Our Standards and Ethics Policy Manager, Kiersty Griffiths, talks about changes to data protection regulation and what it means for all doctors.
On 25 May 2018 the EU General Data Protection Regulation (GDPR) replaces the UK’s Data Protection Act 1998 (DPA), and will become part of UK law after we leave the EU.
A lot has changed in the twenty years since the DPA was passed. New technology and social networks make it easier than ever to access, use and share data. This is why it’s important to make sure data protection laws are fit for the age we live in. The GDPR brings everyone up to date, by strengthening and unifying data protection for all individuals within the European Union (EU).
We recognise you may feel nervous about the GDPR and what it means for your day-to-day work. While there will be some changes to the way we all handle personal data, the GDPR builds on foundations which we have all been following for the last 20 years.
What you need to do
Firstly you should follow our Confidentiality guidance to be confident that you’re meeting our expectations of doctors’ conduct when sharing patient information. There won’t be any fundamental changes to the guidance. But we’re making the principles around disclosing information clearer for you.
What else you need to do depends on whether or not you’re a data controller. A data controller is a person or organisation that decides how and why personal data is used.
You’re likely to be a data controller if you run your own business, such as a GP or private practice.
In some parts of the UK, you may be sole data controller and in others a joint controller with your contracting authority. For example in Scotland all GPs are joint data controllers with their contracting health boards.
If you are a data controller, as with the DPA, you need to understand and meet your legal obligations under the GDPR. The Information Commissioner’s Office has a range of resources to help you understand your obligations. If you work in a managed organisation (such as a hospital) you’re unlikely to be a data controller in your own right. You will need to follow the information governance policies and processes where you work.
Confidentiality – what you need to know
Here are three things you need to know about the amended guidance:
- There are no fundamental changes to the guidance. The way you use and share patient information doesn’t need to significantly change. We have reviewed our guidance to make sure it is consistent with GDPR and we’ll also be updating the legal annex.
- The definition of consent in the guidance has not changed. Our guidance already met the high standard set out in the GDPR. You can also still rely on implied consent to share information when the conditions in the guidance are met. This is explained in the legal annex – see page 56 of our guidance.
- It might not be appropriate to seek consent to disclose information in the public interest. The guidance has been amended to make it clear that it would be unfair and misleading to ask for consent if the patient has no real choice in the matter. So you shouldn’t ask for consent if you’ve already decided that disclosing personal information is justified in the public interest. However, if you intend to disclose information in the public interest, you should still tell patients, unless it is not safe or practicable to do so. You should consider any objections the patient makes, but you may still need to share the information.
It’s not within our remit to advise doctors on data protection law, but other organisations have some really helpful information on this, including the Information Commissioner’s Office, the BMA and the Information Governance Alliance.
Our updated Confidentiality guidance is available to view now. It will come into effect on 25 May at the same time as the GDPR.
What does this mean for sharing images and recordings?
Making and using visual and audio recordings of patients provides detailed guidance on how the principles in Consent and Confidentiality apply where doctors make recordings of patients. We are checking that this guidance is consistent with the GDPR but we are not expecting any significant changes. We’ll update you on this by 25 May.
A key point to remember is that sharing images and recordings is a lot more straightforward if you keep the information anonymised. The guidance states ‘You may disclose anonymised or coded recordings for use in research, teaching or training, or other healthcare-related purposes without consent. In deciding whether a recording is anonymised, you should bear in mind that apparently insignificant details may still be capable of identifying the patient’.
What happens if I breach the GDPR?
If you are a data controller, understanding your responsibilities under the GDPR may seem daunting. But it’s important to remember that many of the fundamental principles remain the same. As now, you should demonstrate that you have the right systems and thinking in place.
If an individual or organisation breaches data protection law, the Information Commissioner’s Office (ICO) can take action. But this doesn’t mean they will in every case.
We only take action if a doctor has made a serious or persistent breach of our guidance, including Good medical practice and Confidentiality, which puts patients at risk or harms the public’s trust in the profession.
The ICO have produced a series of myth busting blogs which you may find helpful to understand how they take a proportionate approach to any breaches.
Where can I find more information?
Other organisations have a range of useful resources to help you understand your responsibilities under the GDPR.
- The Information Commissioner’s Office (ICO) – includes guidance for data controllers, including ‘12 steps to take now’ and a GDPR checklist. They also provide resources designed specifically for the health sector.
- The BMA has created a guide for GPs on their responsibilities under GDPR.
- The Information Governance Alliance (England) is developing detailed guidance on GDPR for health and social care organisations.
- Your medical defence organisation will have learning materials.
I hope you’ve found this update helpful – if you do have any questions in the meantime, please let us know by commenting below on the blog.
Hello
Please, may I clarify the GMC’s stand on transparency and the use of personal data?
Am I right to assume that registered professionals’ data are accessible by other organisations from the GMC, for example, pharmaceutical companies?
If so, the GDPR would imply that “selling” such without implicit consent is illegal.
I have not received any information stating what information you are allowed to collect or distribute or share this information
The use of such data is not for the performance of public task or for the purpose of occupational medicine or provision of health/social care.
I have also not been notified of personal exemptions or privacy notice
Thank you
Hi Ignatius, thanks for getting in touch.
Organisations can access data from the medical register, either online or by downloading it. Medical staffing officers use this facility to add the latest registration data to their personnel systems. Information they can download is exactly the same as the information on the medical register. And neither the register nor the download service includes doctors’ contact details.
When a company subscribes to download the medical register, they sign a legal agreement with us. It says that they’re not allowed to republish the data without our permission and it isn’t allowed to be used for marketing purposes. If we or any individuals are concerned about the information being misused, we’ll investigate this and may take away the subscription. Any income derived from the download service is used to offset the cost of its maintenance.
Making the medical register publicly available is necessary so we can perform our public tasks. The register includes the type of registration a doctor holds, their training and other useful information such as their primary medical qualification. As we have a legal duty to maintain and publish a register of doctors, consent isn’t required.
Separate from the medical register, we hold doctors’ contact details to make sure we can inform them of their registration, annual retention fee and other information relevant to their role. This is not available on our website or in the download service.
We handle personal information with the utmost care and we’re committed to keeping your information secure. We’re accredited to the international information security standard ISO27001 https://www.iso.org/isoiec-27001-information-security.html and protect our IT systems in line with industry standards and good practice.
I would be grateful for clarification as we have had an update from the government department, Dept for Communities NI, DfC, and this is asking for practice outside the normal expectations of seeking consent. I expect to encounter some questions from our staff and client’s GP over this so want to be sure of my grounding.
We provide medical assessments for clients’ benefits claims with the DfC and would request information from GPs and other medical professionals. As part of the claim form there is currently a section specifically requesting consent to approach medical professionals for information to help in making the decision. Admin officers, Decision Makers, will themselves write to medical professionals, usually GPs, for information. They will ask our doctors to directly contact GPs or other medical professionals if help is needed in making the decision.
I have been sent an update from the DfC about disclosing patient information and GDPR stating ‘it removes the need for benefit branches to obtain consent before approaching 3rd parties for information that is required to process a claim.’
I have reviewed the GMC document – ‘Confidentiality: good practice in handling patient information’ and particularly the section ‘Using and disclosing patient information for secondary purposes’ 77-116.
115. Third parties, such as a patient’s insurer or employer, or a government department, or an agency assessing a claimant’s entitlement to benefits, may ask you for personal information about a patient, either following an examination or from existing records. In these cases, you should:
a. be satisfied that the patient has sufficient information about the scope, purpose and likely consequences of the examination and disclosure, and the fact that relevant information cannot be concealed or withheld
b. obtain or have seen written consent to the disclosure from the patient or a person properly authorised to act on the patient’s behalf. You may accept an assurance from an officer of a government department or agency, or a registered health professional acting on their behalf, that the patient or a person properly authorised to act on their behalf has consented
The recent update tells us that consent is no longer required to be actively sought as it is not ‘freely given’ and legislation enables this information to be sought directly.
The GMC guidance is still advising that consent be obtained and this is the standard I expect medical professionals will follow.
116. If a patient refuses or withdraws consent, or if it is not practicable to get their consent, you may still disclose information if it can be justified in the public interest (see paragraphs 63 – 70). You must disclose information if it is required by law (see paragraphs 87 – 94).
88. You must disclose information if it is required by law. You should:
a. satisfy yourself that personal information is needed, and the disclosure is required by law
b. only disclose information relevant to the request, and only in the way required by the law
c. tell patients about such disclosures whenever practicable, unless it would undermine the purpose of the disclosure to do so
d. abide by patient objections where there is provision to do so. [32]
The end note (32) applies in England and Scotland but not in NI.
This use of the GDPR regulations is likely beyond what practitioners and patients realised. I would be grateful for guidance on the way forward and whether it is permissible, though certainly not best practice, to go ahead with seeking medical information of claimants without specific consent.
Very many thanks for your time and advice
Hi Catherine,
Thank you for your comment. To best answer your query, we would ask if you could please email this across to our Standards team via standards@gmc-uk.org along with your preferred contact details and the team would be more than happy to provide you with a detailed answer and any further assistance you might require. If you do require any help in the interim however please do let us know.