GDPR: the transfer of data power

07 June 2018

New data protection laws came into force across Europe last month, with major implications for how organisations gather and process personal information. Journalist Juliette Astrup looks at why this matters to you.

The European Union’s General Data Protection Regulation (GDPR) took effect across the EU, including the UK, on 25 May, at a time when high-profile data breaches and scandals around data use are rarely out of the press, and the public has never been more aware of the risk of personal information getting into the wrong hands.

The changes it brings are substantial. Fundamentally it ‘rebalances the relationship between individuals and organisations’, says information commissioner Elizabeth Denham. ‘It gives greater control to people about how their data is used, and it compels organisations to be transparent and account for their actions.’

For healthcare professionals handling sensitive and confidential information, it presents an opportunity to review and improve their practice. Health minister Lord O’Shaughnessy says: ‘For community practitioners, this will help to build the confidence of their patients in how their information will be accessed and used. It will also enable a more connected and integrated approach to how data is managed across the NHS.’


So what’s new?

As under the 1998 Data Protection Act (DPA), which it supersedes, GDPR requires that all aspects of the collection, analysis and dissemination of personal data have a lawful basis – but this new regulation brings in both new and strengthened requirements.

Much of its content is already familiar from requirements under the DPA and in the statutory and good practice codes of the Information Commissioner’s Office (ICO), as well as good practice guidelines and codes of practice set out by the Department of Health and Social Care, NHS Digital and NHS England, among others.

As Dawn Monaghan, head of data sharing and privacy at NHS England, head of strategic information governance at NHS Digital and director of the Information Governance Alliance says, the impact of GDPR on the health and social care sectors ‘shouldn’t be very much if we’ve been doing it right in the first place’ (UK Authority, 2018).

While some elements, such as data protection impact assessments and privacy notices, have gone from being good practice to mandatory, there are also new requirements.

Crucially, every public authority, and any organisation whose core activities involve large-scale processing of special category data – which covers all health trusts and boards – must now appoint a data protection officer to monitor and advise on internal compliance.


The accountability principle

Underpinning much of GDPR is a new drive for transparency and accountability.

As the information commissioner says: ‘The law requires you to be transparent and tell people what you will do with their data. You then have to stick to what you said. This is the strengthened part of the law: you should be prepared to account to your customers and the regulator for what you have done’ (ICO, 2018a).

In particular, organisations must be crystal clear about the legal basis for processing any personal data. Under GDPR there are six available lawful bases for processing, broadly similar to the six conditions for processing under the DPA (see graphic below).

In addition, when the processing involves ‘special category information’ – particularly sensitive data such as health information – at least one of 10 additional conditions for processing must be met.

For example, Public Health England (PHE) makes clear that the lawful basis for the processing of its National Child Measurement Programme (NCMP) data under GDPR is considered to be ‘compliance with a legal obligation’ and, in addition to that, the ‘provision of health or social care’.

So, while parents must be provided with an opportunity to withdraw their children from the programme in accordance with existing regulations, ‘consent is not the lawful basis for the NCMP’ (PHE, 2018).


Capturing consent

The tough new rules around consent have certainly drawn attention, spawning a flurry of email requests from organisations asking customers to renew their consent to be contacted.

GDPR requires consent to be freely given, specific, informed and unambiguous, and signalled by a clear affirmative action: requests must be ‘opt in’ rather than ‘opt out’ (pre-ticked boxes or silence do not count), and must be presented in an intelligible and easily accessible form. It must also be as easy to withdraw consent as it is to give it.

That ‘GDPR means you must have consent’ is the biggest potential area for misunderstanding, believes data protection expert Andrew Brenton.

Indeed, as the ICO (2018b) points out in its information for health sector bodies: ‘You need to remember that patient consent for treatment or to share healthcare records is not the same as GDPR consent.’

It goes on: ‘Any requirement to get consent to the medical treatment itself does not mean that there is a requirement to get GDPR consent to associated processing of personal data, and other lawful bases are likely to be more appropriate’ (ICO, 2018b).

GDPR also requires that data subjects are informed of what data is being kept, and why and how it will be used; where the data subject is a young child, that information is given to a parent or guardian (in the UK, a child can give their own consent to online services from the age of 13). ‘It could be a letter or an email – but any communication must be plain and simple and appropriate for the audience,’ explains Andrew.

These ‘privacy notices’ are already commonplace, but will be enhanced and made mandatory under GDPR. For example, they must now explain the lawful basis for holding the information, the retention period and details of the right to complain.

Enhanced rights

As well as the right to be informed, GDPR enhances individuals’ rights to access, amend and even erase their personal data.

They ‘put more power into the hands of the patient’, says Lord O’Shaughnessy. ‘They will mean that for the first time patient data can be requested and obtained within a month – rather than the current 40 days. Patients will also have the power to request their information is moved, deleted or altered. They will, in other words, have greater agency and control over how their data is managed than ever before.’

‘Key changes here are that requests can now be made verbally,’ explains a Central Office of Information spokesman. ‘As a general rule there is no fee now, although there are provisions where the request is excessive, and the response time is now one month.’

But Andrew Brenton cautions that in order to prevent a ‘request becoming a data breach’, it’s ‘very important that frontline practitioners don’t respond to access requests themselves; they need to field them and pass them on to the correct person in the organisation so they can be processed methodically and carefully.’

And when it comes to the new ‘right to erasure’ – as the British Medical Association (BMA) guidelines point out – ‘it is extremely difficult to envisage the circumstances when this right would apply to medical records’ (BMA, 2018).


Glossary of terms

Data protection impact assessments: A process designed to help systematically analyse, identify and minimise the data protection risks of a project or plan.

Privacy notices: The information given by organisations to data subjects to let them know what data they hold and how and why they are processing it.

Personal data: Any information that can directly or indirectly identify an individual such as their name, identification number, address or an online identifier.

Special category personal data: Data that is more sensitive, and so needs more protection, such as information about ethnic origin or health. Under GDPR, an organisation must identify both a lawful basis for processing, and a separate condition for processing special category data.



Data breaches and fines

Another significant difference is what happens in the event of a data breach that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

Unless a breach is unlikely to result in a risk to the rights and freedoms of individuals, there is a new mandate that it be reported to the ICO within 72 hours of the organisation becoming aware of it. Organisations must also inform the individuals affected, without undue delay, where the breach is likely to result in a high risk to them.

Lord O’Shaughnessy says: ‘We need to have the same fast and forensic approach to addressing any compromised data as we do to failures in patient care – both are fundamentally breaches of patient trust and safety.’

When things do go wrong, the new law also allows for much tougher fines: the maximum fine has increased from £500,000 to £17m (€20m) or 4% of global annual turnover – whichever is higher. But, as information commissioner Elizabeth Denham has been at pains to point out in her series of GDPR myth-busting blogs, there is a tiered approach to fines and these new powers will be used ‘judiciously and proportionately’ (ICO, 2017).


Preparing practitioners

While the information commissioner has repeatedly referred to data security as a ‘boardroom-level issue’, it has to be in the minds of individuals on the ground as well.

Some trusts are well ahead of the game. For example, Belfast Health and Social Care Trust says it has updated all its information governance policies and procedures and trained staff.

A spokesman says: ‘Staff have been trained in the GDPR changes including face-to-face and intranet training, and a leaflet for all staff is to be disseminated.’

At NHS Greater Glasgow and Clyde, Isobel Brown, head of information governance, says her team have used factsheets and hosted roadshows to ‘help inform what this new regulation means to each of the staff’.

Others might not be so ready. Think tank Parliament Street commissioned a report into the issue that concludes: ‘The NHS is struggling to prepare for GDPR’ (Parliament Street, 2018).

In February, its researchers sent Freedom of Information requests on NHS expenditure on GDPR preparation. In all, 46 trusts responded, reporting more than £1m spent; the biggest spenders had assigned more than £100,000 apiece, the lowest spenders just a few hundred.

The report also cites research from the Digital Health Alliance stating that only ‘55% of acute trusts and 47% of mental health trusts have an implementation plan for GDPR’ (Parliament Street, 2018).

Andrew Brenton says it must be the responsibility of managers to ‘drive cultural policy and technological changes down through an organisation’.

He adds: ‘It is as much about staff feeling empowered and knowledgeable as it is anything else. You can’t expect someone to do something if they’ve not been trained to do it.’


Top tips

There is plenty to consider in day-to-day practice, he adds, much of it ‘common sense’. His top tips include ‘don’t let your laptop out of your sight’ and ensuring all devices, including USB drives and mobile phones, have been ‘completely encrypted’. He also cautions against the pitfall of keeping the personal information of next of kin without their knowledge or permission.

Vigilance is key when it comes to personal data. As Elizabeth Denham puts it: ‘Don’t just shut the door. Lock it. Then check the locks. And be mindful about who you allow to have a key’ (ICO, 2018a).


Down the line

While there are ‘clearly important logistical challenges for healthcare professionals in preparing for the new regulations’, says Lord O’Shaughnessy, the changes mandated by the GDPR could have advantages for the NHS further down the line.

‘Let’s not lose sight of why this matters. In the 70 years since the NHS was created, clinicians and scientists have consistently approached data with the guiding principle that it can make a huge difference to patient care. And there is consensus now that this matters more than ever, not least as we seek to deliver fast, effective transfer of records helping to join up care for patients with complex and multiple conditions.

‘Yet we can only travel as fast and as far as the public’s confidence allows us, and in a volatile climate, where people are asking serious questions about the ethics of “big data”, the introduction of this new regulation – alongside the work already being done in the wake of Fiona Caldicott’s review – gives us definitive answers within healthcare.

‘By implementing the regulation, we can win permission to ensure more patients can benefit from an improved experience and better outcomes as a result of fully integrated and shared personal medical records.’ 


Need help with GDPR?

Visit the health sector-specific guidance on the ICO website at bit.ly/ICO_health or parts of the education section at bit.ly/ICO_education

Read the ICO’s eight myth-busting blogs about GDPR at bit.ly/ICO_myths

Call the ICO helpline on 0303 123 1113 or use the live chat service at bit.ly/ICO_chat


UK Authority. (2018) GDPR – what it means for the health and social care sector. See: ukauthority.com/news/7715/gdpr-what-it-means-for-the-health-and-social-care-sector (accessed 21 May 2018).

BMA. (2018) GPs as data controllers under the GDPR. See: bma.org.uk/advice/employment/ethics/confidentiality-and-health-records/gps-as-data-controllers (accessed 21 May 2018).

Information Commissioner’s Office. (2018a) Building the cyber security community. Elizabeth Denham’s speech at the National Cyber Security Centre’s CYBERUK 2018 event, Manchester Central, 12 April. See: ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/04/building-the-cyber-security-community (accessed 21 May 2018).

Information Commissioner’s Office. (2018b) General Data Protection Regulation (GDPR) FAQs for small health sector bodies. See: ico.org.uk/for-organisations/health/health-gdpr-faqs (accessed 21 May 2018).

Information Commissioner’s Office. (2017) GDPR – sorting the fact from the fiction. See: ico.org.uk/about-the-ico/news-and-events/blog-gdpr-sorting-the-fact-from-the-fiction/ (accessed 21 May 2018).

Parliament Street. (2018) Getting the NHS ready for the GDPR. See: parliamentstreet.org/wp-content/uploads/2018/04/Getting-the-NHS-Ready-for-the-GDPR-NEW-1.pdf (accessed 21 May 2018).

Public Health England. (2018) National Child Measurement Programme operational guidance 2017: addendum 2018. See: assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/691542/NCMP_GDPR_guidance.pdf (accessed 21 May 2018).

