Our Standards and Ethics Policy Manager, Kiersty Griffiths, talks about changes to data protection regulation and what they mean for all doctors.

On 25 May 2018 the EU General Data Protection Regulation (GDPR) replaces the UK’s Data Protection Act 1998 (DPA), and will become part of UK law after we leave the EU.

A lot has changed in the twenty years since the DPA was passed. New technology and social networks make it easier than ever to access, use and share data. This is why it’s important to make sure data protection laws are fit for the age we live in. The GDPR brings everyone up to date, by strengthening and unifying data protection for all individuals within the European Union (EU).

We recognise you may feel nervous about the GDPR and what it means for your day to day work. While there will be some changes to the way we all handle personal data, the GDPR builds on foundations which we have all been following for the last 20 years.

What you need to do

Firstly, you should follow our Confidentiality guidance to be confident that you’re meeting our expectations of doctors’ conduct when sharing patient information. There won’t be any fundamental changes to the guidance, but we’re making the principles around disclosing information clearer for you.

What else you need to do depends on whether or not you’re a data controller. A data controller is a person or organisation that decides how and why personal data is used.

You’re likely to be a data controller if you run your own business, such as a GP or private practice.

In some parts of the UK, you may be sole data controller and in others a joint controller with your contracting authority. For example in Scotland all GPs are joint data controllers with their contracting health boards.

If you are a data controller, as with the DPA, you need to understand and meet your legal obligations under the GDPR. The Information Commissioner’s Office has a range of resources to help you understand your obligations. If you work in a managed organisation (such as a hospital) you’re unlikely to be a data controller in your own right; you will need to follow the information governance policies and processes where you work.

Confidentiality – what you need to know

Here are three things you need to know about the amended guidance:

  • There are no fundamental changes to the guidance. The way you use and share patient information doesn’t need to significantly change. We have reviewed our guidance to make sure it is consistent with GDPR and we’ll also be updating the legal annex.
  • The definition of consent in the guidance has not changed. Our guidance already met the high standard set out in the GDPR. You can also still rely on implied consent to share information when the conditions in the guidance are met. This is explained in the legal annex – see page 56 of our guidance.
  • It might not be appropriate to seek consent to disclose information in the public interest. The guidance has been amended to make it clear that it would be unfair and misleading to ask for consent if the patient has no real choice in the matter. So you shouldn’t ask for consent if you’ve already decided that disclosing personal information is justified in the public interest. However, if you intend to disclose information in the public interest, you should still tell patients, unless it is not safe or practicable to do so. You should consider any objections the patient makes, but you may still need to share the information.

It’s not within our remit to advise doctors on data protection law, but other organisations have some really helpful information on this, including the Information Commissioner’s Office, the BMA and the Information Governance Alliance.

Our updated Confidentiality guidance is available to view now. It will come into effect on 25 May at the same time as the GDPR.

What does this mean for sharing images and recordings?

Making and using visual and audio recordings of patients provides detailed guidance on how the principles in Consent and Confidentiality apply where doctors make recordings of patients. We are checking that this guidance is consistent with the GDPR, but we are not expecting any significant changes. We’ll update you on this by 25 May.

A key point to remember is that sharing images and recordings is a lot more straightforward if you keep the information anonymised. The guidance states ‘You may disclose anonymised or coded recordings for use in research, teaching or training, or other healthcare-related purposes without consent. In deciding whether a recording is anonymised, you should bear in mind that apparently insignificant details may still be capable of identifying the patient’.

What happens if I breach the GDPR?

If you are a data controller, understanding your responsibilities under the GDPR may seem daunting. But it’s important to remember that many of the fundamental principles remain the same. As now, you should demonstrate that you have the right systems and thinking in place.

If an individual or organisation breaches data protection law, the Information Commissioner’s Office (ICO) can take action. But this doesn’t mean they will in every case.

We only take action if a doctor has made a serious or persistent breach of our guidance, including Good medical practice and Confidentiality, which puts patients at risk or harms the public’s trust in the profession.

The ICO has produced a series of myth-busting blogs, which you may find helpful in understanding how it takes a proportionate approach to any breaches.

Where can I find more information?

Other organisations have a range of useful resources to help you understand your responsibilities under the GDPR.

I hope you’ve found this update helpful. If you do have any questions in the meantime, please let us know by commenting below on the blog.