called Privacy Notice (M 217T). There is also a Privacy Notice for Children (M 217TC).
Q: I use online software or cloud storage services that store data outside of the EU is this ok?
A: It is necessary to identify where your data may be stored, e.g. Dropbox stores data in the USA, iComply stores data in Southern Ireland in the EU. If data is stored outside of the EU there must be adequate protections for it. America has the EU-US Privacy Shield, which means that we can use a company that stores personal data in the US (as your data processor), as long as the company is certified for the Privacy Shield. You can check if an American company has certification by searching the Privacy Shield List.
Note that you must also have a contract with all data processors that you use, either using the template Model Contract for Data Processor (M 217UA) or in the case of large companies like Dropbox or Microsoft the information about how they comply woith GDPR will be downloadable from their website. Now is the time to identify where you store digital data, and obtain the necessary contracts or identify links to the relevant terms.
Q: What should I do now?
A: CODE iComply members should work through the GDPR Action Plan (M 216A) making sure that you are using the latest templates – check the version numbers in the Updated Templates table at the end of this guide. The latest templates will be released by mid March.
If you are not a CODE iComply member, work through the ICO Action List for Non-members
below, as well as the FAQ activities above, using your own research.
Q: Under the GDPA right to be forgotten, do we have to delete clinical records if a patient requests it?
A: It is CODE’s view that patient records should be retained according to NHS guidelines. We have a template on Record Retention (M 215). We recommend retaining clinical records until the end of the retention period and would not delete them. However if we have marketing records of non-patients, such as email and name, we would be required to delete them under the GDPR if requested by the data subject, otherwise delete them 2 years after the last processing date.
Information Commissioner recommendations – for non-members to carry out now
Below is an abbreviated copy of the action list from the ICO that is recommended to perform now to prepare for GDPR. See the full details on the ICO website. Note that there is much more that has to be done to meet the requirements, this is a starter list. The CODE solution is provided as a guide so that you can research your own solution.
ICO Action List for Non-members
|Action to take||CODE iComply solution|
|1. Your business has conducted an information audit to map data flows||Security Risk Assessment (M 217M)|
|2. Having audited your information, you should then be able to identify any risks||Security Risk Assessment (M 217M)|
|3. Your business has identified your lawful bases for processing and documented them||Information Governance Procedures
|4. Your business is currently registered with the Information Commissioner’s Office|
|5. Your business has provided privacy notices to individuals||Privacy Notice (M 217T)|
|6. Your business has a process to recognise and respond to individuals’ requests to access their personal data||Information Governance Procedures
|7. Individuals have the right to obtain:
a. Confirmation that their data is being processed
b. access to their personal data;
c. and other supplementary information – this largely corresponds to the information that you should be provide in a privacy notice. You should provide a copy of the information free of charge. However, you can charge a ‘reasonable fee’ under some circumstances
|Information Governance Procedures
|8. Your business has processes to ensure that the personal data you hold remains accurate and up to date||Information Governance Procedures
(M 217C) and iComply scheduled checks
|9. Your business has a process to securely dispose of personal data that is no longer required or where an individual has asked you to erase it||Information Governance Procedures
|10. Individuals have the right to be forgotten and can request the erasure of personal data when:
a. It is no longer necessary in relation to the purpose for which it was originally collected/processed
b. The individual withdraws consent
c. he individual objects to the processing and there is no overriding legitimate interest for continuing the processing;
d. It was unlawfully processed (ie otherwise in breach of the GDPR);
e. It has to be erased in order to comply with a legal obligation; or
f. It is processed in relation to the offer of information society services to a child
|Information Governance Procedures
|11. You should regularly review your how long you keep personal data to make sure it continues to meet business and statutory requirements and any amendments should be agreed with managers and incorporated into your Record Retention document. For example if you stop processing personal data (not patient data), you must delete it after 2 years.||iComply scheduled review of Record Retention (M 215)|
|12. You should designate responsibility for retention and disposal to an appropriate person||Information Governance Lead/Data Protection Officer|
|13. Your business has procedures to respond to an individual’s request to restrict the processing of their personal data||Information Governance Procedures (M 217C)|
|14. Individuals have a right to block or restrict the processing of personal data. When processing is restricted, you are permitted to store the personal data, but not further process it. You can retain just enough information about the individual to ensure that the restriction is respected in the future||Information Governance Procedures (M 217C)|
|15. Your business has processes to allow individuals to move, copy or transfer their personal data from one IT environment to another in a safe and secure way, without hindrance to usability. Examples of appropriate formats include CSV and XML files||Information Governance Procedures (M 217C)|
|16. Your business has procedures to handle an individual’s objection to the processing of their personal data||Information Governance Procedures (M 217C)|
|17. Your business has an appropriate data protection policy||Data Protection and Information Security Policy
|18. Your business has a written contract with any data processors you use, including self-employed associates, hygienists, therapists and lab technicians.||Model Contract for Data Processor (M 217UA)
or big company online terms
|19. Your business manages information risks in a structured way so that management understands the business impact of personal data related risks and manages them effectively||Business Impact Analysis (M 217N)|
|20. Your business has implemented appropriate technical and organisational measures to integrate data protection into your processing activities||Security Risk Assessment (M 217M) and Information Governance Procedures (M 217C) Disaster Planning and Emergency Procedures (M 255 )|
|21. Under the GDPR, you have a general obligation to implement appropriate technical and organisational measures to show that you have considered and integrated data protection into your processing activities. Under the GDPR, this is referred to as data protection by design and by default.||Backup Procedures and Software Log (G 135 )
Computer Backup Log (G 135A)
Purchased Software Log (G 135B)
Information Governance (M 217C) Procedures
Compliance Monitoring Form (M 217K)
Mobile Equipment Terms and Conditions (M 217I)
Computer and Software Access Log (M 217L)
Physical Security Risk Assessment (M 217M)
Sensitive Information Map, PIA and Risk Assessment (M 217Q)
Data Protection and Information Security Policy (M 233-DTP)
Confidentiality Policy (M 233-CON)
Consent Policy (M 233-CNS)
Social Medial Policy (M 233-SMD)
|22. Your business has nominated a data protection lead or Data Protection Officer (DPO)||For NHS practices (M 217C)|
|23. Your business has an information security policy supported by appropriate security measures||Data Protection and Information Security Policy
|24. You should process personal data in a manner that ensures appropriate security||Information Governance Procedures (M 217C)|
|25. Your business ensures an adequate level of protection for any personal data processed by others on your behalf that is transferred outside the European Economic Area Outside of the EU we only process in the USA under the EU-US Privacy Shield||Information Governance Procedures (M 217C), Sensitive Information Map, PIA and Risk Assessment (M 217Q)|
|26. Your business has effective processes to identify, report, manage and resolve any personal data breaches||Information Governance Procedures (M 217C)|
|27. Decide what information you have:
a. Information owner
b. How long the information should be kept for
c. Disposal action such as ‘securely delete, physically destroy’
d. Why the information should be kept, for example, legal, regulatory or other reason for the disposal period and action
e. Sensitivity/access restrictions
f. Where the information is held
|Information Governance Procedures (M 217C)
Record Retention (M 215)
Sensitive Information Map and Risk Assessment (M 217Q)
What iComply members should do?
All the latest templates are being upploaded to iComply now and will be available to members after the 16th March.
- Adopt the Data Protection and Information Security Policy (M 233-DPA) – Version 16
- Read the Data Protection Overview (M 216) – Version 5
- Follow the GDPA and Data Protection Action Plan (M 216A) – Version 2. It will lead you step by step though what you have to do and tell you which CODE templates to use
- iComply will remind you when the GDPR and data protection activities are next due
- iComply will inform you if there are any changes when the Data Protection Act becomes law in May 2018. These are expected to be relatively minor
- Keep an eye on iComply news for any updates
Information Governance Procedures (M 217C)
This updated template (M 217C) now also contains other key procedures to meet GDPR requirements, for example:
- Processing of clinical records
- Processing of staff records
- Systems for managing consent
- Responding to requests for access to personal data
- Privacy Notice
- Method for keeping personal data accurate and up to date in the iComply step
- Methods to dispose of data that is outside of the data keeping range
- Data security, computer security, privacy by design
- Method for transferring data in secure ways
- Integrated data protection
- Mobile equipment security
- Reporting and notifications requirements
And much more.
To find out more about iComply and how is it ‘GDPR Ready‘ with access to all of the GDPR templates and guidelines, please call 01409 254 416, visit icomply.cc or email firstname.lastname@example.org to arrange a free demonstration.