Our Standards and Ethics Policy Manager, Kiersty Griffiths talks about changes to data protection regulation and what it means for all doctors.
On 25 May 2018 the EU General Data Protection Regulation (GDPR) replaces the UK’s Data Protection Act 1998 (DPA), and will become part of UK law after we leave the EU.
A lot has changed in the twenty years since the DPA was passed. New technology and social networks make it easier than ever to access, use and share data. This is why it’s important to make sure data protection laws are fit for the age we live in. The GDPR brings everyone up to date, by strengthening and unifying data protection for all individuals within the European Union (EU).
We recognise you may feel nervous about the GDPR and what it means for your day to day work. While there will be some changes to the way we all handle personal data, the GDPR builds on foundations which we have all been following for the last 20 years.
What you need to do
Firstly you should follow our Confidentiality guidance to be confident that you’re meeting our expectations of doctors’ conduct when sharing patient information. There won’t be any fundamental changes to the guidance. But we’re making the principles around disclosing information clearer for you.
What else you need to do depends on whether or not you’re a data controller. A data controller is a person or organisation that decides how and why personal data is used.
You’re likely to be a data controller if you run your own business, such as a GP or private practice.
In some parts of the UK, you may be sole data controller and in others a joint controller with your contracting authority. For example in Scotland all GPs are joint data controllers with their contracting health boards.
If you are a data controller, as with DPA, you need to understand and meet your legal obligations under the GDPR. The Information Commissioner’s Office has a range of resources to help you understand your obligations. If you work in a managed organisation (such as a hospital) you’re unlikely to be a data controller in your own right. You will need to follow the information governance policies and processes where you work.
Confidentiality – what you need to know
Here are three things you need to know about the amended guidance:
- There are no fundamental changes to the guidance. The way you use and share patient information doesn’t need to significantly change. We have reviewed our guidance to make sure it is consistent with GDPR and we’ll also be updating the legal annex.
- The definition of consent in the guidance has not changed. Our guidance already met the high standard set out in the GDPR. You can also still rely on implied consent to share information when the conditions in the guidance are met. This is explained in the legal annex – see page 56 of our guidance.
- It might not be appropriate to seek consent to disclose information in the public interest. The guidance has been amended to make it clear that it would be unfair and misleading to ask for consent if the patient has no real choice in the matter. So you shouldn’t ask for consent if you’ve already decided that disclosing personal information is justified in the public interest. However, if you intend to disclose information in the public interest, you should still tell patients, unless it is not safe or practicable to do so. You should consider any objections the patient makes, but you may still need to share the information.
It’s not within our remit to advise doctors on data protection law, but other organisations have some really helpful information on this, including the Information Commissioner’s Office, the BMA and the Information Governance Alliance.
Our updated Confidentiality guidance is available to view now. It will come into effect on 25 May at the same time as the GDPR.
What does this mean for sharing images and recordings?
Making and using visual and audio recordings of patients provides detailed guidance on how the principles in Consent and Confidentiality apply where doctors make recordings of patients. We are checking that this guidance is consistent with the GDPR but we are not expecting any significant changes. We’ll update you on this by 25 May.
A key point to remember is that sharing images and recordings is a lot more straightforward if you keep the information anonymised. The guidance states ‘You may disclose anonymised or coded recordings for use in research, teaching or training, or other healthcare-related purposes without consent. In deciding whether a recording is anonymised, you should bear in mind that apparently insignificant details may still be capable of identifying the patient’.
What happens if I breach the GDPR?
If you are a data controller, understanding your responsibilities under the GDPR may seem daunting. But it’s important to remember that many of the fundamental principles remain the same. As now, you should demonstrate that you have the right systems and thinking in place.
If an individual or organisation breaches data protection law, the Information Commissioner’s Office (ICO) can take action. But this doesn’t mean they will in every case.
We only take action if a doctor has made a serious or persistent breach of our guidance, including Good medical practice and Confidentiality, which puts patients at risk or harms the public’s trust in the profession.
The ICO have produced a series of myth busting blogs which you may find helpful to understand how they take a proportionate approach to any breaches.
Where can I find more information?
Other organisations have a range of useful resources to help you understand your responsibilities under the GDPR.
- The Information Commissioner’s Office (ICO) – includes guidance for data controllers, including ’12 steps to take now’ and a GDPR checklist. They also provide resources designed specifically for the health sector.
- The BMA has created a guide for GPs on their responsibilities under GDPR
- The Information Governance Alliance (England) is developing detailed guidance on GDPR for health and social care organisations.
- Your medical defence organisation will have learning materials.
I hope you’ve found this update helpful – if do you have any questions in the meantime, please let us know by commenting below on the blog.
Hello
Please, may I clarify the GMC’s stand on transparency and the use of personal data
Am I right to assume that registered professionals’ data are accessible by other organisations from the GMC, for example, pharmaceutical companies
If so, the GDPR would imply that “selling ” such without implicit consent in illegal
I have not received any information stating what information you are allowed to collect or distribute or share this information
The use of such data is not for the performance of public task or for the purpose of occupational medicine or provision of health/social care.
I have also not been notified of personal exemptions or privacy notice
Thank you
Hi Ignatius, thanks for getting in touch.
Organisations can access data from the medical register, either online or by downloading it. Medical staffing officers use this facility to add the latest registration data to their personnel systems. Information they can download is exactly the same as the information on the medical register. And neither the register or the download service includes doctors’ contact details.
When a company subscribes to download the medical register, they sign a legal agreement with us. It says that they’re not allowed to republish the data without our permission and it isn’t allowed to be used for marketing purposes. If we or any individuals are concerned about the information being misused, we’ll investigate this and may take away the subscription. Any income derived from the download service is used to offset the cost of its maintenance.
Making the medical register publically available is necessary so we can perform our public tasks. The register includes the type of registration a doctor holds, their training and other useful information such as their primary medical qualification. As we have a legal duty to maintain and publish a register of doctors, consent isn’t required.
Separate from the medical register, we hold doctors’ contact details to make sure we can inform them of their registration, annual retention fee and other information relevant to their role. This is not available on our website or in the download service.
We handle personal information with the utmost care and we’re committed to keeping your information secure. We’re accredited to the international information security standard ISO27001 https://www.iso.org/isoiec-27001-information-security.html and protect our IT systems in line with industry standards and good practice.