GDPR - GPC - Blog11

11 Blog Eleven: I’m an LMC*, what’s in it for me?

I’ve referred to LMCs in the DPO blog, but here are some hopefully helpful pointers, in typical lucid, concise and to-the-point LMC style, aimed at an LMC or LMC officer audience.

BIG note. This blog, as with all the others, represents my opinion from reading the actual text of the various laws, regulations and official guidance, not once but by now literally dozens of times. I stand by it as my informed expert opinion as the IT lead for the GPC. I am not, however, a lawyer. These blogs are in the process of being adopted and moved over to the main BMA web site.

In the meantime GDPF has commissioned lawyers to provide LMCs with a definitive GDPR package which will include definitive legal advice.


I’m an LMC, does GDPR apply to me?

Yes, obviously

Why?

Because you are an “undertaking” under EU law and process at least “personal data”.

What’s an undertaking?

Anything that offers services or products.

12.5 What’s personal data?

Personal data means “any information relating to an identified or identifiable natural person; (the stem ends there, everything that follows is explanation about how a person can be identifiable) an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”

…but that’s not all

As an LMC you probably also process “special category” personal data which are defined as “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation”

So, if you hold any constituents’ ethnic background on your database, let alone get involved in pastoral care, complaints, investigations, GMC actions, performance reviews, practitioner health issues etc., this is all considered under GDPR to be “special category” data and it requires extra protection.

To be clear: personal data or special category data, are these different entities?

No. Wrong. Please note the distinction and read the words in italics in para 12.5 carefully. There is not personal data on one hand and a separate, standalone category of special category data on the other; everything is personal data, but within the entirety of this all-encompassing envelope there are types of data that are special in their sensitivity and thus subject to enhanced treatment. All data is personal, some personal data is special, all special category data is personal.

Ergo…

…as an LMC you must comply with GDPR. This means:

Lawful processing under Article 6

You must have a lawful basis for processing any personal, non-special category data, and the options available start under Article 6. If you also process special category data, you must have both an Article 6 and an Article 9 justification. Article 6 applies to all personal data, anything about an identifiable person; Article 9 is the added protection and applies to any special category data within the personal data you process. See my blog, Blog 6 Articles 6 and 9 deciphered.

So, what are our Article 6 options?

Under Article 6 there are three potential justifications: consent (Article 6(1)(a)), contract (Article 6(1)(b)) or legal obligation (Article 6(1)(c)).

Consent is obvious enough. Consent under GDPR is burdensome.

Contract would not be covered by the practice’s GMS or PMS agreement with NHSE (which refers to the LMC) because it is not a direct contract between the LMC and the signatories and is certainly not a contract between the LMC and any GP provider employed by the practice. To be valid the LMC will have to have their own contract with every constituent. This one doesn’t fly.

Legal obligation. LMCs are the bodies recognised by statute as representing GPs. There is therefore a clear and unambiguous legal obligation justification. Paragraph 97 of the NHS Act and its subsequent amendments under the HSCA 2012 create an option for NHS England* to:

  • recognise a committee formed for an area
  • to be named a “Local Medical Committee” (LMC)
  • to act as representative for the GPs in that LMC area
  • who must be either:
    1. contracted to provide primary medical services, or
    2. providers of primary medical services who have notified NHS England* that they are represented by that LMC.

So, this captures both contractors (aka provider GPs) by default and performer GPs (i.e. sessional, retainer and employee GPs), no matter what their employment status, as long as they’ve told NHS England*.

That just about fits the bill for me.

So, performer GPs who have not notified NHS England* won’t be represented by the LMC?

Partly true. Yes, they can be represented: the LMC can represent anyone for any other purpose it and the provider GP agree, but for the specific purposes of interfacing with NHS England*, for that representative role to be recognised they must nominate the LMC.

LMC role for these performer GPs

If the performer GP has not nominated the LMC then the LMC cannot rely upon the Article 6(1)(c) lawful basis for possessing and processing their data and will have to find another justification.

What other basis?

Consent would appear to be the best basis, but that opens a whole can of worms (see later, and my blog on consent, Blog 17).

To avoid that can of worms?

They need to notify NHS England* which LMC they wish to represent them (and arrange to contribute to the levy; no representation without taxation!). If they are being represented by an LMC, their share of the LMC’s costs is worked out and levied by their nominated committee directly (NHS Act 2006, Section 97, para 11).

LMCs do a whole range of stuff, what’s the limit of that representation?

Indeed, they do. Too much to mention here, and you’ll know that anyway. The NHS Act legal obligation to represent is not limited by the statute. It simply says that the LMC is “representative of”, so there is no limitation on the range of activities that can be represented. I would interpret this to mean the LMC can act as foil to anything the CCG wants to raise with GPs. Put another way, if the GP(s) is (are) under the LMC’s representative wing, then whatever matter the CCG raises, the LMC will be responding as a representative.

Will that cover everything?

Everything the CCG wants to raise under the Acts. There’s an equal argument that, as a representative of local GPs, the LMC can make representations on any matter under the Act to the CCG. It’s a two-way street.

What about other stuff not under the Acts involving the CCG?

Such as GMC, CQC, practitioner health issues etc.? Yes. Anything that’s not raised via the CCG/LMC relationship will have to be covered by another legal basis, but that sort of thing is getting a bit special; see later.

And what would that additional legal basis be?

That can of worms again, consent. Article 6(1)(a).

So, for personal data Article 6(1)(c) covers most of an LMC’s activities and very rarely Article 6(1)(a) may be required.

And what about their special category data?

Even if you hold just your constituents’ ethnic data or BMA membership information, let alone health data, that needs Article 9 cover because this is “Special Category data”.

Indeed, imagine you are defending a fitness to practice investigation based on alcohol excess or other misuse. That’s firmly in the special category envelope so an Article 9 justification is required.

Which one?

Looking through the options available: (a), consent, is the can of worms (see later); you’re not their employer (9(2)(b)); they won’t be unconscious (9(2)(c)); I doubt the data will be in the public domain (9(2)(e)); and I can’t see any of the remaining (f) to (j) applying.

So that leaves only one: processing carried out under Article 9(2)(d).

Which reads in full but with my italics:

“processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects.”

So how does that fit for an LMC?

LMCs are not foundations or associations but are usually a “not-for-profit body”, so that fits.

“Political, philosophical, religious or trade union aim”: which of these apply?

Political, probably, although not in the sense of party politics. LMCs should be politically agnostic. So that may not fit.

Are you wedded to the philosophy of the NHS? Indeed, bathed in the glory of defending the NHS? I’d be surprised if any LMC didn’t want to associate with this. So that fits.

Are you acting with “trade union aims”?

Clearly LMCs pursue many of the activities that a trade union would pursue, but locally rather than nationally. It’s a fact that some of the negotiations carried out by LMCs, for instance negotiating LESs, are directly delegated from the national contract negotiations; this is absolutely the work that a trade union would do.

Can you act “with a trade union aim” and not be a trade union?

Yes. And remember the LMC receives the levy which is a political taxation so you are doubly covered.

If you act “with a trade union aim” are you liable to trade union law?

Not if you are not a trade union and LMCs are not trade unions.

But we’ve vehemently argued for years that we’re not a trade union and we can’t call GPs out on strike, how can I now claim trade union alignment?

Because you’ve been right all along but the rhetoric needs to align with changed circumstances. You are not a trade union but because you represent local GPs in some trade union type activity you can rely upon Article 9 for legal cover under GDPR.

And if we don’t want to be associated with trade union activities or aims?

Then you’ll have to rely on another legal basis. Over to you.

And the other criteria that apply in Article 9(2)(d)?

“on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it”. Well, that is firmly satisfied.

“in connection with its purposes”. Well, obviously; see above and the statutorily defined purpose: they represent local GPs. This condition is satisfied.

“and that the personal data are not disclosed outside that body without the consent of the data subjects.” This is easy enough to satisfy.

To sum up

So, in my opinion the LMC is covered for processing constituents’ special category data under Article 9(2)(d).

Would that cover everything?

Well, just as for the Article 6 justifications, potentially not. One could imagine circumstances where special category data about a GP needed to be processed by an LMC that lay outside its trade union, philosophical or political activities. The primary purpose of an LMC is to act as the local representative body for the CCG. Therefore, one could argue that anything not related to the CCG lay outside its purpose. In those circumstances Article 9(2)(d) will not suffice, so you’d probably be back at Article 9(2)(a), consent. Thinking DPIA will help you identify when Article 9(2)(a) should apply.

So, my conclusion is…

So, my conclusion is that for the vast majority of LMC activity they are covered by Articles 6(1)(c) and 9(2)(d), but on very exceptional occasions, and for individual GPs on a case-by-case basis, they may need to act under Articles 6(1)(a) and 9(2)(a) and seek GDPR-compliant consent for that processing event, such as a complaint, disciplinary, performance or revalidation hearing.

Hey, but we also interface to practice managers…

Practice managers are not GPs, and your 6(1)(c) and 9(2)(d) justifications only apply to GPs. However, I would argue that practice managers are acting as representatives of the contractor GPs covered by the NHS Act. So there is no problem.

In terms of “marketing” existing managers on your databases are covered by the “soft opt in” discussed in Blog 5. Newly appointed practice managers added to your databases will need to be consented to receive marketing materials.

Caught by consent

It does not matter whether it’s either Article 6 or 9 consent, if consent is triggered it must be fully complied with.

And the consequences of consent are?

Consent under GDPR is a very specific thing. So specific there’s a blog about it. The headline alert is that existing consent may not be enough and must be updated before 25th May. Current constituents who have previously been consented and who are still being represented by the LMC will have to have their consent validated against the strict GDPR criteria; any that are not GDPR compliant will have to be re-consented, except for marketing, newsletters or announcements (see “soft opt in”, Blog 5 Texts and E-mails). This needs to be done by 25th May. All future constituents needing representation beyond the NHS Act will need to be fully GDPR consented.

And more consequences of relying on consent?

Apart from the need to review every constituent’s existing consent you mean?

When and if you do rely on consent, then there are downstream implications:

No right to object

Constituents have no right to object to processing. They exercise their right to withdraw consent instead. You don’t need the former if you have the latter.

Erasure

Yes, they have a right to erasure: because you are relying on consent, the DS has a right to have their personal data deleted. However, they must withdraw consent for processing first.

Restriction, Article 18

DSs have the right to request that you restrict the processing of their personal data if:

  • the accuracy of their data is being verified, they having contested its accuracy;
  • there’s been unlawful processing, and the DS opts for restriction rather than erasure, i.e. to preserve the evidence;
  • the data is needed to establish, exercise or defend a legal claim.

The restriction, once activated, means you can only store the data.

Portability

If consented, a constituent will have a right to portability. Remember that this only applies to data they provided to you directly. However, via SARs and TSARs (Article 12) they have a right to copies of all their data, and it’s assumed that these will be provided in electronic form, so that right to an electronic copy of everything pretty much overlaps the Article 20 right to portability. For an LMC, portability and SARs look pretty similar. If you wanted to, you could provide it as a Word file, a spreadsheet, an Outlook contact or a VCF file; all would suffice.

SARs and TSARs

There’s a Blog on SARs. Of relevance to an LMC is the fact that you’ll almost never be able to charge a fee for providing copies of the data you hold on a single member.

Other stuff

Do I need a DPO?

No, highly unlikely. DPOs are mandated only in certain circumstances: you are not a public body, you are not spying on anyone and your processing is not large scale.

Large scale, but we are huge, bigger and better than Wessex!

“On a large scale” is not specifically defined in the actual text of GDPR, but there are pointers in the various guidance documents: in terms of employees, over 250; in terms of members, or the activity, scope and volume of records processed, the size of a hospital. Ergo, no matter how megalomaniacal your ambitions, no LMC is going to be considered so large that it is mandated by GDPR to have a DPO.

OK, so are there any other consequences of being a mega-LMC?

Yes, read to the very bitter end…

Can we have a DPO if we want one?

Yes, an undertaking can elect to have a DPO voluntarily. That election can be varied, so you can dip in and out on an as-needed basis.

I would think it prudent for every LMC to have access to DPO level advice.

If we don’t have a DPO can we forget GDPR?

No. Although the absence of a DPO does not equate to not complying with GDPR, neither does it let you off complying.

Does our DPO need to be an expert?

See Blog 3 for anything more on DPOs.

What else do I need to do?

You’ll need a Privacy Notice (here’s one I prepared earlier) and a Data Processing Register, although as a non-large-scale undertaking the latter can be an abridged one.

DPIAs

See my blog on DPIAs. Basically, it’s inconceivable that any LMC, no matter how large, would ever need to submit a formal DPIA to the ICO. Obviously you will need to be “think(ing) DPIA” all the time, but submitting one to the ICO is highly unlikely.

Documentation

As a non-large undertaking, or small to medium-sized in common parlance, you will only need an abridged Data Processing Register.

Marketing and communicating

See Blog 5 Texts and E-mails for advice on marketing and communicating with your members. If you want to invite them to a talk or roadshow, you’ll either need to have been doing so for that member prior to May 25th (the “soft opt in”, relying on previous historic behaviour and practice) or, for a new member, have their prior consent.

The beginning of the bitter end: Regions enslave localities

So I’m a super mega regional LMC, how does GDPR apply to me?

There are several so-called “regional LMCs” spread across the land. This is interesting because an LMC only exists in law to meet the NHS Act para 97 requirement that NHS England* has the option to recognise a local committee “formed for an area,…”, which then represents the GPs in that area. These regs were clearly written with disruption in mind, because it follows:

    • that NHS England* may choose not to recognise an LMC; there could be LMC-free areas!
    • that there can be only one LMC recognised for a specified area, but NHS England* could recognise LMCs with overlapping areas.
    • that there is no link or requirement for the area to be co-terminous with any natural or other boundary.
    • that they don’t have to map to a CCG area, an STP footprint or a borough council.

More quiz night stuff

It is the recognition by NHS England* that empowers the LMC. If the LMC is not recognised by NHS England* the LMC has no statutory status and thus cannot rely on Articles 6(1)(c) and 9(2)(d) for its lawful processing.

So, for instance, in my patch I am a Merton GMS contract-holding GP; we have a Merton LMC but there is also a Londonwide LMC. To rely on 6(1)(c) and 9(2)(d) for lawful processing, both will need to be recognised by NHS England*.

Is that possible?

Yes. Because a local and regional LMC do not have the same areas they can both be recognised by NHS England*. They can thus both rely upon Articles 6(1)(c) and 9(2)(d) for lawful processing.

So both could be recognised by NHS England*?

Yes. But if both are recognised, then both have to work out their expenses (NHS Act Section 97, subsections (9), (10), (11) and (12)) and NHS England* will deduct both sets of monies from the provider GPs in the relevant area. Presumably they will split the costs.

Or there is an alternative approach

The NHS Act 2006, Para 97, subsection 5, as amended by HSCA 2012, allows the recognised LMC to delegate its powers and activities to a subcommittee made up of members of the recognised LMC. So, in my example, if Londonwide were the recognised LMC, Merton LMC could be a subcommittee made up of members of Londonwide and could thus lawfully rely upon Articles 6(1)(c) and 9(2)(d).

The reverse would not be possible: a Londonwide LMC cannot be a subcommittee of one of its constituent parts. In that case Londonwide would need an alternative basis to process their data.

Additionally

If performer GPs want to be represented by both, they will have to tell NHS England* about both LMCs.

That’s going to be a big LMC!

It is.

For the avoidance of doubt

Where there are regional and local LMCs, there needs to be a clear understanding as to which are recognised by NHS England*, or whether the smaller is a subcommittee of the larger. Otherwise, after the 25th May one or other will fall foul of GDPR.

So, if I’m a “regional LMC” but not recognised by NHS England* what does it mean for me?

In a word, trouble.

You cannot rely upon 6(1)(c) or 9(2)(d) and will almost certainly have to rely upon 6(1)(a) and 9(2)(a), consent, and that consent must be made fully GDPR compliant by 25th May 2018.

So what does this mean?

You can either seek recognition or establish a committee/subcommittee relationship with your local LMCs. Remember that local LMC subcommittees must be made up of members of the larger recognised LMC.

or

you will need to get GDPR-compliant consent prior to 25th May 2018 for every GP and any other person on your database,

or

cease processing their personal data.

LMCs as employers

LMCs are also employers, so read Blog 16, Those you employ.

Dr Paul Cundy

GPC IT Policy Lead

1st May 2018

* This is unashamedly written for England; the devolved nations will need their own specific equivalents of the 2006 NHS Act. However, the GDPR Articles apply to all.

For “NHS England” read “NHS England and/or any CCG to which it has devolved delegated powers”.

All Content and Images are the Copyright property of
The Mid Mersey Local Medical Committee.
© 2014 - 2020. All Rights Reserved.