We all need to be ready for the tougher new data protection laws which come into force from 25 May, so it helps to have a clear understanding of the terminology and how to apply it in your practice.
Here are 7 key terms commonly used in the GDPR. Some may already be familiar but are more tightly defined in the new rules.
1. Data controller: An organisation or individual who determines the purposes and means of processing personal data. The Information Commissioner’s Office (ICO) keeps a public register of data controllers and from 25 May 2018, there will be an annual Data Protection Fee. For more information, visit https://ico.org.uk/media/for-organisations/documents/2258205/dp-fee-guide-for-controllers-20180221.pdf
2. Data processor: A person or organisation that processes information on behalf of a data controller, e.g. Healthcode processes data on your behalf as part of our e-billing service. Data controllers should only appoint processors who can give sufficient guarantees that they meet the GDPR requirements.
3. Personal data: Information relating to a person who can be directly or indirectly identified, particularly by name, identification number, location data or online identifier. The GDPR applies to both automated personal data and to manual filing systems.
4. Special Category Data: Sensitive personal data such as information about an individual’s health, including genetic and biometric data. Practitioners require additional grounds for processing Special Category Data as it has enhanced protection under the GDPR.
Healthcode’s GDPR Toolkit provides further detail of additional processing grounds within the Guide. Log in to ePractice to find out more and to purchase the Toolkit.
5. Consent: A freely given, specific, informed and unambiguous indication of the data subject's wishes, signifying agreement to the processing of their personal data. Consent is only one of the six legal bases for processing personal data and organisations should use the most appropriate for their own purpose; the ICO has said that consent is ‘not the silver bullet for GDPR compliance’. Whether or not you use consent as a ground for processing, doctors have an existing ethical duty to seek patients' consent to disclose information about them.
Healthcode’s GDPR Toolkit provides information on Consent within the Guide. Log in to ePractice to find out more and purchase the Toolkit.
6. Personal data breach: A breach of information security leading to the accidental or unlawful destruction, loss or alteration of personal data, or to its unauthorised disclosure or access. If a data breach is likely to result in a risk to the rights and freedoms of individuals, it must be reported to the ICO within 72 hours. The individuals concerned must also be contacted if the breach poses a high risk to their rights and freedoms.
Healthcode’s GDPR Toolkit includes a data breach procedure template. You can gain access to the GDPR Toolkit by logging into ePractice.
7. Data protection by design: Implementing technical and organisational measures to show that you have considered and integrated data protection into all your processing activities. This is a general obligation under the GDPR and was implicit under previous data protection law.
This is one of a series of blogs from Healthcode in the run-up to the GDPR. For more detailed information about the new data protection law relating to private practitioners and a range of resources to help you comply, log in to ePractice to gain access to the GDPR Toolkit. You can also find general information on the ICO website at www.ico.org.uk