GDPR May 2018
The EU General Data Protection Regulation (GDPR) becomes enacted on the 25th May 2018 and will standardise data privacy and protection laws across Europe. The UK government is equally committed to this process. As a result, there may be some further fine tuning of this process following on from the Brexit transition. It will also affect companies outside of Europe as it applies to any entity that processes personal data tied to offering goods and services to, or monitoring behaviour of, European data subjects. The GDPR has implications for all healthcare service operators; with in the NHS and Private sectors.
GP-Plus is very much aware of its obligations as a data processor under the GDPR and we are committed to discharging these obligations in a robust and professional manner. All the activities here at GP-Plus remain underpinned by the same ongoing obligations regarding patient and client confidentiality and always remain an essential part of the core “duties of a doctor” and there are high expectations which are also enforceable by our professional body (General Medical Council) and this will continue in the same vein. This applies to Occupational Health (business to business) related activities just as much as it does for ordinary private GP services. As part and parcel of our ongoing GDPR compliance efforts we will continue to review, improve, refine and document our security measures to protect any of our patients and clients against any unauthorised access, use or disclosure of the content we protect. As well as providing direct private patient care, GP-Plus also provides occupational and Company medical services on behalf of third party employers and it is important that all service users and agents have confidence in all aspects of our service and the data that we must process to effectively do so.
The medical director (Dr Peter Copp) has always been the Data Controller for GP-Plus and will remain so and he will also be primarily responsible for dealing with any of the measures required to facilitate best practice and all related data/GDPR matters and taking full cognisance of the newly emerging legislation. Dr Copp also welcomes any informal or other feedback about any of these statements and how they are interpreted by others (email@example.com). We have (as per legislation) produced a privacy notice which is available on our website (www.gpplus.com): Please go to the foot of any web page to click on the “data compliance policy” option. Furthermore, as part of our extensive obligations to the inspectorate here in Scotland (Healthcare Improvement Scotland) all policies (including those relating to data processing and the GDPR) are assessed and monitored by them for appropriate compliance.
What GDPR will mean for patients/staff?
- Must be processed lawfully, fairly and transparently.
- Collected only for specific, explicit and legitimate purposes.
- Must be limited to what is necessary for the purposes for which it is processed.
- Must be accurate and kept up to date.
- Must be held securely.
- It can only be retained for as long as is necessary for the reasons it was collected.
- Being informed about how their data is used.
- To have access to their own data.
- To ask to have incorrect information changed.
- To restrict how their data is used.
- Move their patients/staff data from one organisation to another.
- To object to their personal information being processed (in certain circumstances).
The GDPR will supersede the current Data Protection Act (DPA). It is like the Data Protection Act (DPA) 1998, with which GP-Plus already fully complies with: but further strengthens many of the DPA’s principles.
The main changes are:
- The Practice must comply with Subject Access Requests (see appendix 1) – a written signed request from an individual to see what information is held about them – like where we require your consent to process data. This must be freely given, specific, informed and unambiguous.
- New special protection for personal data.
- The Information Commissioner’s Office must be notified within 72 hours of a data breach.
- Higher fines for data breaches.
There is a lot of guidance available on line to explain all these issues in much greater detail. The Information Commissioners Office website is generally highly informative and very reliable: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
Information for individuals is also available there; for example, a subject access request SAR) can be read about at: https://ico.org.uk/for-the-public/personal-information/ (or ask GP Plus reception/see appendix 1)
Existing patients and clients of GP-Plus are very welcome to make direct contact with us at any time to make any kind of enquiry about their existing data and how this is stored/protected. Every effort will be made to reply to you as quickly as possible but initially, all queries will be dealt with only by the Medical Director. Thank-you for your forbearance and be rest assured, that for most of services provided by GP-Plus; business and service will essentially continue along the same lines.
We will in due course be asking all existing users coming back for future appointments to review our new patient form (also on the website) and re-sign a copy for their GP-Plus records: to update and refresh this professional service ‘relationship’.
Dr Peter Copp May 21, 2018