top of page

New data protection regulations for healthcare organisations

In May this year there will be new data protection regulations – the EU General Data Protection Regulation (GDPR) – law in the UK from 25 May – and the new Data Protection Act 2018 (DPA 18). Post Brexit, it is expected that DPA 18 will provide a data protection regime equivalent to GDPR.

The regulations apply to businesses and organisations who process or control personal data. That means the NHS and includes general practices and dental practices. A redesigned IG Toolkit is expected in April 2018 and should include the requirements of GDPR and DPA 18.

Data protection

Main changes

The key changes under GDPR were set out in a news item issued by NHS Employers as follows:

  • organisations will have to show how they've complied with the new law

  • penalties will be significantly increased for any breach of the regulation - not just data breaches

  • security breach notifications will be a legal requirement - to be notified within 72 hours

  • charges will be removed in most cases for provision of records to patients or staff who request them

  • trusts will be required to keep records of data processing activities

  • high risk processing will require a data protection impact assessment

  • data protection issues must be addressed in all information processes

  • there will be specific requirements for transparency and fair processing

  • there will be much tighter rules where consent is the basis for processing.

An action plan

Under GDPR, organisations must be able to demonstrate compliance. Some of the requirements to do so should be established good practice. However, health organisations are advised to develop an action plan to achieve demonstrable compliance.

The plan could include:

  • Appointment of a data protection officer whose job description meets GDPR requirements

  • Reviewing and revising evidence used for the IG Toolkit

  • Revising information governance policies, including on the introduction of new processes

  • Awareness raising among staff and managers

  • Identify the legal basis for each use of personal data

  • Update your communication materials to ensure people are properly informed of the use of their personal information and their rights to comply with GDPR transparency requirement

  • Revise your subject access procedures as GDPR removes the requirement to pay a fee in most cases and the time comply is one month instead of 40 days

  • Review your policy on notification of data protection breaches because GDPR extends the scope of the IG Incident Reporting Tool beyond NHS patient data

The Information Governance Alliance (IGA) has issued a useful briefing note on changes to data protection legislation, available via the NHS Digital website. It is has published other guidance and will be producing more which can be accessed here.

Amanda Atkin

Help is available

Complying with these new data protection regulations may seem daunting and potentially time-consuming. I can help you – my expertise is in compliance at all levels within healthcare organisations. Email me to discuss your requirements mandy.atkin@sky.com

Featured Posts
Recent Posts
Archive
Search By Tags
Follow Me
  • LinkedIn Social Icon
  • Twitter Basic Square
bottom of page