The European GDPR will come into force in the UK on 25 May 2018, replacing the current Data Protection Act 1998 ("DPA").
However, the GDPR is only a part of the overall data protection framework, and the Government has introduced the Data Protection Bill into Parliament, to become law in 2018. The new Data Protection Act will:
- Set out derogations from the GDPR in areas where Member States can create such provisions – for example around some exemptions;
- Cover those areas of law not covered by the GDPR so that there will be no gaps in the data protection regime in the UK.
The new data protection regime will apply to data controllers and processors, and will apply to general personal data as well as special categories of personal data (previously sensitive personal data under the DPA 1998).
The information below provides just a limited flavour of some aspects of that new regime.
Data Protection Principles
Under the GDPR the data protection principles (Article 5) set out organisational responsibilities. These are set out below. The GDPR requires that as an organisation you must be able to demonstrate compliance with the principles.
Article 5 of the GDPR requires that personal data shall be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals;
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- Accurate, necessary and kept up to date;
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed;
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage using appropriate technical or organisational measures.
As indicated, the GDPR makes clear that "the Controller shall be responsible for, and be able to demonstrate compliance with the principles".
General Personal Data and Special Categories of Personal Data
The GDPR applies to personal data. Within the NHS you should assume that if you hold information which falls within the scope of the current DPA, it will also fall within the scope of the GDPR and data protection legislation.
Special categories of personal data (essentially sensitive personal data under the current DPA) are recognised under the GDPR as they are under the DPA. The GDPR indicates in relation to the processing of special categories of personal data that:
"Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a person's sex life or sexual orientation shall be prohibited".
This starting point can be overridden subject to the application of conditions for the processing of both general personal data and special categories of personal data in an approach very similar to that currently operated within the DPA 1998.
The Processing of Data
General Personal Data
That being said, the conditions for the lawful processing of personal data (for which at least one condition must be met from those set out in Article 6 of the GDPR) do have some changes compared to the current data protection legislation.
Special Categories of Personal Data
Further, the processing of special categories of personal data must not only meet a condition from Article 6, but must also meet at least one condition from those set out in Article 9 of the GDPR. Again, the conditions are slightly different compared to what we have been used to, although the concept of needing to meet conditions for the processing of what was sensitive personal data (but is now special categories of personal data) in a health context is, in itself, not new.
The GDPR outlines in Article 23 areas in which Member States may place restrictions on individual obligations and rights in terms of data processing "as a necessary and proportionate measure" to safeguard national security, defence, public security and so on.
The Data Protection Bill therefore provides UK exemptions in relation to the processing of data in some circumstances, which includes, for example, in relation to crime and taxation, information required to be disclosed by law and more.
Overall there will continue to be lawful conditions and exemptions which will mean that personal data can, in the right circumstances, be disclosed and processed.
Likewise under the GDPR and the new data protection regime individuals will continue to have the right of access to their personal data.
The Right of Access
Under the GDPR individuals will have the right to obtain:
- Confirmation that their data is being processed;
- Access to their personal data.
In contrast to the current DPA 1998, this must be provided free of charge subject to a few limited exceptions.
The timescales for compliance with a subject access request are also changing. From 25 May 2018, information provided as a result of a subject access request must be provided without delay and at the latest within one month of receipt of the request, although that timescale can be extended within certain criteria.
The process for how information should be provided to the Applicant is also set out within the new legislative framework as well as the exemptions which can be applied to restrict disclosure of some data to the Applicant. In relation to the latter, the exemptions have largely been transposed from the current Data Protection Act 1998 with little modification.
Overall the GDPR provides new rights and strengthens existing rights for individuals. The above (right of access) is just one of many individual rights, including but not limited to the right to be informed, the right of access, the right of rectification, the right to erasure and the right to object, with which organisations must ensure legal compliance in their operation of the new data protection regime from 25 May 2018.
The above is just a flavour of some of the key areas with which you will need to ensure compliance from 25 May 2018. This is critical in the NHS, which deals on a daily basis with special categories of personal data.
The NHS must act to ensure that both it and its members of staff understand and comply with the practical realities of dealing with data processing and disclosure under the new regime from 25 May 2018 and must ensure that relevant staff have a good practical knowledge and are trained in applying and operating within the new legislative regime.
To do nothing risks potential breach of the GDPR with tougher penalties and possible substantial fines. The health sector is at high risk in terms of the nature of patient information and records held, and has a track record to suggest that steps should be taken now to ensure staff have confidence to apply and operate within the new legal regime as soon as it takes effect.
Free Seminar – London, Bristol and Birmingham
Bevan Brittan LLP will be running three free half-day seminars (10am to 1pm) at its London, Bristol and Birmingham offices in March 2018. The title of the seminar is 'A Practical Approach to the GDPR for the NHS'. There will also be an opportunity to network with colleagues.
Should you need any additional information about the seminar or any aspect of this article, please do contact Jane Bennett, Associate.