The ABC of GDPR

Let’s start with a common misunderstanding: that is to say, GDPR, or to use its full title, the General Data Protection Regulation, is synonymous with ‘consent’ or that it constitutes a set of rules that must be followed. This is incorrect. GDPR is a principle-based system that requires a business to ensure that ‘personal data’ is ‘processed lawfully, held securely, and limited to that which is necessary.’

What is personal data?

The concept of personal data is broad. It is defined as: ‘Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.’

Almost every practice will also hold ‘special categories of personal data,’ which is defined under the regulations as ‘data concerning health.’ An email address, telephone number, or credit card details constitutes ‘personal data,’ whereas information in relation to medication a patient uses would fall under the ‘special category of personal data.’

Processing personal data

‘Processing’ doesn’t have to be active and isn’t restricted to just collecting personal data. By simply holding onto personal information (retaining it) a practice can be said to be processing data. Processing must be lawful, and GDPR gives six ways in which to lawfully process personal data. Consent is merely one of the six ways, and in many instances will not be the most useful. When relying upon patient consent, this must be explicit and informed, and if captured in a written form, must be ‘presented in a manner which is clearly distinguishable from the other matters.’ For example, a practice which relies upon the consent of a patient to collect and retain their contact details must explain to the patient the reason that the information has been collected and how it will be used in the future. A patient can withdraw their consent at any time – for instance, a request not to receive a recall letter must be actioned by the practice.

Processing that is necessary for the purposes of a ‘legitimate interest’ pursued by the practice is far more broad than simple consent and can often be a much more useful means to lawfully process data. There is clearly a legitimate interest to both a practice and a patient to send recall letters or text messages. And unlike consent, the legitimate interest does not necessarily need to be explained directly to the patient in advance. A legitimate interest must be identified though.

How to store data?

Once you have determined what data you have collected and the lawful means by which you are processing it, you will then need to decide on the best way to store the data. Remember GDPR is not a set of rules; therefore, what is reasonable in one large practice that holds computer records may be disproportionate in a smaller independent practice that has paper records. 

GDPR uses technical language such as using a Data Protection Impact Assessment (DPIA) to ‘Implement appropriate technical and organisational measures.’ In simple terms, this actually requires you to have a think. If the practice uses paper records, and there is no-one in reception, how easily could a member of the public get to patients’ personal data? A locked filing cabinet or records room (which you make sure is locked) may be sufficient. Where electronic records are used, your DPIA may have to consider external threats, and the use of appropriate anti-virus software.

The process of ‘pseudonymisation,’ recommended within the regulations, provides a means to ensure the ‘integrity and confidentiality’ of personal data. Patient records that do not contain information able to identify an individual (name, address, date of birth) will potentially not fall under GDPR because they do not contain personal data. The application of a patient number (pseudonymisation) is a valuable technique to ensure security. However, appropriate security measures need to be applied to keep any document linking names to patient numbers safe and secure.

If there is a data breach, the practice must notify the Information Commissioners Office (ICO) within 72 hours, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. This will be fact-specific; however, if you can recover the lost data, or ring-fence the data from being spread, this may be sufficient to avoid notification.

What is necessary?

The practice should not be holding information that is no longer up-to-date. For example, patients have a right to update their addresses, and old addresses should therefore be deleted. However, this doesn’t apply to historic special categories of personal data. There is a clear purpose for a practice to hold information in relation to health; this is not only a relevant record to the ongoing treatment of a patient but could also potentially be relevant to a complaint against the practice.

Patients have a right to access their record (no charge can be applied, and the request must be met as soon as practicable and no later than one month) and a right to rectify (more appropriate to personal data than special categories of personal data). There is also a limited right to object (right to be forgotten) but this is not an absolute right. A practice should remove personal data from a marketing list if there is an objection but should never delete patient records as there are ‘compelling legitimate grounds for the processing which override the right of the data subject.’

Image credit: Shutterstock