GDPR (General Data Protection Regulation)
The EU’s General Data Protection Regulation (GDPR) comes into force on 25 May 2018 and will be incorporated into UK data protection laws. It most probably will continue to apply even after the UK leaves the EU, not least because organisations in this country wishing to exchange data with those remaining in the Union will have to comply with its requirements. The GDPR consolidates and strengthens current data protection safeguards as developed under the Data Protection Act 1998 (DPA). The responsible UK authority, the Information Commissioner’s Office (ICO), considers that, if organisations are already compliant with the current data protection laws, they will find it relatively easy to comply with the GDPR.
Primary care providers should have a raft of policies and procedures that already meet the requirements of the DPA. A privacy notice based on this template, which follows ICO guidelines, will then help to show that the primary care service is serious about protecting the personal information it collects and processes from its patients, employees and others, and will show how it succeeds in doing this by providing an overview of its various policies and procedures.
The privacy notice should be a public document, available to patients and their families, staff and any third parties who might provide their personal information for any purpose, and in whatever ways, including on the organisation’s website and intranet if there is one. It should also feature in any training programme which the organisation introduces to deal with the GDPR.
What information we collect about patients, staff and third parties
As a primary care provider, we must collect some personal information on our patients, including personal health information, which is essential to our being able to provide effective care and support. The information is contained in individual files (manual and electronic) and other record systems, all of which are subject to strict security and authorised access policies. Personal information that becomes inactive for any reason is kept securely only for as long as it is needed, before being safely disposed of.
Employees and volunteers. The service operates a safe recruitment policy that complies with the regulations, under which all personal information obtained, including CVs and references, is, as with patients’ information, securely kept, retained and disposed of in line with the GDPR. All employees are aware of their right to access any information held about them.
Third parties. All personal information obtained about others associated with the delivery of the primary care service, including contractors and suppliers, will be protected in the same way as information on patients and employees.
What we do with personal information
All personal information obtained on service users, employees and third parties is collected and used in a way consistent with our purpose of providing a primary care service which meets all regulatory standards and requirements. It will not be disclosed or shared for any other purpose.
Who we might share information with
We only share the personal information of patients, employees and others with their consent on a “need to know” basis, observing strict protocols in doing so. Most information sharing of service users’ information is with other professionals and agencies involved with their care and treatment. Likewise, we would not disclose information about our employees without their clear agreement, e.g. when providing a reference.
The only exceptions to this general rule would be where we are required by law to provide information, e.g. to help with a criminal investigation. Under the terms of the GDPR, this is “complying with legal obligations”, an alternative to consent.
Where we provide information for statistical purposes, the information is aggregated and provided anonymously so that there is no privacy risk involved in its use.
How personal information held can be accessed
There are procedures in place to enable any staff member, employee or third party whose personal information we hold and may process in some way to have access to that information on request. The right of access covers both the information itself and any uses we may have made of it. A charge will be made for providing such information only where a request is held to be “manifestly unfounded or excessive” (particularly if it is repetitive). Even then, the fee will cover only the administrative cost of the work involved.