General Data Protection Regulations

Presentation transcript:

GDPR: General Data Protection Regulations

General Data Protection Regulations
The GDPR is Europe's new framework for data protection laws – it replaces the previous 1995 data protection directive, which current UK law is based upon. The EU's GDPR website says the legislation is designed to "harmonise" data privacy laws across Europe as well as give greater protection and rights to individuals. Within the GDPR there are large changes for the public as well as businesses and bodies that handle personal information.

Key Terms
Data Controllers – Partners
Data Processors – You, me, everyone!
Data Protection Officer – External "expert" (TBC)
Data Subject – The individual whose information we are processing
Personal Data – Information relating to a Data Subject
Processing – Operation performed on personal data
Recipient – The entity we are disclosing information to

Video about GDPR
Introduction to GDPR: https://www.youtube.com/watch?v=2Tkn9q2ZNKk

What is an information asset?
An information asset is a body of information, defined and managed as a single unit so it can be understood, shared, protected and exploited effectively. Information assets have recognisable and manageable value, risk, content and lifecycles.

What information do we hold?
Asset Register on public folder
Add anything you come across which could be considered identifiable information (either paper or electronic)
Les will then complete boxes if you are stuck on what to do – email me to say what you have added.
Retention Policy
Electronic files on computers should be deleted in line with the retention policy.

Who do we share information with?
District Nurses
Secondary care
Pharmacies
Private providers*
Insurers*
Research study teams*
Path lab
OOH
Social services
Social care providers
Care homes
*With consent!

Privacy Notices
Poster in waiting room
Information on our website
Information sheet at reception
Patients may ask for a copy of the information sheet; this must be given to the patient.

Online Access
Form to be completed at the desk
Photographic ID is needed
Can register wife/husband/children over 12 with the patient’s signed consent form
Can register children under 12 if at the same address as both parents registering

Children Reaching 12
Under GDPR all children are allowed to decide who can access their records from the age of 12.
A search will be run monthly to identify all patients who have turned 12 (numbers will be low)
Open EMIS Access and check if the patient is registered for online access
Only if the patient is registered, de-register them and add them back on – generating a new registration form.
In EMIS, print the letter explaining to the patient why they have been re-registered.
Add the code as per process GDPR10

What about your information?
You have the same rights as patients over information the practice holds about you.
Employee data policy GDPR 11 – please read, ask questions and sign once understood.

Rights as Individuals under GDPR
Right to be informed
Right to access
Right to rectification
Right to erasure
Right to restrict processing
Right to data portability
Right to object
Rights in relation to automated decision making and profiling.

Privacy Notices
One for patients and one for staff
Plain language
Displayed in public areas
Read them! Feel free to give feedback and ask questions, as patients may ask you!
Outlines the information we hold, how we use it, share it, store it etc.
How long we keep the information – retention policy to complement the notice
How to request a copy of the information
Who our DPO is – Current TBC
How to complain – about compliance, request refusals etc.

Patient Questions
You will need to be able to answer any patient’s questions
Do not direct questions to Jane or me
If you don’t know the answer, ask Jane or myself and then share the answers with everyone else.
So... If I ask a question you may need to answer it....

Subject Access Requests
Free!!!
May be able to charge if excessive, multiple requests or unjust
Deadline reduced from 45 days to 1 calendar month
Extension of 2 months can be requested
Verifying requests from third parties (solicitors/insurers) – New form
Clock will start ticking when we verify the request (we can’t intentionally delay this)
New software to help with third party redactions

Subject Access Requests
Form will need to be completed at the front desk.
You may need to complete it on behalf of a patient
Verbal requests now have to be complied with; as such, you may need to complete the form by asking the patient the questions over the phone.
Patients should collect the records themselves where possible; where not possible, we will need written consent from the patient (form available) to allow records to be handed to someone else on their behalf.

Children and Medical Records
Scotland have decided any child 12 or over (who has competency) is to have the same rights as an adult with their records.
Tests which parents were at will be recorded as with mum/dad etc. and this is consent to give results.
We may need to get consent from children 12 or over to disclose information
These are not our rules but the law under GDPR (General Data Protection Regulations)
Consent is only valid at the point the consent is given and for that single purpose.
Records alerts will need to be reviewed as to what the practice will do.
This is going to cause issues and frustrations, so use your common sense when assessing if consent is needed. You are amazing at doing this, so simply keep doing what you’re doing.

Data Breaches
Data breaches will happen as we are only human and humans make mistakes.
If a data breach occurs, or you think one has happened, a data breach form must be completed.
At the moment the form is the Information Commissioner’s Office (ICO) form, but a practice form will be used to simplify the reporting.
Not all breaches are reportable to the ICO, but the practice manager MUST be aware of all breaches in case the patient complains to the ICO
Like clinical significant event analysis (SEA), the form and subsequent investigation is to look at how to improve the systems and the practice, not to look for blame.

Still to do
Patient Asset Register
Staff Asset Register
Posters for waiting room
Website
Visitors book and confidentiality

Summary
New law applying from 25th May, we must comply
We all have a part to play as processors
Privacy Notices will be circulated – familiarise yourselves
Patients (and 3rd parties) can request copies of their information for free
Evolutionary – Please ask questions and feedback, no one is an expert!
Don’t panic! (that’s my job!)

Any Questions?
GDPR