The new General Data Protection Regulation (GDPR) is coming into force in May 2018. In many ways, it is similar to the current Data Protection Act (DPA), but it introduces some new and important requirements. The Government have confirmed that the decision to leave the EU will not affect the implementation of this European legislation.
The main changes under the GDPR are new compliance obligations for data controllers and processors in terms of security and protection of the rights and privacy of individuals, plus clarification of the requirements for data breach notification.
Who is the data controller?
A data controller must register with the ICO. The data controller is responsible for the processing of data. A data controller is an individual, a partnership, a company etc. When deciding who in a practice is the data controller you can refer to the ICO research “Information Governance in Dental Practices”, which says:
“1. Are you responsible for the control and security of patient records, and do you have other responsibilities associated with the data?
2. Do you have a patient list separately from the practice in which you treat patients, that would follow you if you left?
3. Do you treat the same patient at different practices?
4. If a complaint was made by a patient, or data was lost, would you be legally responsible for dealing with the matter?
If you answer ‘yes’ to any of the above questions, you are likely to be a data controller and will need to register with the ICO.”
The “data processor” means any person (other than an employee of the data controller) who processes the data on behalf of the data controller. This could be a third-party company such as a cloud storage company used for backup of patient records.
Personal data means data which relates to a living individual who can be identified:
- From the data, or
- From those data and other information which is in the possession of, or is likely to come into the possession of, the data controller
- Including any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual
For the processing of personal data to be lawful under the GDPR, you need to identify a legal basis. Examples of the legal basis include:
- Consent of the data subject
- Necessary for the performance of a contract with the data subject or to take steps to enter into a contract
- Necessary for the purposes of legitimate interests pursued by the controller or a third party
An example of personal data is staff employment records.
‘Special data’ under the GDPR
This is broadly similar to the ‘sensitive data’ as defined by the DPA, with the addition of the “genetic data” and “biometric data” categories.
Special data is:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Data concerning health or sex life and sexual orientation
- Genetic data (added by GDPR)
- Biometric data where processed to uniquely identify a person (added by GDPR)
The legal basis for processing special data in a dental practice is:
“9(2)(h) – Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional.”
An important aspect of the GDPR is the requirement to offer people choice and control over how their data is used. For clinical records there is a legal basis for processing special data. But if you are sending out email newsletters for example, you will need to consider the consent requirements, which include:
- Details are given about the different ways data will be used, with the ability to choose between them, e.g. email newsletters and/or printed newsletters
- The consent statement must be clear and specific, and the indication to give consent must be unambiguous
- Tick boxes must never be pre-ticked; this is called ‘positive opt-in’
- Consent must be easy to withdraw, with a clear way to withdraw it at any time
- Evidence of consent is kept, including who, when, how, and what you told people
- Consent process is kept under review, and refreshed if anything changes
Privacy Impact Assessments
Privacy Impact Assessments (PIAs) help practices to identify the most effective way to comply with the obligations of the GDPR. The assessment sets out the options for addressing each identified risk and whether those options result in the risk being:
- Reduced; or
Data breach notifications
The GDPR provides specific breach notification rules. The ICO says:
“You only have to notify the relevant supervisory authority of a breach where it is likely to result in a risk to the rights and freedoms of individuals. If unaddressed such a breach is likely to have a significant detrimental effect on individuals – for example, result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.”
You must notify a breach to the relevant supervisory authority within 72 hours of you becoming aware of it. It is recognised that you may have to provide information in phases as your investigation takes place. If serious you may need to notify patients, and if so you must do so without delay. Failure to notify a breach can result in a fine of up to 2% of your total turnover or 10 million Euros.
What to do next
CODE iComply members already have the Information Governance Kit (M 217), which meets many of the requirements. The ICO is continually updating its guidelines as the new regulations are understood and CODE will regularly update the IG Kit with the GDPR version released this autumn. The iComply Application will automatically tell you what to do and when to do it, as well as providing the latest GDPR templates just when you need them. This means that members need do nothing for now, but as always keep an eye on the iComply news section. If you are not a CODE iComply member you can start by researching the guidelines and links below.
Information Commissioner’s Office (ICO) – Overview of the GDPR