
General Data Protection Regulation (GDPR)


1 General Data Protection Regulation (GDPR)
V0.2, March 2018

2 Session Objectives By the end of this session you will understand:
- The principles and terminology of the new data protection legislation, the GDPR
- The differences between the Data Protection Act and the GDPR
- How the GDPR may impact your work area
- How your area can ensure compliance
- Potential penalties for non-compliance
- Where to find further guidance and support

3 General Data Protection Regulation
- Repeals Directive 95/46/EC, on which the UK Data Protection Act 1998 was built
- Comes into force on 25th May 2018
- The UK Data Protection Bill is currently going through Parliament
- The Data Protection Bill will:
  - Supplement the GDPR
  - Implement the EU Law Enforcement Directive
  - Extend data protection law to areas not covered by the GDPR

4 Key Changes
- Accountability and governance: organisations have to prove they are doing the right thing
- Data Protection Officer
- More data included
- Data subjects' rights
- Consent
- Increased ICO powers and fines
- Suppliers (data processors) liable
- Data breach notification to the ICO and affected individuals

5 Accountability
The CCG must:
- Implement appropriate security measures, such as policies, staff training and internal audits
- Complete the revised IG Toolkit
- Maintain relevant documentation on processing activities
- Appoint a Data Protection Officer
- Apply Privacy by Design
- Adhere to approved codes of conduct and compliance tools, such as those issued by the ICO
- Organise an information audit (DFM) where needed
Accountability means the organisation must be able to show how it complies with the data protection principles, e.g. effective policies and procedures in place.
The information asset register is to be updated and risk assessed; this is particularly important for new assets.

6 Data Protection Officer (DPO)
- Responsible for monitoring compliance, advising on data protection obligations and advising on Data Protection Impact Assessments (DPIAs)
- Takes responsibility for data protection compliance at board level
- May not be disciplined or dismissed for carrying out their tasks as DPO
- Is the point of contact for the Information Commissioner's Office (ICO)
- Contactable by data subjects
- There are plans to have one DPO across the 4 Derbyshire CCGs
The DPO is challenging to appoint, as the individual needs a sufficient level of understanding of data protection and must be able to report at board level. The role must not conflict with other roles such as SIRO or Caldicott Guardian, and the DPO cannot be responsible for making decisions about how information will be processed.

7 Individual's Rights
- Subject Access Requests
- Right of portability
- Right of erasure
- Right of rectification
- Right to object and to restrict processing
- Fair Processing (Privacy) Notices
Fair Processing Notices must identify which rights apply to the processing; individuals' rights are to be documented in privacy notices.

8 Subject Access Requests
- Disclosure must now be made within one month
- The period can be extended by up to a further two months for complex or numerous requests, but the requester must be told of the extension, with reasons, within the first month (the old 40-day limit no longer applies)
- A fee cannot normally be charged for a SAR
- For 'manifestly unfounded' or excessive requests, particularly where they are repetitive, we are allowed either to refuse the request, explaining why, or to charge a reasonable fee
- Requesters no longer have to say where their data might be held (i.e. tell us which team has handled their information)
Do you know what data you hold and where you hold it?

9 Personal Data
"Data from which a living individual can be identified or is identifiable (by anyone), whether directly or indirectly, by all means reasonably likely to be used." (ICO)
For example:
- Name
- NHS number
- Location data
- An online identifier
- Some pseudonymised data: data that has been pseudonymised remains personal data where it could still be attributed to an individual using additional information, such as the key used to pseudonymise it (GDPR Recital 26)
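The last bullet is the one teams most often get wrong: replacing an NHS number with its hash looks like anonymisation but is not. The following is an added example, not part of the original presentation, assuming a dataset keyed by NHS number. The NHS number used is a constructed sample with a valid Modulus 11 check digit, not a patient. It shows that an unkeyed SHA-256 of an NHS number is reversed simply by enumerating candidate numbers (the search is narrowed to a known prefix only to keep the demo quick; the full 10-digit space is a few minutes of work offline in a compiled language), whereas an HMAC under a secret key cannot be reversed by anyone without the key, although the controller who holds the key can still re-link it, which is exactly why the output is still pseudonymised personal data.

```python
import hashlib
import hmac
import itertools
from typing import Callable, Optional

# Added example, not from the original presentation. Constructed sample NHS
# number with a valid Modulus 11 check digit; it does not belong to a patient.
SAMPLE_NHS_NUMBER = "9434765919"


def nhs_check_digit(first_nine: str) -> Optional[int]:
    """Modulus 11 check digit: weights 10 down to 2 over the first nine digits.

    Returns None when no valid check digit exists (a result of 10 is not allowed).
    """
    total = sum(int(d) * w for d, w in zip(first_nine, range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        return 0
    if check == 10:
        return None
    return check


def is_valid_nhs_number(number: str) -> bool:
    """True when the number is ten digits and its check digit is correct."""
    return (
        len(number) == 10
        and number.isdigit()
        and nhs_check_digit(number[:9]) == int(number[9])
    )


def naive_pseudonym(nhs_number: str) -> str:
    """Unkeyed SHA-256. Looks opaque, but anyone can recompute it for every
    candidate NHS number, so the mapping is reversible by enumeration."""
    return hashlib.sha256(nhs_number.encode()).hexdigest()


def keyed_pseudonym(nhs_number: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key that the controller stores separately
    from the dataset. Without the key an outsider cannot enumerate candidates;
    the key holder still can, so the result remains pseudonymised personal data."""
    return hmac.new(key, nhs_number.encode(), hashlib.sha256).hexdigest()


def reidentify(
    target: str, known_prefix: str, pseudonymise: Callable[[str], str]
) -> Optional[str]:
    """Dictionary attack: enumerate every check-digit-valid NHS number that
    starts with known_prefix, pseudonymise each the same way and compare.

    The prefix only shortens the demo; the full 10^9 space is feasible offline.
    """
    remaining = 9 - len(known_prefix)
    for tail in itertools.product("0123456789", repeat=remaining):
        first_nine = known_prefix + "".join(tail)
        check = nhs_check_digit(first_nine)
        if check is None:
            continue  # no NHS number exists with these nine leading digits
        candidate = first_nine + str(check)
        if hmac.compare_digest(pseudonymise(candidate), target):
            return candidate
    return None


if __name__ == "__main__":
    # Assumption: the key lives in a separate secret store, never in the dataset.
    key = b"controller-secret-key-kept-out-of-the-dataset"

    leaked = naive_pseudonym(SAMPLE_NHS_NUMBER)
    print("unkeyed hash, attacker recovers:", reidentify(leaked, "94347", naive_pseudonym))

    protected = keyed_pseudonym(SAMPLE_NHS_NUMBER, key)
    print("keyed HMAC, attacker without key:", reidentify(protected, "94347", naive_pseudonym))
    print("keyed HMAC, controller with key:",
          reidentify(protected, "94347", lambda n: keyed_pseudonym(n, key)))
```

Run it and the unkeyed hash gives the NHS number back, the keyed pseudonym gives nothing to the attacker and the number back to the key holder. For a real dataset the practical consequence is that a hashed-identifier extract shared with a third party is still a disclosure of personal data, and the key for a keyed scheme needs the same protection as the identifiers themselves.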

10 Special Category Data
- Race
- Ethnic origin
- Politics
- Religion
- Trade union membership
- Genetics*
- Biometrics (where used for ID purposes)*
- Health
- Sex life
- Sexual orientation
* New categories under GDPR

11 Legal Basis for Processing Personal Data
- Must have a Schedule 2 condition (now Article 6)
- Public authorities can no longer rely on legitimate interests
- To process sensitive personal data (now special category data) you must also have a Schedule 3 condition (now Article 9)
- Where consent is used as the legal basis, the data subject can withdraw consent and then has the right to erasure. What if you need to carry on processing the data?
- Which conditions are you relying on? Much current processing relies on legitimate interests; use the public task condition instead (necessary for the performance of a task carried out in the public interest)
- Take the common law duty of confidentiality into account

12 Schedule 2 (Article 6)
- 6(1)(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- 6(1)(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- 6(1)(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
- 6(1)(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- 6(1)(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- 6(1)(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

13 Schedule 3 (Article 9)
- 9(2)(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes;
- 9(2)(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law;
- 9(2)(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
- 9(2)(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or other not-for-profit body with a political, philosophical, religious or trade union aim;
- 9(2)(e) processing relates to personal data which are manifestly made public by the data subject;

14 Schedule 3 (Article 9)
- 9(2)(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
- 9(2)(g) processing is necessary for reasons of substantial public interest;
- 9(2)(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services;
- 9(2)(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices;
- 9(2)(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

15 Consent
GDPR Recitals 42 and 43 (which underpin Article 7(4)): 'Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment', and further, consent 'should not provide a valid legal ground ... where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority'.
How will this impact on employee information?

16 Consent Review how you are seeking, obtaining and recording consent.
- Consent must be freely given, specific, informed and unambiguous
- It requires a positive indication of agreement: it cannot be inferred from silence, pre-ticked boxes or inactivity
- Individuals generally have stronger rights where you rely on consent
- You must be able to demonstrate that consent was given, so keep an effective audit trail
- Individuals have a right to withdraw consent at any time
- Complete the ICO Consent Checklist to identify any gaps and amend your processes accordingly
- Ideally rely on another lawful basis, such as public task, medical purposes or performance of a contract

17 Children
If you are relying on consent as your lawful basis for processing personal data when offering an online service directly to a child, only children aged 13 or over are able to provide their own consent. (This is the age proposed in the Data Protection Bill and is subject to Parliamentary approval.) For children under this age you need to get consent from whoever holds parental responsibility for the child, unless the online service you offer is a preventive or counselling service.
Is this applicable to any data processed by the CCGs?

18 Fair Processing Notices (Privacy Notices)
Must be transparent, easily accessible and in a concise form. Must include:
- Contact details of the DPO
- The Schedule 2 and 3 (Article 6 and 9) conditions relied on
- Data retention periods
- Reference to the data subject's rights
Also:
- Staff Fair Processing Notice
- Review of notices by NHS Digital
- Fair Processing Notice for children, if applicable
Does the current Fair Processing Notice provide an accurate description of the processing undertaken by your team? (Task)

19 New Duties for Data Processors
- The GDPR places new, specific legal obligations on data processors
- Processors are required to maintain records of personal data and processing activities
- Data processors can now be fined
- Data controllers must ensure contracts with data processors are up to date and review them as necessary
- Data processors must comply with the GDPR and must not act contrary to the lawful instructions of the data controller
- Any person who has suffered material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation from the data controller or the data processor for the damage suffered
- Damages will be available for pure distress claims arising from breaches of the GDPR, which may lead to more claims
Are you processing data on behalf of another organisation or CCG? Is there a data processing agreement in place? Do you hold any non-NHS contracts? Forward a copy to the IG Team.

20 Privacy By Design
General obligation to implement technical and organisational measures that show how the organisation has considered and integrated data protection into its processing activities.
A Privacy Impact Assessment (PIA) is a process which helps to assess the privacy risks to individuals arising from any use of their personal information (known as 'processing'). The process aims to support the responsible use of personal data to improve NHS services, carry out audit, research and training, and a number of other activities, by making sure these are carried out ethically and legally.
- Will be known as Data Protection Impact Assessments (DPIAs) from 25th May 2018
- Mandatory under the GDPR (Article 35) where processing is likely to result in a high risk to individuals; the CCG requires one for any project which involves new or changed use of personal data
- Should be started as early as possible in any design phase
- A PIA is not static: it should run alongside a project and be modified along the way

21 Privacy Impact Assessments
- All projects require a Stage 1 PIA: 13 questions, which demonstrate that the organisation has considered the privacy implications
- Answering yes to any of the questions means a Stage 2 PIA is required
- A Stage 2 PIA covers the key areas:
  - Project description
  - Details of personal data
  - Legal basis
  - Information security arrangements
  - Risks and mitigations
  - Disaster recovery and business continuity
  - Records: archiving, disposal and destruction
How can PIAs be better embedded within the organisation? Do you have processes and systems in place that have not undergone a PIA?

22 PIA Review Process Consult with the DPO via IG Team on Stage 2 PIAs
- The Information Commissioner's Office is to be consulted where any high risk is identified that cannot be mitigated
- The ICO will give written advice within eight weeks, or 14 weeks in complex cases
- In appropriate cases the ICO may issue a formal warning not to process the data, or ban the processing altogether
- PIA templates are available on the GDPR intranet site; templates are to be updated by the end of April 2018
What impact could this have on your project?

23 Breaches
- New requirement to notify the ICO of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals (Article 33). Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be told without undue delay (Article 34)
- Failure to notify a breach can result in a significant fine of up to 10 million euros
Medium breaches of data protection are subject to administrative fines of whichever is higher of:
- up to 10,000,000 EUR
- up to 2% of total worldwide annual turnover of the preceding financial year (in the case of an undertaking)
These are focused on process failures, for example failing to maintain written records in accordance with Article 30, or a processor engaging a sub-processor without the controller's written authorisation.
Major breaches of data protection are subject to administrative fines of whichever is higher of:
- up to 20,000,000 EUR
- up to 4% of total worldwide annual turnover of the preceding financial year (in the case of an undertaking)
These are focused on incidents which are likely to cause damage and distress.
The data subject is at the centre of claims for compensation. The data controller must pay up front and then recoup from the data processor where appropriate.

24 ICO Powers
ICO powers include:
- Carry out audits
- Impose improvement notices
- Issue orders to cease operations
- Notify data subjects of a breach
- Restrict or erase data
- Issue fines, not just for personal data breaches but also for lack of, or insufficient, systems and processes

25 GDPR for GP Practices
- Practices are responsible for appointing their own DPO
- Possible options: at practice level, as a group, or across a federation of practices; the role can be outsourced
- NHS England has commissioned Mids & Lancs CSU to provide IG support; there is no additional support for GDPR
Remind practices of the IG support available?

26 Common Law Duty of Confidentiality
'Information confided should not be used or disclosed further, except as originally understood by the confider, or with their subsequent permission.' (DH Confidentiality Code of Practice 2003)
- Needs to be met in addition to the GDPR
- Consent can be either implied (direct care) or explicit
- Can be set aside under 'Section 251' of the NHS Act 2006

27 Immediate Actions Complete the GDPR Checklist Spreadsheet
- Where consent is the legal basis under the GDPR, complete the ICO Consent Checklist
- Check the legal basis in any Information Sharing Agreements (ISAs)
- Supply copies of any ISAs, data processing agreements and non-NHS contracts to the IG Team
- Review the Fair Processing Notice applicable to your team
- Draft a GDPR action log for your team

28 Further Information
- CCG GDPR website (under development and available soon)
- Information Commissioner's Office
- Information Governance Alliance
- Article 29 Data Protection Working Party

29 Contacts
- GDPR Derbyshire CCGs - Sderccg.gdprderbyshireccgs@nhs.net
- Bronwyn Jackson – Derbyshire CCGs IG Manager – Bronwyn.
- Richard Heaton – Head of Governance – Erewash CCG
- Stuart Fletcher – Governance Manager – Southern Derbyshire CCG
- Karen Watkinson – Corporate Secretary – Hardwick CCG
- Suzanne Pickering – Head of Governance – North Derbyshire CCG

