GP receptionists and administrators, you can now test your GDPR knowledge with our new quiz here…
This short video has been designed to provide receptionists and administrators with an overview of the GDPR and what it means in general practice.
GDPR stands for General Data Protection Regulation, which came into effect on 25th May 2018 and has been applicable as law in the UK since this date.
The GDPR was introduced to harmonise data privacy laws throughout the EU, giving individuals or ‘data subjects’ (as they’re referred to in the regulation) more rights when it comes to the processing of their personal data.
For more detailed information about the regulation, have a look at the Information Commissioner’s Office website: www.ico.org.uk
So what does the regulation mean to you as a receptionist? Well, you’ve probably had countless emails about the GDPR and so have your patients! But it’s your patients who may want to know more, so you should be prepared. We’ll start by taking a look at some of the terminology used in the regulation.
We’ll begin with ‘data controllers’; this will be your practice (unless the partners decide to nominate an individual). As a controller, the practice has a duty to ensure that personal data at your practice is processed appropriately, and the practice should be able to demonstrate compliance with the regulation.
Next, there are ‘data processors’; these are individuals (or organisations) who are responsible for the processing of personal data on behalf of data controllers. So, in general practice, that’s anyone who processes an individual’s personal data. As a processor you have legal obligations, such as maintaining records of personal data and the associated processing activities. You’ll be legally liable if you’re responsible for a data breach. But don’t worry, because if you’ve been compliant with the Data Protection Act, the Caldicott Principles and other legislation, then there isn’t a lot that’s changed. But if you want to learn more, take a look at Article 5 of the GDPR, which explains processing activities in much more detail.
What do we mean by the term ‘personal data’? Personal data is any information that relates to the data subject; this can be name, address, telephone number, patient ID, etc., and when we talk about ‘processing’ we mean any action performed on personal data regardless of whether it’s an automated or manual process.
Personal data must be:
- processed lawfully, fairly and transparently;
- collected only for specific, legitimate purposes;
- adequate, relevant and limited to what is necessary;
- accurate and kept up to date;
- stored only for as long as necessary; and
- handled so that those involved with the data ensure appropriate security, integrity and confidentiality.
By doing this, your practice will be demonstrating compliance with the data protection principles set out in the GDPR.
If we turn our focus to the patient, do your patients know how the GDPR affects them, what their rights are, and what has changed about accessing their data? They have a right to know how their data is being processed, so they can be sure it’s being processed lawfully and fairly. Well, if someone had your data, you’d want to know that too, right?
If patients are uncertain, they could look at your practice privacy notice, which should have been updated to become GDPR compliant. What does that mean? Okay, to be compliant, your practice privacy notice must be: concise, transparent, intelligible and easily accessible, and written in clear and plain language, particularly if addressed to a child.
It must explain:
- What information is collected
- How that information is used
- How confidentiality is maintained and how patients can access their records
- Risk stratification (healthcare risks)
- Invoice validation (who pays for treatment)
- Opt-outs (in relation to the national data opt-out programme)
- Retention periods (how long patient data is kept)
- What patients should do if they have any questions
- Complaints (how to make a complaint)
One thing that has changed – and I’m sure you’ll have heard about it – is the way in which subject access requests (SARs) are processed. Firstly, you’ll know that you can’t charge an individual, or a third party (such as a solicitor) acting on behalf of the patient, for a copy of the patient’s medical record.
The practice must respond to such requests within one calendar month, but this may be extended by two months if the request is complex or you have a large volume of requests. You’ll also need to check that the person requesting the information is the data subject; it’s acceptable to ask them for evidence of their identity, such as ID. Your practice should have an Access to Medical Records Policy which outlines the SAR process.
Something else that you may have heard of is the right to erasure – that’s not the 80s pop group! It’s also referred to as the right to be forgotten, and it’s where an individual can request to have certain data erased. But the British Medical Association has stated that in healthcare it’s highly unlikely that this right would apply, save for instances of unlawful processing of personal data. If requests for data to be amended are received, the original record must be retained for audit purposes. Detailed information about this particular right can also be found on the ICO website, and it’s in Article 17 of the GDPR.
Okay, the last thing I want to talk about is data breaches. A data breach could be unauthorised third-party access to data, loss of personal data, amending a data subject’s personal data without their permission, the loss of IT equipment, or personal data being sent to the incorrect recipient – and there are many more examples.
So if there’s a data breach, it must be reported without undue delay, and within 72 hours of the breach being identified. Who do you report it to? Well, this is handled on a case-by-case basis, as not all data breaches require the practice to inform the Information Commissioner’s Office, but every breach, no matter how minor, must be recorded. Your practice should have a log where all data breaches are recorded, along with the actions taken to resolve each one. Your practice manager will be able to tell you who data breaches should be reported to within your practice.
There’s also a requirement to inform the data subject about the breach, so that they have time to take any necessary steps to protect themselves from its effects. Your practice must ensure they’re given the full facts about the breach, explaining who they should contact if they have a query, what actions have been taken so far and any other relevant information.
Most importantly, don’t hide a breach; if it needs to be reported, make sure you do! Organisations can face a fine of up to 10 million euros if they hide a breach. Further guidance is available from the Information Commissioner’s Office (ICO).
Okay, that was a short overview of the regulation, hopefully enabling you to understand the importance of the GDPR and how it affects your daily activities in your practice, and what you must do to ensure compliance with the regulation. If you’ve got any questions, there’s a GDPR forum on the Practice Index website where you can ask questions and I’ll do my best to answer them for you. Thanks for watching.