What is GDPR
GDPR stands for General Data Protection Regulation and is a new piece of legislation that supersedes the Data Protection Act 1998. It does not only apply to the UK and EU; it covers anywhere in the world in which personal data about people in the EU is processed.
The GDPR is similar to the Data Protection Act (DPA) 1998 (which the practice already complies with), but strengthens many of the DPA’s principles. The main changes are:
- Practices must respond to subject access requests within one month and, in most cases, free of charge
- Where we need your consent to process data, this consent must be freely given, specific, informed and unambiguous
- There are new, special protections for health data, which the GDPR treats as a "special category" of personal data
- The Information Commissioner’s Office must be notified within 72 hours of the practice becoming aware of a personal data breach that is likely to put individuals at risk
- Higher fines for breaches of the regulation – up to 20 million euros or 4% of annual worldwide turnover, whichever is higher
The General Data Protection Regulation (GDPR) is a new law that determines how your personal data is processed and kept safe, and the legal rights that you have in relation to your own data. The regulation applies from 25 May 2018 and will continue to apply after the UK leaves the EU.
What GDPR will mean for patients
The GDPR sets out the key principles for processing personal data, whether about staff or patients:
- Data must be processed lawfully, fairly and transparently
- It must be collected for specific, explicit and legitimate purposes
- It must be limited to what is necessary for the purposes for which it is processed
- Information must be accurate and kept up to date
- Data must be held securely
- It can only be retained for as long as is necessary for the reasons it was collected
There are also stronger rights for patients regarding the information that practices hold about them. These include the right to:
- Be informed about how their data is used
- Access their own data
- Have incorrect information corrected
- Restrict how their data is used
- Move their patient data from one health organisation to another
- Object to their patient information being processed (in certain circumstances)
What is 'patient data'?
Patient data is information that relates to an identifiable individual, such as their name, age, diagnosis, previous medical history and so on.
What is consent?
Consent is permission from a patient. The GDPR defines an individual’s consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
Where consent is the basis on which we use your data, the GDPR means that consent must be explicit: a clear, positive action on your part, not silence or a pre-ticked box. This is to protect your right to privacy, and we may ask you to provide consent to do certain things, like contact you or record certain information about you for your clinical records.
Individuals also have the right to withdraw their consent at any time.
Who to contact regarding Data Protection matters
The Forest Practice 121 Woodgrange Road Forest Gate London E7 0EP
Your doctor, nurse or any other health and social care professional needs to keep records on their interactions with you. The records may be written or held on computer systems and will include:
- Your basic details, such as address and next of kin contacts
- Details about the treatment, care and support that you need and receive
- Results of investigations, such as x-rays and laboratory tests
- Relevant information from other health and social care professionals, relatives or those who care for you and know you well.
How Your Information Is Used
Your information helps us to manage the care you receive to make sure that:
- Everyone involved in your care has accurate and up-to-date information to assess your needs and provide support
- Full information is available should you need to see another doctor or be referred to a specialist
- There is information to help us decide if you’re receiving the right type of care and support
- Your concerns can be fully investigated if you need to complain.
Please let us know if any of your information changes, particularly if you move house. We can then make sure all correspondence is sent to the right address.
Why Do We Hold This Information?
- To look after the health of individuals
- To support the management and financing of the care provided
- To prepare statistics on performance and review and plan services
- To train and teach health and social care professionals
- To audit our accounts and services
- To investigate complaints, legal claims or untoward incidents
- To conduct research and development.
How Do We Keep Your Information Confidential?
Our promise to you is that we hold your information in strict confidence.
Everyone involved in your care has a legal duty to keep information about you confidential and access to it is strictly controlled. We will make sure that your right to confidentiality is upheld unless we have a legal duty to release information or we have obtained your consent to do so.
We will pass on information about your health, diagnosis and treatment to other NHS services. We may also pass on information to other individuals or organisations involved in your care, including Social Services, to help in arranging care for you following treatment in hospital. We only pass on information about you if there is a genuine need to know, and anyone who receives the information is also under a legal duty to maintain confidentiality.
We will not give out your information to third parties except under exceptional circumstances, such as when the health and safety of others is at risk or where the law requires us to do so, for example infectious diseases (e.g. measles or meningitis, but not HIV/AIDS).
Access to Your Records
The Data Protection Act 1998 and, from 25 May 2018, the GDPR allow you to find out what information we hold about you. You can request informal access to your records by speaking to the professional staff involved in your care. If you think some of the information in your records is inaccurate you are entitled by law to ask for it to be corrected.
In special circumstances the law allows us not to show you your information if we consider that doing so would be likely to cause serious harm to your, or another person’s, physical or mental health. For formal access to your records you must make a request in writing to the contact above. Please note that under the provisions of the Data Protection Act 1998 you may be charged to access your records, with an overall limit of £50 where copies are provided; from 25 May 2018, under the GDPR, copies are provided free of charge unless a request is manifestly unfounded or excessive.
Your Right To Withdraw Consent For Us To Share Your Personal Information
You have the right to restrict how and with whom we share the personal information in your records that identifies you. This must be noted explicitly within your records so that all healthcare professionals and staff treating and involved with you are aware of your decision. Please be aware that choosing this option may make the provision of treatment or care more difficult or, in some cases, unavailable. You can change your mind at any time about a disclosure decision.