GDPR in your GP Practice
The GDPR, which came into force on May 25th, has serious implications for anyone running a GP practice of any size. It gives the Data Protection Commissioners the power to impose heavy fines and makes it easier for individuals to bring civil claims for compensation for breach of data privacy. It puts great emphasis on transparency and security, and gives individuals stronger data protection rights. Preparing for the GDPR can be an opportunity to streamline procedures, with potential time and cost efficiencies. Taking the necessary steps to properly implement the GDPR in your practice can help you avert potential payouts, avoid reputation damage and help you to build trust with your patients.
A GP practice should have a designated Data Protection Officer (DPO), which needs to be registered with the Data Protection Commissioners (see point 3 below). You can appoint a member of your staff, where they have the required training and time to implement and manage it, or you can use an external DPO service like ourselves, Data Protection Providers Ltd.
You need to prepare a complete listing of all the personal data that your practice holds. For example, patient personal details, including next of kin contact details, date of birth, medical card number, health insurance details, details of a previous GP, payment history, medical history, details of attendances, scans, test results and correspondence.
For each category, you need to consider how securely it is stored, particularly for any data which is considered ‘special’ or ‘sensitive’, which includes health data. You also need to consider retention periods, and, in the case of needing to share this information, how securely it is transferred. This will enable you to begin to see areas that need to be improved upon in order to achieve compliance.
Once this has been done, an action plan can be prepared. Keep in mind that data mapping applies to any personal data, including staff, suppliers and contractors.
When considering security, think about access and authorisation levels to any systems that you use for personal data; make sure every user has a unique username and password, and that only strong passwords are used. You must consider paper copies of any sensitive information; if these are being retained they must be stored securely and if they are being disposed of, a shredder should be used. Encryption is important for both email and storage systems used. Staff awareness training must be given about the risks of phishing/ scam emails and malware.
It’s a good idea to ask an independent assessor to see if they can see any risks in the day to day operation of the practice such as rooms not being properly sound-proofed, allowing consultations to be overheard or the receptionist’s computer screen being visible to the public, revealing personal data.
3rd Party Suppliers
You need to be sure that all systems, including email, storage and any software used in your practice to handle personal data, are GDPR compliant. You also need to ensure that any external contractors used who have access to personal data, have signed contracts in which they guarantee confidentiality and GDPR compliance. These may include outsourced payroll for staff or a lab used to analyse blood samples.
Legal Basis for Processing
In a GP practice, you could assume that consent is freely given to share personal data. However, you need to retain evidence of that consent so how this is done must be considered e.g. retention of intake forms which should explicitly seek consent.
Subject Access Requests
You may already have a procedure in place to deal with these but, if not, you need to put one in place. Your Data Protection Statement, which is a publicly available document, should make it clear exactly how to make a subject access request e.g. who to make the request to and what identification needs to be supplied. These can include a request to know what data you hold, a request to rectify that data and a request to gather that data in a form that it can be transferred to a newly appointed GP practice. In general, these need to be responded to within 30 days.
The DPO needs to be responsible for reporting data breaches. These must be reported to the Data Protection Commissioners within 72 hours of becoming aware of them. Affected data subjects must be informed as soon as possible. A log of all breaches must be maintained, with records of any corrective action taken to stop the breach from happening again.
Your practice’s Data Privacy Statement will need to be updated. Under the GDPR, you will have to set out more information including the legal basis for processing the data, the applicable retention periods and details of the rights patients have under the GDPR, including the right to complain. This should be available on your website. You should review your privacy statement regularly to make sure that it is accurate and up to date.
Documents to Prepare
The following are a list of documents that we can work with you to prepare:
- A website privacy statement;
- A practice privacy and confidentiality policy;
- A patient leaflet regarding data protection;
- Consent intake form regarding the processing of personal data;
- Confidentiality clauses in staff contracts or the employee handbook;
- GDPR compliant contracts with third party service providers;
- Written procedures regarding the subject access requests, including the policy on refusal;
- A data breach management procedure; and
- A written complaints policy for the practice.
Ongoing GDPR Management
GDPR implementation is not a one-off project. It is something that requires ongoing review and management. We provide a service to continually assist you in managing and auditing your compliance. For more information email me at firstname.lastname@example.org or call me on 086 812 7708.