GDPR - GPC - Blog 15
Blog Fifteen, Documentation
Article 30. Oh joy, at last, we get to the paperwork.
Well, if you’ve come this far you’re the sort that loves paperwork anyway. But be not underjoyed, it’s actually not that difficult for NHS GPs because of that “non-large” thing again.
In fact, as it’s only one Article, Article 30, what I propose to do is run through it with you line by line; we can feel our hearts sink and then rise…
As with my Blog 6 deciphering Articles 6 & 9 my words are the ones in blue.
It’s worth remembering that GDPR moves the old DPA from passive to active: under the DPA you had laws to obey, but under GDPR you must be compliant with all of it, and to be compliant you need records to prove it. Yes, that heart’s sinking, isn’t it, beginning to feel like CQC…
So it begins
Records of processing activities
- Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility.
That’s you, the DC (data controller), who will maintain, i.e. keep up to date, accurate and apposite, a record.
That record shall contain all of the following information:
That’s a “shall”, meaning MUST: this record must contain the following.
- the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;
- that’s easy enough
- the purposes of the processing;
- you can derive that from your Practice Privacy Notice(s)
- a description of the categories of data subjects and of the categories of personal data;
- OK again that’s pretty straightforward.
- the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
- where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards
- unlikely to apply unless you use remote dictation
- where possible, the envisaged time limits for erasure of the different categories of data;
- so, this is caveated, “where possible”. Basically, for medical records it’s according to the various laws that apply. Remember GPs keep their electronic records forever. The paper records of ex-patients are managed by NHS England (and/or their delegated CCG).
- where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
- So, this will be, for example and not in any way exhaustively: NHS supplied and maintained IT, GPSoC systems, NHS smartcards, N3, confidentiality under GMC, NHS Act, training, contracts of employment, the IG Toolkit, appraisal etc. A list of all those elements that make up your overall privacy and confidentiality environment.
2. Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:
- the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or the processor's representative, and the data protection officer;
- the categories of processing carried out on behalf of each controller;
- where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
- where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
This paragraph 2 is crossed out in the original because it all applies to your processors, not you.
- The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.
- Understood, so available in the waiting room and on your website.
- The controller or the processor and, where applicable, the controller's or the processor's representative, shall make the record available to the supervisory authority on request.
- There’s that evidence of compliance thing. Keep the file next to the CQC one.
- The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.
Ah ha, our hearts can lift, because unless you are a GP at Hand, Hurley or equivalent, the average NHS general practice is nowhere near this 250-employee threshold. So, paragraphs 1 to 3 only apply to your processing that is high risk (been there, done that), is routine (yes, well, we have a lot of that), or involves Article 9 data (i.e. health and the like).
Now a quick reminder of what “processing activities” in the first sentence means.
Processing is: “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”
Yes, that’s it; most of this can be derived directly from your Privacy Notice.
So how do we actually do it?
Well, I’d suggest a spreadsheet. There’s one here prepared by the ICO; if you’re dosed up on propranolol, visit scaryspreadsheet. Alternatively, there’s one that I prepared here as a cut-down “NHS GP in England not sending data abroad” version of the really scary one. I’ve started it off but you can embellish it. It has optional columns that can link to the Article 12, 33 and 35 recording responsibilities.
Is there anything else I need?
Yes, your Practice Privacy Notices as per the links above.
And here endeth the paperwork.
Except there is one large-scale caveat: as we know, GDPR does not come in until 25th May 2018. Although GDPR says what it says on the tin, the Working Party delegated to produce definitive guidance and convert it into practical paragraphs we can understand has not yet adjudicated on Article 30; like me, they’ve left the boring bits to last. So be warned, this blog may have to be revised!
Dr Paul Cundy
GPC IT Policy Lead
29th April 2018