1. Health, care and the new data protection regime David Evans Principal IG Advisor

2. The National Working Group
Membership from 40+ organisations representing the wider health and social care system.
Responsible for developing and drafting sector specific guidance regarding the new data protection regulation
Robust approval and publication process to ensure relevant stakeholders are engaged.
NHS England, Local Government Association, National Data Guardian, Information Commissioner’s Office etc
i.e. Data Protector Officer, Lawful Processing etc. including guidance for independent contractors (i.e. GPs, Dentists etc.) and social care.

3. Data Protection Package
General Data Protection Regulation (GDPR)
Data Protection Bill
EU Law Enforcement Directive
Intel.
services
Non-EU matters
Law enforcement

4. Where are we now? The GDPR comes into full effect on 25 May 2018.
The DP Bill entered its third reading in the House of Lords on 17 January The likely conclusion will be late January at which point it will transfer then to the House of Commons.
Fairly clear but not finalised!

5. IGA Publication Schedule
Published:-
CEO Briefing published
FAQs
Publishing February 2018*:
What's new
The data protection officer
Transparency and subjects' rights
Social care awareness guidance
Data protection accountability and implementation priorities
Pseudonymisation
Lawful processing
Publishing April 2018*
Privacy by design and default
Personal data breaches and notification
Profiling and risk stratification
GDPR overview
GP Practice / primary care suite
* Anticipated timeframe

6. Guidance from others NHS Digital - IG Toolkit Checklist
Health Research Authority (HRA) - Implications for research including legal basis and safeguards for research

7. Further consideration
A need for the health and social system to start considering other statutory responsibilities, i.e. Codes of Conduct
Any codes cannot be significantly progressed until the ICO has published their overarching guidance.
For example, confidentiality – currently new Code being drafted to replace the 2003 version.
These will complement guidance under the data protection reform and support “the how” (i.e. organisation’s applicability) of legislation and responsibilities.
This will develop over a period of time.

8. What should I be looking for?
Should I be worried?
Do you; meet your present obligations; follow good practice; know your assets; and communicate well?
What should I be looking for?
If so, you’re well on your way in meeting compliance with the new Data Protection reform. Remember, it’s about demonstrating that compliance.
Review your own organisation; what are your assets and are these recorded sufficiently, how you can demonstrate your compliance and enhanced transparency for data subjects (including their increased rights). Also monitoring guidance from the ICO and those to be published to complement it; the IGA, NHS Digital etc.
It is your responsibility to ensure compliance – don’t wait to act for system guidance – that published from the ICO is sufficient. (i.e. 12 steps to GDPR compliance).

9. Remember There are no experts in this field
There are many shades of grey
It’s about proportionality
There will always be unresolved issues – it’s about how you respond and what you do.

10. Final thoughts “GDPR compliance will be an ongoing journey” and
“ … if you can demonstrate that you have the appropriate systems and thinking in place you will find the ICO to be a proactive and pragmatic regulator aware of business needs and the real world.”
Both quotes taken from Elizabeth Denham’s blog

11. Questions?