GDPR in the health and social care sector
The Data Protection Bill was introduced in the House of Lords in September. The Information Commissioners Office (ICO) has recently outlined the subject matters of the guidance which it will publish this year and in early 2018.
It is a useful time to highlight some of the key changes resulting from the General Data Protection Regulation (GDPR) for those operating in the health and social care sector in a series of briefings.
We anticipate that throughout the course of the countdown to GDPR, concerns will mature and multiply. We can help you to identify the areas of your operations which require consideration and modification in the run up to the GDPR taking effect on 25 May 2018.
The principles contained within the Data Protection Act 1998 (DPA) and the GDPR are broadly the same, albeit detail concerning data subject rights and transfer of personal data overseas can be found elsewhere within the GDPR.
Article 5 GDPR contains the principles and requires that personal data shall be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- Accurate and, where necessary, kept up-to-date. Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, is erased or rectified without delay
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
Article 5(2) states that the controller shall be responsible for, and be able to demonstrate, compliance with the principles. This is a new requirement and is arguably the most significant addition to the relevant principles.
There are references within the GDPR to adhering to Codes of Conduct and certification schemes. However, we do not yet have details of these.
How can I demonstrate compliance?
The Information Commissioner Office’s guidance note states that you must:
- Implement appropriate technical and organisational measures that ensure and demonstrate that you comply. This may include internal data protection policies such as staff training, internal audits and processing activities, and reviews of internal HR policies
- Maintain relevant documentation on processing activities
Organisations of 250 employees or more will also have an obligation to maintain internal records of processing activities, as well as compiling comprehensive policies. Those with fewer than 250 employees will have an obligation to document activities concerning high risk processing.
- Where appropriate, appoint a data protection officer
- Implement measures that meet the principles of data protection by design and data protection by default
- Use data impact assessments where necessary
The position is somewhat fluid and of course many aspects of the new regime will be the subject of guidance in the coming months.
Having considered the GDPR in light of the business activities of our clients we have identified the following areas as those where some thought will be required:
- Processing conditions, privacy notices and contracts
- Security arrangements
- Rights of data subjects
- Responding to subject access requests (SARs)
- Role and responsibilities of data protection officers
- Breach and enforcement action
Please refer back to our website for information in relation to the above in due course.
Further introductory guidance can be found here:
- ‘Overview of the GDPR’ from the ICO – this is a living document and is revised and updated regularly
- ‘12 steps to take now’ from the ICO
- Data Protection Bill Fact Sheet, produced by Department for Digital, Culture, Media and Sport
- The Information Commissioner’s blog also addresses some of the misinformation and myths that have formed around data protection reform generally
For more information or guidance, please contact:
T. 020 7227 7455
This briefing is for guidance purposes only. RadcliffesLeBrasseur accepts no responsibility or liability whatsoever for any action taken or not taken in relation to this note and recommends that appropriate legal advice be taken having regard to a client's own particular circumstances.