GDPR Update 2018

GDPR Web Updates - April 2018

We’ve reviewed and updated the following guidance on our website so that it reflects the new GDPR requirements. Not all of the guidance has changed significantly, but it may be useful for future reference.

Staff and Confidentiality:

The LMC is occasionally contacted by practices that have received complaints relating to a member of staff breaching patient confidentiality. In some of these cases the complaint relates to staff who are no longer employed by the practice.

Here are some suggestions all practices might like to consider:

  1. Check that all of your contracts of employment contain a clause relating to confidentiality (see the template clauses below). It is worth checking.
  2. Each member of staff should sign a confidentiality agreement. This should include all temporary staff, cleaners and other workers who are unaccompanied by a practice staff member while on the premises.
  3. At your next staff training event it is worth talking about patient confidentiality and reminding all staff of their responsibilities, not only whilst they work for you but also after they cease to work for the practice.

Serious breaches of confidentiality can result in the termination of a contract of employment. Individual members of staff who misuse data may be committing an offence under data protection legislation and may be prosecuted by the Information Commissioner's Office (ICO). A serious breach of confidentiality by a member of staff must also be reported to the ICO as a personal data breach, as the GDPR requires (within 72 hours of the practice becoming aware of it, where the breach is likely to result in a risk to individuals' rights and freedoms); the ICO will then decide whether to pursue a prosecution.

It is worth remembering that once a member of staff has left the practice there are no employment sanctions the practice can impose; any action against a former employee rests with the ICO.

If a patient wishes to take action, it is the practice and the partnership, as data controller, that would be held responsible.

Note: Template Data Protection Policy is under review and due to be published by mid June 2018.

Employment Contract Clauses:

Confidentiality & Data Protection

  1. All Employees must strictly adhere to the applicable GMC Guidance on patient confidentiality and the Practice’s Data Protection Policy.
  2. You must not use or disclose confidential information about the Practice’s patients or its business other than as expressly authorised by the Practice as a necessary part of the performance of your duties or as required by law.
  3. Confidential information about the Practice’s business includes (without limitation): business plans; forecasts; information related to research, future strategy, or any other sensitive financial information concerning the affairs of the Practice or its partners. 
  4. The duty of confidentiality continues in perpetuity. 
  5. The Employee shall comply with the data protection policy when handling personal data in the course of employment including personal data relating to any employee or the patients of the Practice.

Release of Data without Consent:

Patient data is sensitive personal data (special category data under the GDPR) and must always be processed in accordance with the data protection principles. It is also protected by the Human Rights Act, the common law duty of confidentiality, and the doctor's professional obligation to respect patients' dignity and privacy. Generally, the consent of the patient is required before any confidential patient data is disclosed to a third party. However, it may be permissible, or even essential, to disclose the minimum confidential data necessary for a legal purpose to a person who has the legal right to carry out a legitimate function and who is bound by a similar duty of confidentiality, without obtaining prior consent, if the disclosure is:

  • essential to prevent death or serious mental or physical harm to an individual or individuals
  • overwhelmingly in the public interest
  • to prevent / detect a serious unlawful act
  • to pursue due legal process

Any disclosure without consent must always be:

  • Proportionate
  • Legal
  • Necessary
  • Accountable
  • Justifiable

The doctor has potentially conflicting ethical and legal obligations to act:

  • to protect vulnerable children
  • in the best interests of patients
  • to protect the confidentiality of patients' sensitive personal data

BUT the safety of the child is ALWAYS paramount.

You must be prepared to justify any decision to release medical data without consent in a court of law or before the GMC.

If in doubt seek legal and professional advice from the LMC or your Medical defence organisation before disclosure.

Confidentiality after Death:

Access to Deceased Patients' Health Records

Note: the duty of confidentiality continues beyond death.

The Access to Health Records Act 1990 (AHRA) gives a small group of people a statutory right to apply for access to the health records of a deceased person: 'the patient's personal representative and any person who may have a claim arising out of the patient's death'. A personal representative is the executor or administrator of the deceased person's estate.

The personal representative is the only applicant with an unqualified right of access to the record and need give no reason for applying. Other applicants must establish a claim arising out of the patient's death. In all cases applicants should provide evidence of their identity.

Individuals who are neither the personal representative nor a person with a claim arising from the death have no statutory right of access under the Act. Where such individuals request access, the general rules that apply to the disclosure of confidential patient information should be used to determine whether a disclosure is appropriate and lawful, and requests should be considered on a case-by-case basis. Whether an applicant has established a claim arising from the patient's death is a decision for the record holder; where this is not clear, legal advice should be sought.

Record holders must be assured of the identity of applicants and, where an application is made on the basis of a claim arising from the deceased's death, applicants must provide evidence to support their claim.

A number of public bodies have the authority to require the disclosure of health information, including the courts (e.g. the Coroner's Court), legally constituted public inquiries, and various regulators and commissions. In these cases the common law obligation of confidentiality is overridden.

Applying for Access

Requests should be made in writing, contain enough information to enable the correct records to be identified, and give details of the applicant's right to access the records. It is helpful if specific dates or parts of the record are requested: the release of a complete health record needs a stronger justification than the release of an excerpt.

Once the record holder has the relevant information and any fee, the request must be complied with within 40 days, or within 21 days where the record has been added to in the 40 days preceding the application.

Disclosure in the Absence of a Statutory Basis

Such disclosures should be:

  • in the public interest;
  • proportionate;
  • judged on a case-by-case basis.

The public good must outweigh the obligation of confidentiality to the deceased individual and to any other individuals referred to in the record. The record holder must consider any preference for confidentiality expressed by the deceased before their death and any potential for distress or harm to any living individual. The views of surviving family and the length of time since death should also be considered (the obligation of confidentiality is likely to diminish over time).

Requests should demonstrate a strong legitimate purpose and, generally, a strong public interest justification as well as a legitimate relationship with the deceased.

It is good practice, when considering a request, to consult the Practice's Caldicott Guardian or governance lead and, where there is any doubt or complexity, to seek legal advice or advice from your medical defence organisation.

Fees

  • Records held manually: where an applicant is allowed to view the record and the record has been added to in the last 40 days, no fee may be charged. Where the record has not been added to in the last 40 days, a charge of £10 may be levied.
  • Records held wholly or partially on computer: where an applicant is allowed to view the record, a fee of £10 may be charged.
  • Hard copies of information: a reasonable fee may be charged, but it should not result in a profit for the record holder.

Exemptions

If the deceased indicated during their lifetime that they did not wish information to be disclosed, or wished it to remain confidential, then it should remain so unless there is an overriding public interest in disclosure.

If the record holder considers that disclosure would cause serious harm to the physical or mental health of any other person, access may be denied.

Similarly, if disclosure would identify a third party who has not consented to the release of the information, access may be denied.

Reference: Department of Health, 'Guidance for Access to Health Record Requests'.

Freedom of Information Act:

The Freedom of Information Act 2000 applies to all NHS bodies, including hospitals, and to doctors, dentists, pharmacists and opticians providing NHS services; it specifically includes any person providing general medical or personal medical services under the National Health Service Act. The Freedom of Information Act and data protection law (the Data Protection Act 1998 and, from 25 May 2018, the GDPR and the new Data Protection Act) are intended to operate in tandem: requests by individuals for access to their own personal information are dealt with under data protection law (as subject access requests), while requests for other sorts of information are dealt with under the Freedom of Information Act.

All disclosures are subject to:

  • the Freedom of Information Act exemptions;
  • data protection law, which permits disclosure of personal data to third parties only where there is a lawful basis for it (consent being only one such basis);
  • the Human Rights Act, which requires respect for the privacy of individuals;
  • the common law duty of confidentiality.

A doctor's disclosures are also subject to the duties of a GMC registered doctor to:

  • make the care of patients their first concern;
  • respect and protect confidential information;
  • respect patients dignity and privacy; 
  • work with colleagues in the way that best serves patients' interest;
  • be prepared to justify their actions to patients and colleagues.

Freedom of Information Model Publication Scheme

Most GPs in the UK with contracts to provide services to the NHS fall under the Freedom of Information Act 2000 (which covers England, Wales and Northern Ireland; Scotland has its own Freedom of Information (Scotland) Act 2002) and since 1 January 2009 have been required to operate a publication scheme under the Act. All such schemes must be approved by the Information Commissioner, who has provided a model scheme which you should adopt. Any publication scheme created before 1 January 2009 is now out of date and should be replaced with the ICO model scheme.

The Freedom of Information Act applies to all recorded information, whenever it was created (it is fully retrospective). The following are all covered by the Act:

  • paper files;
  • computer files;
  • internal e-mails.

You may also find the BMA FAQs on FOI useful: https://www.bma.org.uk/advice/employment/gp-practices/service-provision/freedom-of-information-act-faq 

If you receive a FOI request

If you receive a written or e-mailed request for information, you must generally comply within 20 working days (commencing the day after you receive the request), in the applicant's preferred format where practicable. There are, however, a number of absolute and qualified exemptions (see Part II of the Freedom of Information Act 2000). You need not supply the information if:

  • it is already available in your publication scheme or elsewhere, although you should direct the requester to where it can be found;
  • it is held with a view to publication at a future date and it is reasonable to withhold it until then. This exemption is qualified: if there is no significant public interest in withholding the information, it must be disclosed even before the intended publication;
  • the request is vexatious (a refusal notice is still required).

There is a particular expectation that public authorities will account for how they spend public funds. A practice’s NHS funding is unarguably public money, as is the expenditure on drugs prescribed by the practice’s clinicians. Only if a practice can make a cogent case that its (or another party’s) commercial interests would be harmed by disclosing details of the public money it is responsible for spending would it be justified in withholding that information.

It should be noted that the level of disclosure agreed for the publication scheme does not allow an individual GP’s personal income to be calculated. When completing the model scheme, practices may prefer the phrase “total practice funding” to “total practice income”. Clearly, the more information that appears in the publication scheme, the fewer requests for specific pieces of information the practice is likely to have to answer.

It is not necessary for practices to disclose information personal to their staff, for example their private income or pension contributions: this is third-party personal data and is exempt under section 40 of the Freedom of Information Act where disclosure would breach the data protection principles. Personal information about someone other than the applicant is referred to as third-party data.

Whilst the exemptions for commercial interests and personal data are the most frequently applied, other exemptions could apply. Details of the exemptions can be found at:

https://ico.org.uk/for-organisations/guide-to-freedom-of-information/refusing-a-request/

Please note that the default response to an FOI request is to disclose the requested information, not to seek an exemption. Exemptions should only be applied where there is a clear basis to do so, and only to the information to which the exemption relates. If a request asks for information about practice policies and expenditure and some items of expenditure are exempt on commercial-interest grounds, the rest of the requested information must still be disclosed.

If you intend to rely on an exemption that is subject to the public interest test (see the ICO guidance), you may take a reasonable extension of time to reach a decision, but you must still tell the requester within the 20 working days which exemption you are relying on and when you expect to decide.

If you apply an exemption that the requester disputes, they can (normally after asking you for an internal review) complain to the ICO, which will issue a ‘decision notice’ determining whether the exemption applies.

Fees for access requests

Most access requests are expected to be free. You may not charge for:

  • time taken to locate, retrieve, collate or extract information, unless the estimated cost of doing so would exceed the 'appropriate limit' of £450 for GP practices (based on a rate of £25 per hour);
  • time taken to write a covering letter to inform the applicant that the information is being provided.

You may charge a 'reasonable' fee that is not capped to cover the costs of:

  • informing the applicant that you hold the requested information;
  • summarising the information;
  • putting information into the preferred and requested format;
  • translating information into a foreign language, unless this is impracticable or the translation (for example into Braille) is required free of charge under the Equality Act 2010, which replaced the Disability Discrimination Act;
  • photocopying or printing (it is suggested that this would not exceed 10p per sheet);
  • postage or other forms of communication.

You should inform the applicant of the fee before incurring the costs.   

You will find more detailed information about the publication scheme on the Information Commissioner's Office website.

More to follow on SMS messaging, the Data Security and Protection Toolkit (aka the Information Governance Toolkit) and more!

What is the GDPR (General Data Protection Regulation)?

The GDPR is an EU regulation that applies from 25 May 2018. It strengthens the protection of personal data. The UK is enacting a Data Protection Bill which enshrines the provisions of the GDPR in UK law and provides for their continuity in the UK after Brexit. The Data Protection Act 1998 will be repealed at that point.

Compliance is essential: fines under the GDPR can reach a maximum of 20 million euros or 4% of annual worldwide turnover, whichever is higher.

The GDPR strengthens the controls that organisations (data controllers) are required to have in place over the processing of personal data, including pseudonymised data.

Headline Requirements

  • Mandatory appointment of a Data Protection Officer (DPO) for all public authorities
  • A requirement to demonstrate compliance with the new law
  • Legal requirements to notify the regulator (the ICO) of personal data breaches, within 72 hours of becoming aware of them, where the breach is likely to result in a risk to individuals' rights and freedoms
  • Removal of charges (in nearly all cases) for providing copies of records to patients or staff who request them
  • Requirement to keep records of data processing activities
  • Data Protection Impact Assessments required for high risk processing (including the large-scale processing of health-related personal data)
  • Data protection issues must be addressed in all information processes
  • Enhanced requirements to be transparent and inform individuals how their data is used
  • Where consent is used as the basis for processing health data it must be explicit (NB consent should only be relied on where the individual has a genuine choice about the use of their data; there are many other lawful bases that should be used to justify the use of data in health and care settings)
  • Specific requirements for transparency and fair processing
  • Tighter rules where consent is the basis for processing

Practices that are performing well in their information governance toolkit will have a good baseline to work from. However, organisations will be required to take specific actions and to be able to evidence that they have done so.

The Information Governance Alliance (see: https://digital.nhs.uk/data-and-information/looking-after-information/data-security-and-information-governance/information-governance-alliance-iga/general-data-protection-regulation-gdpr-guidance) has published general guidance and some resources for primary care.

The British Medical Association has published guidance at:  https://www.bma.org.uk/advice/employment/ethics/confidentiality-and-health-records/general-data-protection-regulation-gdpr  

The Information Commissioner's Office, which regulates data protection law, has published a couple of checklists which may be helpful: https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/

They also have GDPR specific webpages at:  https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr

And the GPC has advised the following:

  • Practices should already have data protection policies and procedures in place; under the GDPR they will need to be able to show that they are written down and accessible to staff and that staff are aware these policies are in place.
  • Practices should already know what personal data they hold, who can access them (and why), with whom the data is shared (and the legal basis for this), and what security measures are in place for storing and sharing; under the GDPR it will be a requirement to have an audit/record to state the above, which can be provided to the ICO upon request (e.g. if there is a complaint from a patient about a breach or non-compliance).
  • Practices should already have ‘fair processing’ or ‘privacy notices’ displayed in the practice and on the practice website. These notices should explain to patients how their data might be used, when they might be shared and with whom and any rights of objection.
  • Practices need to be able to demonstrate their compliance with the regulations upon request – at present they just need to be compliant; under GDPR they will need to be able to demonstrate that they have all policies and procedures in place, as well as a record of the above. Essentially if the ICO turns up at a practice, they need to be able to provide them with a document showing all of the above.
  • Penalties for data breaches, including not being compliant and not being able to demonstrate compliance are much higher under the GDPR. The regulator (ICO) can take action to enforce compliance and where an issue has caused (or is likely to cause) harm or distress can impose a significant financial penalty. 
  • Practices will no longer be able to charge a fee for patients to access their own information.
  • Practices which are already compliant with the Data Protection Act 1998 will be in a strong position for the introduction of the GDPR. The BMA has existing guidance on GPs as data controllers under the DPA, which you can read here.

All Content and Images are  the Copyright property of
The Mid Mersey Local Medical Committee. 
© 2014 - 2018. All Rights Reserved.