What is GDPR?
GDPR is a new law that determines how your personal data is processed, kept safe and the legal rights that you have in relation to your own data. The new regulation applies from Friday 25th May 2018.
What GDPR will mean for patients/staff
- must be processed lawfully, fairly and transparently.
- collected for specific, explicit and legitimate purposes.
- must be limited to what is necessary for the purposes for which it is processed.
- must be accurate and kept up to date.
- must be held securely.
- can only be retained for as long as is necessary for the reasons it was collected.
- Being informed about how their data is used.
- To have access to their own data.
- To ask to have incorrect information changed.
- To restrict how their data is used.
- Move their patients/staff data from one organisation to another.
- To object to their personal information being processed (in certain circumstances).
GDPR will supersede the Data Protection Act. It is similar to the Data Protection Act (DPA) 1998, which the practice already complies with, but strengthens many of the DPA's principles.
The main changes are:-
- The Practice must comply with Subject Access Requests - a written signed request from an individual to see what information is held about them - like where we require your consent to process data. This must be freely given, specific, informed and unambiguous.
- New special protection for personal data.
- The Information Commissioner's Office must be notified within 72 hours of a data breach.
- Higher fines for data breaches.
What is personal data?
Personal data is information that is related to a single person, such as his/her name, age, medical history, diagnosis etc.
What is consent?
Consent is permission from patients/staff - an individual's consent is defined as:
- Any freely given
- Specific and informed
- Indication of his/her wishes by which the data subject (patients/staff) agrees to relevant personal data being processed.
The changes in GDPR mean that we must obtain explicit permission from patients/staff when using their data. This is to protect your right to privacy and we may ask you to provide consent to do certain things like contact you or record certain information about you in your clinical/staff records.
Individuals have a right to withdraw consent at any time.
Please see the links below for our GDPR compliant Privacy Notices and a SAR request form.
For further information about GDPR please refer to the Information Commissioner’s website: www.ico.org.uk
Data Protection Officer
This Practice have appointed Barry Jackson to be the Data Protection Officer (DPO).
He is employed by N3i and can be contacted through their service desk on phone: 0300 002 0001 or email: N3i.firstname.lastname@example.org