GDPR in the health and social care sector

The Data Protection Bill was introduced in the House of Lords in September. The Information Commissioners Office (ICO) has recently outlined the subject matters of the guidance which it will publish this year and in early 2018.

It is a useful time to highlight some of the key changes resulting from the General Data Protection Regulation (GDPR) for those operating in the health and social care sector in a series of briefings.

We anticipate that throughout the course of the countdown to GDPR, concerns will mature and multiply. We can help you to identify the areas of your operations which require consideration and modification in the run up to the GDPR taking effect on 25 May 2018.

GDPR principles

The principles contained within the Data Protection Act 1998 (DPA) and the GDPR are broadly the same, albeit detail concerning data subject rights and transfer of personal data overseas can be found elsewhere within the GDPR.

Article 5 GDPR contains the principles and requires that personal data shall be:

• Processed lawfully, fairly and in a transparent manner in relation to individuals.
• Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
• Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
• Accurate and, where necessary, kept up-to-date. Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, is erased or rectified without delay.
• Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to the implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.
• Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Article 5(2) states that the controller shall be responsible for, and be able to demonstrate, compliance with the principles. This is a new requirement and is arguably the most significant addition to the relevant principles.

There are references within the GDPR to adhering to Codes of Conduct and certification schemes. However, we do not yet have details of these.

How can I demonstrate compliance?

The Information Commissioner Office’s guidance note states that you must:

• Implement appropriate technical and organisational measures that ensure and demonstrate that you comply. This may include internal data protection policies such as staff training, internal audits and processing activities, and reviews of internal HR policies
• Maintain relevant documentation on processing activities

Organisations of 250 employees or more will also have an obligation to maintain internal records of processing activities, as well as compiling comprehensive policies. Those with fewer than 250 employees will have an obligation to document activities concerning high-risk processing.

• Where appropriate, appoint a data protection officer
• Implement measures that meet the principles of data protection by design and data protection by default
• Use data impact assessments where necessary

The position is somewhat fluid and of course, many aspects of the new regime will be the subject of guidance in the coming months.

Having considered the GDPR in light of the business activities of our clients we have identified the following areas as those where some thought will be required:

• Processing conditions, privacy notices and contracts
• Security arrangements
• Rights of data subjects
• Responding to subject access requests (SARs)
• Role and responsibilities of data protection officers
• Breach and enforcement action

Further introductory guidance can be found here:

• Overview of the GDPR from the ICO — this is a living document and is revised and updated regularly
• Data Protection Bill Fact Sheet, produced by Department for Digital, Culture, Media and Sport