GDPR - GPC - Blog 8

Things to do list

May 25th is fast approaching and practices are worrying about what to do. So, in no particular order, here is my “Things to do list”. Use it to make a plan or set a timetable.

  • Get someone to read the BMA, ICO and IGA guidance on GDPR [1]. If you are already reading this blog, it might as well be you.
  • Agree amongst the signatories to your NHS contract (usually the partner GPs, i.e. the organisation’s Data Controllers) to:
      • Decide whether you need a DPO. If you are an NHS contract-holding practice you must have one. See Blog 3.
      • Designate your DPO.
      • Give your DPO the resources the role needs: time, a desk and a workstation.
      • Make sure your DPO is up to speed with guidance from this blog and from the BMA, ICO, IGA and others [1].
  • Get your DPO to assist with:
      • Ensuring that the practice’s contract holders (the Data Controllers) are aware of their new responsibilities.
      • Drawing up a plan to reach 100% compliance with GDPR by a reasonable date, for instance 1 November 2018.
  • Arrange meetings with partners, salaried doctors, nurses, PAMs and all your staff to set out the broad changes GDPR brings.
  • Ensure that your CCG Practice IT agreement is signed.
  • Review what data processing you do within your practice.
  • Review what data processing is done on your behalf by external processors, and what data they use to do it.
  • Check with your CCG which local data extractions your practice is involved in.
  • Create and publish any necessary Privacy Notices (see the template PNs in this Dropbox, with more to follow).
  • Create and have available your Data Processing Register (arriving soon in this Dropbox).
  • Check with any non-NHS bodies, such as researchers or institutions, that you have suitable contracts and consents in place.
  • Check that you are collecting consent for non-direct-care communications with your patients. See Blog 5.
  • Revise your SAR handling arrangements to meet the new options and deadlines. See Blog 7.
  • Revise your data breach detection and reporting arrangements (coming soon to the Dropbox).
  • Set up a programme of GDPR training for your staff.

Dr Paul Cundy

GMC 2582641

3rd April 2018

[1] Guidance on GDPR from:

ICO https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

BMA https://www.bma.org.uk/advice/employment/ethics/confidentiality-and-health-records/gps-as-data-controllers and in this Dropbox

Information Governance Alliance (IGA)

https://digital.nhs.uk/media/37922/IGA-GDPR-GP-Advice-Note-v1-FINAL/pdf/IGA_-_GDPR_GP_Advice_Note_-_v1_FINAL

All content and images are the copyright property of
The Mid Mersey Local Medical Committee.
© 2014 - 2020. All Rights Reserved.