In May this year there will be new data protection regulations – the EU General Data Protection Regulation (GDPR) – law in the UK from 25 May – and the new Data Protection Act 2018 (DPA 18). Post Brexit, it is expected that DPA 18 will provide a data protection regime equivalent to GDPR.
The regulations apply to businesses and organisations who process or control personal data. That means the NHS and includes general practices and dental practices. A redesigned IG Toolkit is expected in April 2018 and should include the requirements of GDPR and DPA 18.
The key changes under GDPR were set out in a news item issued by NHS Employers as follows:
organisations will have to show how they've complied with the new law
penalties will be significantly increased for any breach of the regulation - not just data breaches
security breach notifications will be a legal requirement - to be notified within 72 hours
charges will be removed in most cases for provision of records to patients or staff who request them
trusts will be required to keep records of data processing activities
high risk processing will require a data protection impact assessment
data protection issues must be addressed in all information processes
there will be specific requirements for transparency and fair processing
there will be much tighter rules where consent is the basis for processing.
An action plan
Under GDPR, organisations must be able to demonstrate compliance. Some of the requirements to do so should be established good practice. However, health organisations are advised to develop an action plan to achieve demonstrable compliance.
The plan could include:
Appointment of a data protection officer whose job description meets GDPR requirements
Reviewing and revising evidence used for the IG Toolkit
Revising information governance policies, including on the introduction of new processes
Awareness raising among staff and managers
Identify the legal basis for each use of personal data
Update your communication materials to ensure people are properly informed of the use of their personal information and their rights to comply with GDPR transparency requirement
Revise your subject access procedures as GDPR removes the requirement to pay a fee in most cases and the time comply is one month instead of 40 days
Review your policy on notification of data protection breaches because GDPR extends the scope of the IG Incident Reporting Tool beyond NHS patient data
The Information Governance Alliance (IGA) has issued a useful briefing note on changes to data protection legislation, available via the NHS Digital website. It is has published other guidance and will be producing more which can be accessed here.
Help is available
Complying with these new data protection regulations may seem daunting and potentially time-consuming. I can help you – my expertise is in compliance at all levels within healthcare organisations. Email me to discuss your requirements firstname.lastname@example.org