Suffolk LMC blog
We’re all doomed, if you believe the scaremongers: new fines under GDPR are enough to obliterate any UK general practice from the financial landscape, up to 20 million Euros, yes that’s twenty, pause, million, pause, euros, or roughly £17M if you’re not counting the pennies. These sums are more than enough to grab anyone’s attention and will likely scare the s***e out of any NHS contract holding GP, but a reality check reveals a somewhat less threatening picture.
May 25th is fast approaching. Practices are worrying about what to do. So, in no particular order here is my “Things to do list”. Use it to make a plan or set a timetable.
- Get someone to read the BMA, ICO and IGA guidance on GDPR; if you’re already reading this blog, it might as well be you.
- Agree amongst the signatories to your NHS contract, usually the partner GPs, i.e. the organisation’s Data Controllers, to:
  - Decide whether you need a DPO. If you are an NHS contract holding practice you must have one. See Blog 3.
  - Designate your DPO.
  - Find your DPO time, a desk and a workstation.
- Make sure your DPO is up to speed with guidance from this blog and the BMA, ICO, IGA and others.
- Get your DPO to assist with:
  - Ensuring that the practice’s contract holders (the DCs) are aware of their new responsibilities.
  - Drawing up a plan to reach 100% compliance with GDPR by a reasonable date, for instance by 1/11/18.
- Arrange meetings with partners, salaried doctors, nurses, PAMs and all your staff to set out the broad changes of GDPR.
- Ensure that your CCG Practice IT agreement is signed.
- Review what data processing you do within your practice.
- Review what data processing is done on your behalf by external processors, and what data they use to do this.
- Check with your CCG what local data extractions your practice is involved in.
- Create and publish any necessary Privacy Notices (see template PNs in this Dropbox, with others to follow).
- Create and have available your Data Processing Register (arriving soon in this Dropbox).
- Check with any other non-NHS bodies, such as researchers or institutions, that you have suitable contracts and consents in place.
- Check that you are collecting consent for non-direct care communications with your patients. See Blog 5.
- Revise your SAR handling arrangements to meet the new options and deadlines. See Blog 7.
- Revise your data breach detection and reporting arrangements (coming soon to the Dropbox).
- Set up a programme of GDPR training for your staff.
Dr Paul Cundy
What’s different about Subject Access Requests (SARs)?
The fundamental has not changed: it’s their data, and they must have access to it. So, whilst there might seem to be many reasons (excuses?) for not giving up their data set out in this blog, the default assumption remains that patients have a right to see their records, and as DCs we must provide them access to it.
How to use this Dropbox
Welcome to my first Dropbox!
So here it is. If you’re reading this you’ll be aware of what GDPR is and why 25th May is important. You’ll know that despite all of us having known since April 2016 that GDPR was on its way, nothing has happened until the last minute; well, you are a GP, so situation normal. To be fair, one of the problems is that GDPR cannot stand alone and the necessary derogations in UK specific legislation haven’t yet been finalised, so to an extent we are all fumbling around in the dark. Well, if you’re going to fumble about in the dark you’d best be doing it with a GP. So whilst there has been quite a lot of stuff produced on GDPR, very little has been specifically for GPs, and quite a lot of what has, has not necessarily been aimed at the jobbing GP or their support staff; neither has any of it been written with my advantage of arriving late to the party: being able to answer the queries the front runners missed, mopping up the stragglers.
If you’ve read blogs 1 – 5 and cast around the GDPR Dropbox you’ll have come across the terms “lawfulness” and “legal justifications” and “Articles 6 & 9”. These are all references to Articles 6 and 9 of the original full text of the;
As mentioned in Blog 4, texts and e-mails need to be considered in their own right.
There are two laws that apply, GDPR Article 22 and the Privacy and Electronic Communications Regulations (PECR), full title: The Privacy and Electronic Communications (EC Directive) Regulations 2003, and as usual derived from European law. These were drawn up to deal with spam e-mails and texts, but unfortunately their definition of “marketing” overlaps with some things we GPs do.
I mentioned in previous blogs the underlying ethos behind GDPR, the need to update and tighten up the protection of individuals’ data in the modern world; how GDPR could be thought of as a strengthening of the trusty but world weary and technologically eclipsed Data Protection Act. Well, “Privacy Notices” (PNs) are an integral part of that upgrade. Under the old DPA, DSs (Data Subjects) were expected to be informed about the processing that was being done to their data, but it was a good practice thing and there was no definition of what “fair informing” actually meant; it was all a bit woolly. Under GDPR a central plank of the transparency and no surprises agenda is the right to be informed. It’s up front and prior notification of what you, the DC (Data Controller), are planning to do with your DS’s data. It becomes a strict legal obligation, and the information that you need to provide is prescribed, clearly defined, specified and itemised. There is no question, lack of clarity or debate; it’s all set out in Articles 12, 13 and 14 of GDPR, but this blog is your quick fire concise bottom line synopsis.
So far blogs 1 and 2 have been pretty low brow, gentle entrées before the main course; well, feast your eyes on this. The powers that be advise a blog should be 500 to 600 words; this is a behemoth by comparison, putting DPOs under the spotlight in literally 4KHD (4 thousand words heavy in detail). Written by a GP for GPs.
Blog two of the series!
Having said hello in my first blog, this is a sort of setting the scene post: a bit of background, and an offer of a plan for the next few weeks.
Welcome to my first ever blog!
And what a subject to start with, GDPR, that really racy, exciting, vibrant, energetically enthusing European Data Protection Directive! (The best original-text website I’ve found for looking at the actual words is here: https://gdpr-info.eu/)