Health, care and the new data protection regime
David Evans, Principal IG Advisor
The National Working Group
Membership from 40+ organisations representing the wider health and social care system, including NHS England, the Local Government Association, the National Data Guardian and the Information Commissioner's Office.
Responsible for developing and drafting sector-specific guidance on the new data protection regulation (e.g. the Data Protection Officer, lawful processing), including guidance for independent contractors (GPs, dentists etc.) and for social care.
A robust approval and publication process ensures that relevant stakeholders are engaged.
Data Protection Package
General Data Protection Regulation (GDPR)
Data Protection Bill (intelligence services; non-EU matters)
EU Law Enforcement Directive (law enforcement)
Where are we now?
The GDPR comes into full effect on 25 May 2018. The Data Protection Bill entered its third reading in the House of Lords on 17 January 2018; the Lords stages will likely conclude in late January 2018, at which point the Bill transfers to the House of Commons. The position is fairly clear, but not finalised.
IGA Publication Schedule
Published: CEO Briefing; FAQs.
Publishing February 2018*: What's new; The data protection officer; Transparency and subjects' rights; Social care awareness guidance; Data protection accountability and implementation priorities; Pseudonymisation; Lawful processing.
Publishing April 2018*: Privacy by design and default; Personal data breaches and notification; Profiling and risk stratification; GDPR overview; GP practice / primary care suite.
* Anticipated timeframe
Guidance from others
NHS Digital: IG Toolkit checklist.
Health Research Authority (HRA): implications for research, including the legal basis and safeguards for research.
Further consideration
The health and social care system needs to start considering other statutory responsibilities, i.e. codes of conduct. No code can be significantly progressed until the ICO has published its overarching guidance. For example, on confidentiality a new code is currently being drafted to replace the 2003 version. These codes will complement the guidance issued under the data protection reform and support "the how" (how the legislation and its responsibilities apply to an organisation). This will develop over a period of time.
What should I be looking for? Should I be worried?
Do you meet your present obligations, follow good practice, know your assets and communicate well? If so, you are well on your way to compliance with the new data protection reform. Remember, it is about demonstrating that compliance.
Review your own organisation: what are your assets and are they recorded sufficiently? How can you demonstrate your compliance and enhanced transparency for data subjects (including their increased rights)? Also monitor guidance from the ICO and the guidance published to complement it (the IGA, NHS Digital etc.).
It is your responsibility to ensure compliance. Don't wait for system guidance before acting: the guidance published by the ICO is sufficient (e.g. its 12 steps to GDPR compliance).
Remember
There are no experts in this field. There are many shades of grey. It's about proportionality. There will always be unresolved issues; it's about how you respond and what you do.
Final thoughts
"GDPR compliance will be an ongoing journey" and "... if you can demonstrate that you have the appropriate systems and thinking in place you will find the ICO to be a proactive and pragmatic regulator aware of business needs and the real world."
Both quotes are taken from the blog of Elizabeth Denham (Information Commissioner).
Questions?