The General Data Protection Regulation (GDPR) is a new EU regulation and, as such, will have a direct effect in all EU countries, including Ireland.
The GDPR has been written to reflect the increasingly digital climate in which organisations now operate. It aims to enhance the current data protection rules by introducing a number of additional data protection obligations on organisations, increasing rights for individuals and allowing them greater control over their own personal data.
The GDPR will apply to all individuals and organisations that have day-to-day responsibilities for data protection. All doctors should consider, therefore, how the GDPR will impact on their practice.
The Data Protection Commissioner (DPC) has published guidance titled <em>The GDPR and You</em>. This sets out the key changes, although it is by no means an exhaustive document.
The DPC has also launched a GDPR-specific website with guidance for both individuals and organisations, raising awareness of their respective enhanced rights and responsibilities under the GDPR.
The GDPR introduces the principle of accountability and makes this mandatory. In short, as well as ensuring GDPR compliance, organisations must now be able to demonstrate this compliance. Organisations must maintain accurate records of all their data processing activities, including the purpose for collecting and holding personal data, how it was obtained, how long it will be retained, the security measures in place, and how and why data may be shared with third parties.
It will also be important to document all advice provided by the Data Protection Officer (DPO) and any risk assessments undertaken.
All staff should be aware of their individual responsibilities and it is important to keep a log of staff training.
<h3 class="subheadMIstyles">Lawful basis for processing personal data</h3>
Organisations need to identify their lawful basis for processing patients’ personal data (such as their name, address and date of birth). There are six lawful bases, which include patient consent; processing is necessary for the performance of a contract or provision of a service; processing is in the organisation’s legitimate interests, except where such interests are overridden by the interests or fundamental rights and freedoms of the patient; and processing is necessary in the vital interests of the data subject.
Under the GDPR, certain ‘special categories of personal data’ — including data concerning health — cannot be processed (eg, collected, stored, used, disclosed or destroyed), unless one of 10 conditions is met. Organisations therefore need to establish this special category condition and ensure this, and the legal basis for processing personal data, is communicated to patients. The most relevant conditions are patient consent; and that processing is necessary for the purpose of preventative or occupational medicine, medical diagnosis or the provision of healthcare or treatment that is done by, or under the responsibility of, a professional who is subject to an obligation of professional secrecy.
<h3 class="subheadMIstyles">Consent</h3>
The GDPR sets a very high standard for consent in relation to the processing of personal data. If organisations are relying on consent as a lawful basis for processing personal data, they must ensure that it is freely given, specific and informed. It should constitute an unambiguous indication of the patient’s wishes, by a clear affirmative action to the processing of his/her data. Pre-ticked boxes will not count as consent and there must be a positive opt-in process, separate from other terms and conditions. Organisations will be obliged to demonstrate that the patient has given their consent. There must be an easy way for a patient to withdraw their consent.
<h3 class="subheadMIstyles">Transparency and fair processing</h3>
As has always been the case under data protection legislation, organisations have an obligation to inform patients what they are doing with their data. However, the GDPR will bring in more detailed and specific rules on providing such privacy information.
Privacy notices should be used to inform patients at the time of collecting their data. A variety of communication methods could be used, such as posters, leaflets, letters and information on the organisation’s website.
The GDPR places emphasis on the importance of privacy notices being easily accessible to patients, including children and vulnerable adults. Information within such notices should be concise, truthful and written in clear, straightforward language. If your organisation has non-English-speaking patients, then privacy notices should also be translated into other languages, as necessary.
The following information must be provided to patients within privacy notices:
<p class="listBULLETLISTTEXTMIstyles">The data controller’s identity.</p>
<p class="listBULLETLISTTEXTMIstyles">The Data Protection Officer’s contact details.</p>
<p class="listBULLETLISTTEXTMIstyles">The purpose of the processing.</p>
<p class="listBULLETLISTTEXTMIstyles">The lawful basis for processing.</p>
<p class="listBULLETLISTTEXTMIstyles">The categories of personal data processed.</p>
<p class="listBULLETLISTTEXTMIstyles">The potential recipients of personal data.</p>
<p class="listBULLETLISTTEXTMIstyles">How long the data will be retained.</p>
<p class="listBULLETLISTTEXTMIstyles">The security measures in place to protect their data.</p>
<p class="listBULLETLISTTEXTMIstyles">A list of the data subject’s rights.</p>
<p class="listBULLETLISTTEXTMIstyles">Any safeguards that will be used if data is to be transferred to a country outside the EU.</p>
In addition, patients must be informed that they can complain to the DPC if they believe there is a problem with how their data is being handled.
<h3 class="subheadMIstyles">Subject access requests</h3>
The time scale for compliance with a patient’s subject access request will be reduced from 40 days to one month. Organisations will no longer be able to charge for the provision of copies of records, unless the request is ‘manifestly excessive or unfounded’ or is repetitive in nature. In these exceptional circumstances, organisations may charge a ‘reasonable fee’ based on administrative costs. If organisations refuse a subject access request, they must tell the patient why they have done that and inform them they have a right to make a complaint to the DPC.
If a subject access request is made electronically, or if the patient requests it, the information should be provided to the patient in a commonly used electronic format.
The DPC advises that if an organisation handles a large number of subject access requests, the impact of the change could be considerable. Organisations may wish to consider whether it is possible to develop a self-service system that allows an individual to have remote access to their information.
<h3 class="subheadMIstyles">Data breaches</h3>
In the event of a data breach affecting a patient’s privacy rights (for example, a breach of confidentiality), data controllers will be required to notify the DPC ‘without undue delay’, and where feasible, no later than 72 hours after becoming aware of the breach. Organisations will also have to notify the patient of the breach if it is likely to result in a high risk to their privacy rights. This is in addition to the duty of candour to inform patients of such breaches, outlined in paragraph 67 of the Medical Council’s <em>Ethical Guide</em>.
The DPC will have the discretion and power to impose higher fines for data breaches, as well as for any other infringement of the GDPR.
Data Protection Impact Assessments (DPIAs) are recommended as a way of assessing the level of protection in place to safeguard patients’ personal data. Whilst considered good practice in any case, DPIAs will be legally required where the processing of personal data is likely to involve high risks to the confidentiality of individuals. They are likely to be required when organisations introduce new technology, for example a new computer system or a new system of sharing data.
<h3 class="subheadMIstyles">Data Protection Officer</h3>
Certain organisations will be required to have a DPO, including public bodies and organisations that process special categories of personal data (including health data) on a large scale. The DPC has provided further clarification in this regard.
The DPO should have expert knowledge of data protection and their role will include advising on and monitoring compliance with the GDPR, providing advice regarding DPIAs and acting as an intermediary for patients and also the DPC.
<h3 class="subheadMIstyles">Patients’ rights</h3>
Individuals will be given stronger rights under the GDPR, including the right to rectification, the right to erasure, the right to object to processing, the right to restrict processing and the right to data portability. These rights are complex and not absolute. Organisations should ensure that they understand when they apply and have a process in place to deal with them, should patients wish to exercise them.
<h3 class="subheadMIstyles">Where to obtain further information</h3>
The DPC’s GDPR-specific website has a number of resources that you may find helpful. It is likely that over the coming weeks, there may be further clarification of the legislation and you should check this website regularly. The DPC has produced a checklist for organisations to prepare for the GDPR, available under the ‘Resources’ heading of this website.
Healthcare professionals can also contact their medical defence organisation if they have any concerns.