Appropriate Data Sharing in Health and Social Care

Appropriate Data Sharing in Health and Social Care
Data Protection Reform in Local Government Regional Conference
Mark Golledge, Programme Manager, Health and Social Care, LGA
David Evans, Senior Information Governance Advisor, NHS Digital
www.local.gov.uk

Outline
- General Data Protection Regulations (GDPR) and Data Protection Bill
- Common Law Duty of Confidentiality
- Consent – To consent or to not consent…
- Caldicott Standards and Data Protection and Security Toolkit
- Opt out Model
- Things to Consider

1. GDPR and Data Protection Bill
- GDPR - processing is fair, lawful and transparent
- Lawful specifically includes that the common law duty of confidentiality is also satisfied
- Organisations must establish, record and inform subjects about the lawful basis they are relying on
- This means:
  - an Article 6 condition is satisfied (for personal data); and
  - an Article 9 condition is satisfied (for special categories of data); and
- To respect confidentiality (common law):
  - there is consent from an individual; or
  - there is another legal basis to set aside common law

1. GDPR and Data Protection Bill
Lawfulness of Processing
- 6(1)(a) – Consent
- 6(1)(b) – Performance of a contract (care providers)
- 6(1)(c) – Compliance with a legal obligation
- 6(1)(e) – Public interest or official authority functions
Processing Special Categories of Personal Data
- 9(2)(a) – Explicit consent
- 9(2)(b) – Safeguarding for direct care
- 9(2)(h) – Medical treatment and social care provision
- 9(2)(j) – Research or statistical purposes

1. GDPR and Data Protection Bill
The Data Protection Bill states that this includes circumstances in which it is carried out:
- By or under the responsibility of a health professional or social work professional
- By another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law (i.e. non-registered professionals)
Social workers are regulated by the Health and Care Professions Council and expected to adhere to professional codes of practice

2. Common Law Duty of Confidence
- Meet both GDPR and common law duty of confidence requirements
- “Consent” to meet the common law is different to consent to processing under GDPR.
- Consent may be obtained for confidentiality – not needed for GDPR
- No need to change consent practices if consent not used for GDPR processing

3. To consent or not consent…
Using consent under GDPR:
- Public bodies must keep a record of where someone has obtained consent
- In order for consent from an individual to be valid under the GDPR it is required to comply with the following:
  - To be freely given
  - To be specific
  - To be informed
  - To be unambiguous
  - A clear affirmative act
Article 29 Working Party guidance on consent: http://ec.europa.eu/newsroom/just/document.cfm?doc_id=48849

3. To consent or not consent…
For social care:
- Imbalance of power and the data subject will have no realistic alternatives to accepting processing.
- Maintain a record of social care involvement.
- If you use consent, the data subject has rights to withdraw consent as well as erase the data.
- However, you may still wish to seek consent to meet the requirements of the common law duty of confidentiality.
Table: data subject rights by lawful basis
Columns: Right to Erasure, Right to Portability, Right to Object
Rows:
- Consent: ✓ X but right to withdraw consent
- Contract
- Legal obligation
- Vital interests
- Public task
- Legitimate interests

3. To consent or not consent…
For common law purposes there are two general types of consent:
- Implied consent – assumed where the use of the information is to support direct care
- Explicit consent - i.e. a patient has agreed to the use of their data for a purpose; this does not have to meet GDPR requirements but does need to be transparent and supported by appropriate information
Other clear legal basis
- Section 251 application
- NHS Digital collects under direction
- Public Interest

4. Caldicott Standards & Data Protection and Security Toolkit
- Caldicott Report introduced a new set of data security standards alongside a proposal for a new opt-out model
- Data security standards will form part of the replacement for the IG Toolkit which will launch from April 2018.
https://www.gov.uk/government/publications/data-security-and-protection-for-health-and-care-organisations
http://www.nationalcareforum.org.uk/dataprotection.asp

5. Opt Out Model
- From May 2018 Public will be able to register to opt out of their personal and confidential information being used beyond direct care (online and paper)
- Between May 2018 and 2020 opt outs will be applied to data
Webinars to understand impact on Local Government:
- Friday 26 January 2018 10:00-12:00
- Wednesday 14 February 2018 10:00-12:00
- Thursday 15 February 2018 14:00-16:00
To book a place, email newoptoutenquiries@nhs.net

6. Things to consider
GDPR
- Have you identified (and communicated via your privacy notice) the legal basis for processing data under the GDPR?
- Have you documented your lawful basis decision to demonstrate compliance?
- Where consent is being used as the legal basis have you made sure that you are able to meet all the requirements set by the GDPR?

6. Things to consider
Common Law Duty of Confidence
- Have you determined how to meet the common law duty of confidence when sharing information i.e. is information being shared through informed consent, explicit consent or another basis (i.e. confidence is “set aside” through Section 251 of the NHS Act 2006)?
Caldicott Standards & Data Security and Protection Toolkit
- Are you sighted on plans for the new Data Security and Protection Toolkit launching in April 2018?
- Are you considering how to support care providers in meeting their responsibilities under GDPR? Some councils are supporting them directly.