Protecting your Data (GDPR)
The General Data Protection Regulation (GDPR) is an EU Regulation which will be directly applicable in the UK from 25 May 2018.
What you need to know
The GDPR and Data Protection Act 2018 replace the Data Protection Act 1998 with an updated and strengthened data protection framework; however, the key principles of the original Act remain unchanged. The most relevant changes for GPs in their role as data controllers are highlighted below.
Key changes under GDPR
- Compliance must be actively demonstrated; for example, it will be necessary to:
  - keep and maintain up-to-date records of the data flows from the practice and the legal basis for these flows; and
  - have data protection policies and procedures in place.
- More information is required in 'privacy notices' for patients.
- A legal requirement to report certain data breaches.
- Significantly increased financial penalties for breaches as well as non-compliance.
- Practices will not be able to charge patients for access to medical records (save in exceptional circumstances).
- Designation of Data Protection Officers.
The practice complies with GDPR and Access to Medical Records legislation. Identifiable information about you will be shared with others in the following circumstances:
- To provide further medical treatment for you e.g. from district nurses and hospital services.
- To help you get other services e.g. from the social work department. This requires your consent.
- When we have a duty to others e.g. in child protection cases.
Anonymised patient information will also be used at local and national level to help the Health Board and Government plan services e.g. for diabetic care.
If you do not wish anonymous information about you to be used in such a way, please let us know.
Reception and administration staff require access to your medical records in order to do their jobs. These members of staff are bound by the same rules of confidentiality as the medical staff.
Freedom of Information
- You may ask to see the records held about you
- Your request must be in writing
- There may be a fee
You will need to give adequate information so that your identity can be verified and your records located. We will respond to your request within 1 month from receipt of your information.
You are Entitled
- To be informed whether personal data about you is being used
- To be given a description of the personal data, the purposes for which the data is being processed and the recipients to whom the data is, or may be, disclosed.
- To have communicated to you, in an intelligible form, the information constituting the data and any information as to the source.
- To be told of the logic involved in any automated decision.