What is GDPR?
GDPR stands for General Data Protection Regulation and is a new piece of legislation that will supersede the Data Protection Act. It will not only apply to the UK and EU; it covers anywhere in the world in which data about EU citizens is processed.
The GDPR is similar to the Data Protection Act (DPA) 1998 (which the practice already complies with), but strengthens many of the DPA’s principles. The main changes are:
- Practices must comply with subject access requests
- Where we need your consent to process data, this consent must be freely given, specific, informed and unambiguous
- There are new, special protections for patient data
- The Information Commissioner’s Office must be notified within 72 hours of a data breach
- Higher fines for data breaches – up to 20 million euros
What is ‘patient data’?
Patient data is information such as personal details, including name, age, address, next of kin, record of appointments, visits, telephone calls, your health records, treatment and medications, test results, X-rays, etc., and any other relevant information that enables us to deliver effective medical care.
What is consent?
- Explicit consent under GDPR is distinct from implied consent for sharing for direct care purposes under the common law duty of confidentiality. Where there is a request for personal confidential data from an insurance company, solicitor or employer, the lawful basis and lawful condition for processing will be explicit consent from the patient.
- Where there is the requirement to disclose under Legislation, the lawful basis to disclose would be for compliance with legal obligation.
- GDPR creates a lawful basis for processing Special Category health data when it is for the provision of direct care, which does not require explicit consent.
- Special Category condition for processing for direct care is that processing is “necessary for the purposes of preventative or occupational medicine, medical diagnosis, provision of health or social care systems and services”.
Person to contact regarding Data Protection matters.