GENERAL DATA PROTECTION REGULATION

Transcription

1 GENERAL DATA PROTECTION REGULATION (GDPR) What is General Data Protection Regulation (GDPR) What this means for GP Practices Replaces the Data Protection Act 1998 (DPA) Designed to match data privacy laws across Europe Redesigned the way organisations across the region approach data privacy Applies to Data Controllers and Data Processors. Similar to the DPA - the controller says how and why personal data is processed Applies to organisations outside the EU that offer goods or services to individuals in the EU Why is it changing from the Data Protection Act 1998 GDPR comes into force 25 May 2018 The European Union s General Data Protection Regulation (GDPR) represents the biggest change to global privacy laws for over 20 years Many changes involving personal data have occurred since the Act was first introduced. Internet and Social Media now play a major part in society. Patients can now book their GP appointments via the internet and medical records can also be retrieved electronically - all of which were not as readily available in 1998 as they are now. Whilst the GDPR is still based on the same data protection principles as before, it introduces new rights for data subject Potential fines of up to 20 million Euros or 4% of annual turnover Brexit will not affect the commencement of GDPR No charge for copies of patient records Patients can now have their medical records amended if information about them is incorrect Patients will have more say on how their information is used and shared Consent how you seek, record and manage it

2 Information Commissioner s Office 12 Steps to GDPR 1. Awareness You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have. 2. Information you hold You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit 3. Communicating privacy information You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation. 4. Individuals rights You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format. 5. Subject access requests You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information. 6. Lawful basis for processing personal data You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it. 7. Consent You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don t meet the GDPR standard. 8. Children You should start thinking now about whether you need to put systems in place to verify individuals ages and to obtain parental or guardian consent for any data processing activity. 9. Data breaches You should make sure you have the right procedures in place to detect, report and investigate a personal data breach. 10. Data Protection by Design and Data Protection Impact Assessments You should familiarise yourself now with the ICO s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation. 11. Data Protection Officers You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer. 12. International If your organisation operates in more than one EU member state (ie you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.

3 Department of Health: Your Data Better Security, Better Choice, Better Care July 2017 Government response to the National Data Guardian for Health and Care s review of Data Security, Consent and optouts and the Care Quality Commission s review Safe Data, Safe care Link to document The Department of Health and its partners have made the following commitments to ensure the health and social care system in England realises the full benefits of sharing data in a safe, secure and legal way, and, that complements the existing Caldicott principles. We will protect information through system security and standards: The Government agrees to adopt and promote the 10 data security standards set out in this document, as proposed by the NDG s review. The Government also agrees to adopt the CQC s recommendations on data security. NHS Digital is working with the health and care community to redesign and update the Information Governance Toolkit to support and underpin the new standards. This will take account of the relative needs and expectations of different organisations when considering their data security capability. From September 2017, the CQC s welled inspection framework will include the importance of meeting the data security standards. This will be supported by information from the redesigned Information Governance Toolkit. In summer 2017, NHS Improvement will publish a new statement of requirements which will clarify required action for local organisations. Chief Executive Officers must respond to this with an annual statement of resilience, confirming essential action to ensure that standards are being implemented. This will include the requirement for each organisation to have a named executive Board member responsible for data and cyber security. To support implementation, we will take a targeted approach to communications and engagement for leaders and staff across the health and social care system, including with the primary care community, supported by guidance and a new staff training package. NHS Digital will build on its suite of advice and support services, called CareCERT, which forms part of the Data Security Centre, to support health and care organisations prepare their own resilience to cyber security threats, and to respond effectively and safely when they occur. We will boost investment in data and cyber security above the 50 million identified in the Spending Review to address key structural weaknesses, such as unsupported systems. We will target an initial 21 million of capital funding to increase the cyber resilience of major trauma sites as an immediate priority, and improve NHS Digital s national monitoring and response capabilities. Continued.....

4 NHS Digital will support the new data security standards and signpost health and care organisations to tools to identify potential vulnerabilities through the redesigned Information Governance Toolkit and the associated CareCERT suite of services. It will also help to identify organisations in need of additional support. We will work with a range of health and care organisations to assess whether other assurance frameworks such as Cyber Essentials Plus and ISO27001 meet their particular needs and through the Information Governance Toolkit to implement the data security standards. The NHS Standard Contract 2017/18 requires organisations to implement the NDG review recommendations on data security. We will enable informed individual choice on opt-outs: We will support people to make informed choices about how their information is used and protected in the health and social care system. We will reinforce the importance of sharing information securely and appropriately for wider purposes, such as advancing medical science and protecting vulnerable people. By December 2018, people will be able to access a digital service to help them understand who has accessed their summary care record. By March 2020, people will be able to use online services to see how their personal confidential data collected by NHS Digital has been used for purposes other than their direct care. NHS Digital will develop and implement a mechanism to de-identify data on collection from GP practices by September The National Information Board (NIB) will continue to focus on how to build greater public trust in data sharing for health and social care. We will give people the choice to opt out of sharing their data beyond their direct care, which will be applied across the health and social care system. In moving to the national opt-out, we will honour existing type 1 opt-outs until 2020 and consult with the NDG before confirming their removal. We will apply meaningful sanctions against criminal and reckless behaviour: We will implement the UK data protection legislation in May 2018 (GDPR), which will provide a framework to protect personal data and will also impose more severe penalties for data breaches and reckless or deliberate misuse of information. We will protect the public interest by ensuring legal best practice and oversight: We will put the National Data Guardian role and functions on a statutory footing. The Information Governance Alliance (IGA) will publish anonymisation guidance based on the Information Commissioner s Office (ICO) Code of Practice on Anonymisation in We will clarify the legal framework by working with the Confidentiality Advisory Group (CAG) to ensure its approvals process under Section 251 of the NHS Act 2006 enables organisations to access the information they need, for example for invoice validation. Interim CQC Inspection approach for NHS GPs to ensure they are implementing the 10 Data Security Standards from November 2017, with full roll out from April Further information can be found in the document.

5 GP GDPR Support To help you start with obtaining GDPR assurance, we have listed below some examples of policies, procedures and key requirements required under GDPR assurance. Information Governance Policy Information Asset Register Confidentiality Policy Data Flow Mapping Data Protection Policy Caldicott Guardian Third Party Confidentiality Policy IG Lead Information Security Procedure / Policy Records Management Procedure / Policy Acceptable Use Procedure / Policy Patient Leaflet How your information is used Mobile Working Procedure / Policy GDPR Action Plan Staff Information Governance Training RA Procedure / Policy Caldicott IG Training Confidentiality Clauses ie, staff contracts Fair Processing Notices Staff Handbook Confidentiality Agreements Information Sharing Agreements Consent Procedure / Policy Safehaven Procedure / Policy Risk Assessment of Physical Security of the premises Incident Management and Reporting Procedure / Policy Subject Access Procedure / Policy IG Audits Business Continuity Procedure / Policy Staff Induction procedure / policy In order to assist NHS England, the Essex CCG IG Team would like to find out what help you would require with implementing the General Data Protection Regulation (GDPR) Assurance? If we could provide you with any templates, what would you like to be made available? Would you find a workshop on GDPR useful? A slot at the Practice Managers meetings? A bi-monthly GDPR GP Newsletter, to keep you updated? Any other support? Please us at: EssexCCG.IG@nhs.net or call if you would like any support with GDPR.