Background
The General Data Protection Regulation (GDPR), the successor to 1998’s Data Protection Act, is now live throughout the EU. Brexit or no Brexit, it will remain law for the UK. It should be welcomed, as the volume of data in our everyday lives has exponentially grown over the past twenty years. The primary function of this new piece of legislation is to enable the individual to take greater control over the security and privacy of their own personal data. Security and privacy are not the same: If I am at home and close my curtains I have complete privacy – but someone could still break through my window, so I need security. If I’m at home and I have a wonderful alarm system, but my curtains are wide open, and the lights are on – someone can see what I am doing, so I also need privacy.
Our GP IT systems, known as GP Systems of Choice (GPSoC) are robust and practices’ governance systems are longstanding – GPs are generally very good at protecting our patients’ data. But the GDPR introduces some new concepts – such as accountability. Accountability is central to GDPR: data controllers (practices and their partners) are responsible for compliance with the principles and must be able to demonstrate this to patients and the regulator.
So too must individual GPs in their day to day practice, and this is especially relevant if you may work in a number of practices as a locum or portfolio GP. The new accountability and transparency requirements mean we should be upfront with our patients and clearly document our lawful basis for processing their personal data – relevant examples are below.
Relevance to GPs
As GPs we deal with highly sensitive personal data with every patient interaction. GDPR is relevant to every GP, irrespective of their contractual status, and data protection is everyone’s responsibility.
The practice contract holders, the partners, are the data controllers. There will also be a local data protection officer. Depending on local arrangements this may be a large practice, an individual nominated by a CCG, or a federation for example. It is sensible to familiarise yourself with who your local DPO is – there may be more than one if you work across different geographical areas. The DPO is there primarily for advice and monitoring – they cannot also be a data controller as that would be too great a conflict of interest.
GDPR has also received widespread media attention and patients may ask you questions about the privacy and security of their medical record during a consultation, e.g. subject access requests (SARs) or restriction of data. These queries should be passed to the practice manager who will manage the query on behalf of the data controller(s). Practices, as data controllers, will have policies in place for compliance with GDPR – it is important that every GP working in the practice follow these local policies and procedures.
Key facts relevant to Sessional GPs:
Data Breaches
If you become aware of a data breach (e.g. breach of confidentiality; accessing patient records for personal not professional use; confidential patient information found outside of a practice) you must immediately inform the data controller(s), and they in turn will be required to notify the Information Commissioner’s Office (ICO) without undue delay, and where feasible no later than 72 hours after becoming aware of the breach.
This is in addition to the duty of candour to inform patients of such breaches. It is important to distinguish between the common law duty of confidentiality (which remains in place) and the GDPR. Clinicians sharing information amongst the wider healthcare team that is providing ongoing care to a patient, can still rely on implied consent e.g. a GP referral to secondary or community care.
GPDR itself provides a lawful basis for sharing information in order to provide healthcare. Whilst explicit consent is not required for this purpose, practices (in their role as data controller) must ensure they identify the appropriate lawful basis for sharing personal data – and make that clear in their practice privacy notices.
Accessing Personal Patient Data
Where previously we may have relied on the concept of implied consent, with GDPR in place it may be wiser for a GP who for example, wishes to follow up a patient after the clinical encounter has ended (either for the purposes of CPD, reflection or safety netting) to seek explicit consent from the patient during the consultation. Given this access to personal data will be lawful, professional and relevant – there should not be any barriers to this, but it is demonstrative that the GP is being mindful of our new responsibilities.
GDPR advises us to reflect on whether we use patient’s personal data in a way that they would not expect. This is particularly pertinent to a peripatetic locum GP who may not regularly provide services from a specific practice location, but who may wish to learn of the outcomes of a clinical encounter. This is where the written documentation of verbal explicit consent to follow up within the patient’s record would be helpful, as it would allow this GP to contact the data controller(s) and learn of the outcome of their diagnosis and/or treatment. The GMC is also clear that explicit consent should be sought for disclosure purposes such as this.
Practice Education
It may be the case that the practice manager will include you in some practice-based education sessions on the impact of GDPR, you would be wise to accept this. Furthermore, if there is a change in IT platform or GPSoC for the clinicians in a practice, you may be asked to review the practice’s data protection impact assessment (DPIA) and to familiarise yourself with its content.
Practice Education
It may be the case that the practice manager will include you in some practice-based education sessions on the impact of GDPR, you would be wise to accept this. Furthermore, if there is a change in IT platform or GPSoC for the clinicians in a practice, you may be asked to review the practice’s data protection impact assessment (DPIA) and to familiarise yourself with its content.
Patient’s Rights
There are certain rights within GDPR including the right to rectify; the right to object to the processing of one’s own data; place restrictions upon it, or move it; and the right to erasure. This does not mean a patient can insist on removing key events from their medical history – if a patient requests an amendment(s) to their clinical record, it would be wise to flag this with the practice manager and advise the patient to discuss this with the practice’s data controller(s).
Local information and GMC guidance
The GMC has guidance on confidentiality and all doctors should continue to follow this: www.gmc-uk.org/ethical-guidance/ethical-guidance-for-doctors/confidentiality
Locally, Cambridgeshire & Peterborough CCG, like many others, is supporting its member practices by taking on the role of Data Protection Officer whilst these new regulations ‘bed in’.
Any queries around GDPR can be emailed to the generic inbox at the CCG: [email protected]