Data Protection and GDPR Compliance

Added on 2020/10/22
The impact of new GDPR regulation for GP Practices
TABLE OF CONTENTS
ISSUE
AIMS AND OBJECTIVES
LITERATURE REVIEW
GDPR regulations
Implications of GDPR on practices of general practitioners
Impact of GDPR regulation for patients and health care services
PROPOSED ACTION
EVALUATION OF ACTIONS AND REFLECTION ON PROCESS
REFLECTION
RECOMMENDATION
REFERENCES
APPENDIX
1 ISSUE
The General Data Protection Regulation (GDPR), enforceable since May 2018, has changed the data privacy and data management practices of general practitioners (GPs) and of health care organisations. The regulation applies to every organisation that processes the personal data of individuals in the EU. Compared with the earlier Data Protection Act, the GDPR widens the range of personal data that must be protected so that individuals' privacy and rights are safeguarded (Voigt and Von dem Bussche, 2017). Beyond commercial businesses, the regulation has significant implications for GP practices: health care professionals hold extremely personal records about their patients, including genetic information. The regulation therefore has a critical impact on GP practice and on health care services as a whole.
The GDPR principles introduce several enhancements over the existing Data Protection Act (DPA). Within health care services the regulation allows patients to access their personal health records and to decide the extent to which their data is shared. It covers both digital and physical records. The biggest issue for GPs is compliance: to meet the new regulation a practice has to make several changes to its working practices and care settings. It is therefore essential that GPs understand the scope of the GDPR so that patients' safety and privacy rights are secured.
The regulation applies to both data processors and data controllers, so general practitioners must understand the ways in which they may use the personal and health records of EU patients. This will require GPs to change their practices and to identify the challenges in health care settings that could hinder the integration of the new legislation into their work (Lovell and Foy, 2018). To make data sharing fair and cost effective, GPs will also need to assess their practices so that legal requirements are not violated and the necessary changes can be made.
Apart from the GDPR, the UK also has a Data Protection Act that aims to assure the privacy of user data, which may include contact details, account details and biometric information. The Data Protection Act applies to the UK only, whereas the GDPR is broader and applies to all member states of the European Union. The Data Protection Act was concerned with information that identifies an individual, whereas the new regulation also covers genetic information, location data, identifying marks and other biological parameters. The earlier Data Protection Act exercised little control over, or monitoring of, the data used by general practitioners and health care services. The GDPR, by contrast, regulates how GPs store, use and disclose the data of service users.
2 AIMS AND OBJECTIVES
The aim and objectives of the study are as follows:
Aim
To analyse and propose solutions regarding the impact of the new GDPR regulation on GP practice.
Objectives:
To analyse the implications of the GDPR for GPs.
To evaluate the impact of the GDPR on health services and patients.
To evaluate possible actions and solutions in response to the GDPR in the health care practices of GPs.
To recommend appropriate solutions for GPs to meet GDPR requirements.
To reflect upon the impact of the GDPR and the proposed solutions.
3 LITERATURE REVIEW
1 GDPR regulations
The GDPR protects the personal and sensitive data of individuals. According to Goddard (2017), GPs hold sensitive personal health records of their patients, and so the regulation must be complied with in the services GPs provide. The most significant change introduced by the regulation is that it has widened the role of general practitioners as data controllers. Personal data under the GDPR includes identifiers such as name, IP address and NHS number, as well as special category data such as health status and health records.
Several studies suggest that GDPR compliance must be demonstrable within health care settings, and so several processes must be put in place. Sousa et al. (2018) state that under the new regulation GPs will be required to maintain up-to-date records along with effective data protection policies. Data protection officers have become mandatory so that GP practices can be made more accurate and reliable. The regulation aims to encourage the safe and easy flow of individuals' sensitive data. The GDPR also ensures that general practices do not impose fees or financial restrictions on patients who ask for access to their health records. Prior studies have found that general practitioners do not take security breaches or database-related issues seriously; the regulation therefore obliges general practitioners to monitor data security and access.
In the view of Rumbold and Pierscionek (2017), the regulation aims to ensure people's privacy, but the practice must also ensure that its privacy notice states a lawful basis so that information can be processed accurately and safely. The regulation also emphasises that every patient must be told how their personal details are used by the GP. It therefore becomes necessary for GPs to inform patients about the use of their personal information and, where consent is the lawful basis relied on, to obtain informed consent. The regulation highlights the need for greater accountability from GPs and for a more effective governance network for data protection.
2 Implications of GDPR on practices of general practitioners
In the view of Otto (2018), the GDPR has a critical impact on the existing policies and practices followed by GPs. General practitioners also share and process their patients' details with other bodies, such as national health agencies or organisations conducting health research or working to improve health outcomes.
Lindgren (2016) states that the GDPR sets guidelines so that GPs are accountable for how their use of data serves the public welfare without harming the privacy and identity of the individual. Before sharing data, GPs must inform their patients how they can raise any concern. The data processing practices of general practitioners must follow the principles of accuracy, accountability, integrity, confidentiality and transparency. With the GDPR in force in clinical settings, GPs are regularly monitored to ensure that data is maintained and stored in a manner, and for the period, that is necessary and lawful.
According to Chassang (2017), the GDPR has not only influenced GP practice but has also required GPs to determine and implement suitable organisational and technical measures to protect against unauthorised and unlawful processing. Another important implication is that, alongside controlling authorised access to data, GPs are also liable for its destruction and accidental loss. Since general practitioners hold and control genetic and biological information, it is mandatory for GPs to ensure that their care settings are capable of preventing such accidental loss.
3 Impact of GDPR regulation for patients and health care services
According to the GDPR Information Pack (2019), the key objective of the GDPR is to give individuals more authority and control over their personal data. Patients therefore have the right to object to their records being shared with external agencies or other individuals. However, this can have serious implications for health professionals, as the deletion of health records can have serious consequences for patients as well as communities. For instance, a patient with a serious communicable infection such as HIV may object to the GP keeping their data, which could leave other people more exposed to infection.
In the view of Wachter, Mittelstadt and Floridi (2017), the GDPR will also benefit patients, as it will help GPs to enhance the quality of their services. Since practitioners will hold records of patients' medical history, they will be able to provide more accurate health care on the basis of those records. Proper management of data also helps national health agencies to analyse the data and formulate suitable health improvement strategies.
4 Possible actions and solutions in response to GDPR
The foremost change identified is the need for a data protection officer (DPO). GP service providers are public bodies accountable to the public and so must appoint a DPO, so that expert knowledge of data protection law and policy is embedded in GP practice. Carey (2018) states that developing systems and an organisational culture for secure data management can be challenging in terms of cost and skills. GPs must therefore provide suitable training to staff so that they can integrate the new regulation into their practice (Rumbold and Pierscionek, 2017). Staff are accountable to the DPO and must be trained well enough to report data management concerns effectively. Through training programmes and regular monitoring the DPO will ensure that every GP and staff member is aware of the type and nature of the information they store or access. After the implementation of the GDPR there will be regular tracking and monitoring of the information stored in user systems.
4 PROPOSED ACTION
To address the implications of the GDPR, training is necessary so that GPs can ensure that patient data is shared and stored lawfully and that patients' privacy and security are not threatened. Health service providers must therefore initiate training programmes. These will help GPs to understand the concepts and principles of the GDPR, to recognise current organisational resources and to identify the most appropriate data processing and control tools (Hertzberg, 2018).
Practitioners must train other members of staff so that organisational needs and data flows can be mapped and the GDPR effectively implemented. A further advantage of such training plans is that they help GPs to develop suitable policies for data monitoring, transfer and handling, so that all aspects of the GDPR are integrated into practice. To make the transition more effective, training should also cover the gap between existing data policies and the new GDPR requirements; this helps to identify the changes that need to be made. Training will also assist in formulating policies for regular monitoring of data, and of how health service providers handle it, so that the goals of the GDPR are achieved.
5 EVALUATION OF ACTIONS AND REFLECTION ON PROCESS
The actions discussed above can be considered effective. Most GPs and other health professionals may not be aware of the actual implications of the GDPR, so action to make them aware of the regulation is mandatory and highly effective. However, general practitioners cannot effectively implement a new and improved data processing system without a suitable analysis of the organisation. Training programmes can provide complete guidance on implementing and using such a system.
The existing data management systems of health care settings are not sufficient for this type of controlled processing (Phillips, 2018). An assessment of organisational resources can therefore help GPs to evaluate the current position and to identify the necessary changes to practice. The GDPR is also an extended version of existing data protection policy, so several of its principles are already followed by practitioners. Training programmes will help each GP within the organisation to understand their own impact and role.
Developing new policies in compliance with data protection law is also an effective action. Data breaches and unauthorised practices cannot be avoided without the support and cooperation of other service providers, so the choice to train GPs and other professionals is also beneficial (Lambrinoudakis, 2018). However, training may not prove effective until the professional skills of individuals have been identified. To improve the efficiency of training sessions, GPs must also ensure that the training and development programmes are designed to improve the professional capability of individuals.
However, the current policies and training programmes do not include any schemes that make GPs proficient in data management and processing. Management must communicate with service users, general practitioners and other stakeholders so that every individual is aware of the ongoing development and improvement process. Furthermore, the suggested actions do not consider system efficiency or the technological advances that can affect data privacy and the role of users in maintaining data integrity.
For instance, patient consent is obtained through an online form, but some service users, such as minors or individuals with critical illnesses, may not be able to use or accept that process (Tikkinen-Piri, Rohunen and Markkula, 2018). GPs must therefore develop policies to handle such cases. Within training programmes, practitioners and employees must be trained to manage online records and systems. The proposed actions also consider the legal perspective of the regulation; however, data processing and management may give rise to conflict between GPs and service users, so the actions must also include suitable policies for conflict situations.
Within the health care profession the interests of one individual may collide with those of another, and it then falls to the GP or the patient to decide how data is shared and processed. Such conflicts occur when service users are not willing to share their records (Wilkinson, 2018). For dealing with these conflicts, an action plan with strong legislative support is highly appropriate. The data mapping used in the implementation is also a significant and integral part of GDPR compliance, as it helps to assess and monitor the ethical and lawful flow of data securely.
6 REFLECTION
Time management is an important part of conducting any study. However, by improving and using suitable approaches, time management can be improved and the efficiency of the study outcomes can be encouraged. While conducting the study I tried to follow a well-planned structure so that I could accomplish my tasks on time. Though I experienced difficulties in analysing and understanding the issue, I gradually improved my research skills. The study also helped me to enhance my research capabilities and to explore different aspects associated with the study topic. Through the report I also understood what significant changes can be introduced by data protection regulation. As part of the health care sector, the study has helped me to gain the perspective of patients as well as regulatory authorities towards data protection.
The study has helped me to explore the extent to which data management will change in health care practices. I also learned the difference between the Data Protection Act and the GDPR and how the new act will influence the actions of GPs. I have also attached a time frame in the appendix to demonstrate the time management I used to accomplish this project.
7 RECOMMENDATION
In the context of the issue identified and the suggested actions, it is recommended that both service users and general practitioners understand the importance of and need for the GDPR (Voss, 2016). GPs must provide training to staff members so that security breaches can be managed effectively by service providers. The major challenges in implementing training programmes for GPs are awareness and budget. In my opinion the training needs to include all general practitioners. However, there are several budget limitations which make it difficult to provide training to all members, so there is a need to prepare a cost-effective training plan. In addition, I can also find it hard to manage the schedule, because with a highly engaged schedule it can be tough to participate in training programmes. It is also recommended that, when analysing the data flow within the organisation, GPs take service users, service vendors and other stakeholders into consideration. This will help to minimise threats to data security arising from technical errors or negligence. Further, GPs must employ systems and software that integrate and align organisational goals, public welfare and the GDPR.
Further, in order to improve my learning skills I can discuss the regulation with other GPs and service providers. Though improvement in planning skills can help to enhance learning, there is a need to assess and regularly improve time management so that data collection can be enhanced (Cornock, 2018). To improve the innovation and quality of findings, it is also recommended to explore a variety of secondary sources and primary research so that realistic situations and GP practices can be identified.
8 REFERENCES
Books and Journals
Carey, P., 2018. Data protection: a practical guide to UK and EU law. Oxford University Press.
Chassang, G., 2017. The impact of the EU general data protection regulation on scientific
research. Ecancermedicalscience. 11.
Cornock, M., 2018. General Data Protection Regulation (GDPR) and implications for
research. Maturitas. 111. p.A1.
Goddard, M., 2017. The EU General Data Protection Regulation (GDPR): European regulation
that has a global impact. International Journal of Market Research. 59(6). pp.703-705.
Hertzberg, J., 2018. GDPR AND INTERNAL AUDIT: Auditors can help their organization
navigate the compliance risks posed by Europe's General Data Protection
Regulation. Internal Auditor, 75(4), pp.22-24.
Lambrinoudakis, C., 2018, September. The General Data Protection Regulation (GDPR) Era:
Ten Steps for Compliance of Data Processors and Data Controllers. In International
Conference on Trust and Privacy in Digital Business (pp. 3-8). Springer, Cham.
Lindgren, P., 2016. GDPR regulation impact on different business models and
businesses. Journal of Multi Business Model Innovation and Technology. 4(3). pp.241-
254.
Lovell, M. and Foy, M.A., 2018. General Data Protection Regulation May 2018 (GDPR) How
does it affect us?. Bone & Joint 360. 7(4). pp.41-42.
Otto, M., 2018, September. Regulation (EU) 2016/679 on the protection of natural persons with
regard to the processing of personal data and on the free movement of such data (General
Data Protection Regulation–GDPR). In International and European Labour Law (pp.
958-981). Nomos Verlagsgesellschaft mbH & Co. KG.
Phillips, M., 2018. International data-sharing norms: from the OECD to the General Data
Protection Regulation (GDPR). Human genetics. 137(8). pp.575-582.
Rumbold, J.M.M. and Pierscionek, B., 2017. The effect of the general data protection regulation
on medical research. Journal of medical Internet research. 19(2). p.e47.
Sousa, M. and et.al., 2018. OpenEHR Based Systems and the General Data Protection
Regulation (GDPR). Building Continents of Knowledge in Oceans of Data: The Future of
Co-Created eHealth.
Tikkinen-Piri, C., Rohunen, A. and Markkula, J., 2018. EU General Data Protection Regulation:
Changes and implications for personal data collecting companies. Computer Law &
Security Review. 34(1). pp.134-153.
Voigt, P. and Von dem Bussche, A., 2017. The EU General Data Protection Regulation
(GDPR). A Practical Guide, 1st Ed., Cham: Springer International Publishing.
Voss, W.G., 2016. European union data privacy law reform: General data protection regulation,
privacy shield, and the right to delisting. Business Lawyer. 72(1). pp.221-233.
Wachter, S., Mittelstadt, B. and Floridi, L., 2017. Why a right to explanation of automated
decision-making does not exist in the general data protection regulation. International
Data Privacy Law. 7(2). pp.76-99.
Wilkinson, G., 2018. General Data Protection Regulation: No silver bullet for small and
medium-sized enterprises. Journal of Payments Strategy & Systems. 12(2). pp.139-149.
Online
GDPR Information pack. 2019. [Online]. Available at: <http://www.llrlmc.co.uk/gdprinformationpack>
9 APPENDIX
Time management
Week 1
Action: Choosing the research topic and developing aims and objectives
Reflection: At first I was very confused about choosing a suitable topic. However, I then thought that GDPR will affect all individuals, as health services are crucial to all, so I chose this topic.
Week 2
Action: Exploring the impact of GDPR on GPs
Reflection: To complete this action quickly I searched a variety of journals, articles and secondary sources.
Week 3
Action: Identifying challenges for implementation of GDPR
Reflection: To identify the challenges, alongside the secondary sources I interacted with GPs and other staff members and analysed the actual difficulties they faced in implementing GDPR.
Week 4
Action: Evaluating literature search
Reflection: To enhance support for my findings I referred to quality literature sources. The selection of relevant and specific sources saved my time and helped me to gain quality findings.
Week 5
Action: Implementation of GDPR
Reflection: It was quite challenging, but support from relevant knowledge resources and organisational culture helped me to accomplish this action.
Week 6
Action: Communication with staff members
Reflection: It helped me to identify the drawbacks; however, it can be improved by employing a feedback mechanism so that issues can be identified and resolved.
Appendix 2
GDPR Policy – Consent
Document Control
A. Confidentiality Notice
This document and the information contained therein is the property of Freuchen Medical
Centre.
This document contains information that is privileged, confidential or otherwise protected
from disclosure. It must not be used by, or its contents reproduced or otherwise copied or
disclosed without the prior consent in writing from Freuchen Medical Centre.
Brief
The General Data Protection Regulation (GDPR) came into effect in the UK from May 2018 and, together with the Data Protection Act 2018, replaces the Data Protection Act 1998 (DPA).
The GDPR sets a high standard for consent. It builds on the DPA standard of consent
in a number of areas and it contains significantly more detail that codifies existing
European guidance and good practice.
This policy details our approach to compliance and discusses what counts as valid
consent. It also provides practical help to decide when to rely on consent, and when
to look at alternatives. This policy relates to consent with regards to processing
data only.
For consent to medical treatment, please refer to our Consent Policy.
About this policy
This policy should be read in conjunction with the other GDPR related policies
concerning data processing to give more detailed, practical guidance on
consent under the GDPR.
The GDPR sets a high standard for consent. Consent means offering patients
genuine choice and control over how we use their data. When consent is used
properly, it helps us build trust and enhances our reputation.
This policy will explain when to rely on consent for processing and when to look
at alternatives. It explains what counts as valid consent, and how to obtain and
manage consent in a way that complies with the GDPR.
The policy sets out how the Information Commissioner’s Office (ICO) interprets
the GDPR, and our general recommended approach to compliance and good
practice.
Summary
Consent must be unambiguous and involve a clear affirmative action.
Consent should be separate from other terms and conditions. It should not generally be a precondition of signing up to a service.
The practice will not use pre-ticked opt-in boxes.
Granular consent is required for distinct processing operations.
We must keep clear records to demonstrate consent.
Patients have the right to withdraw consent, and we must offer them easy ways to withdraw consent at any time.
If we have relied on consent for processing, patients have the right to erasure.
Consent should only be used as the legal basis for data processing if there is no other alternative.
Why is consent important?
What role does consent play in the GDPR?
For processing to be lawful under the GDPR, we need to identify (and document) our lawful basis for the processing. There are six lawful bases listed in Article 6(1), which are:
Consent
Contractual Necessity
Compliance with Legal Obligations
Vital Interests
Public Interest or in exercise of official authority
Legitimate interests (this does not apply to a public authority performing its tasks, and should therefore not be used by the practice as a legal basis for data processing)
As an NHS organisation, it is likely that the majority of data processed by the practice will be health related. This is considered special category (sensitive) data.
If you want to process special category (sensitive) personal data, you also need to apply one of the conditions in Article 9(2). 'Explicit consent' is one option for legitimising the use of special category data. The others are:
Employment, social security and social protection law
Vital Interests
Charity or not-for-profit bodies
Manifestly made public by the data subject
Legal Claims
Substantial public interest
Health and Social Care
Public Health
Archiving, historical research, statistical or scientific purposes
Consent can also legitimise restricted processing, and explicit consent can
legitimise automated decision-making (including profiling), or overseas transfers
by private-sector organisations in the absence of adequate safeguards.
If you rely on consent, this will affect individuals’ rights. People will generally
have stronger rights when processing is based on consent – for example, the
right to erasure (also known as ‘the right to be forgotten’) and the right to
data portability. It is therefore essential that consent be only used as the legal
basis for data processing when there is no suitable alternative. In most
instances where data is processed for the purpose of healthcare, consent is
not required to be the legal basis.
Consent is only appropriate if we can offer patients real choice and control over how we use their data, and want to build their trust and engagement. If we cannot offer a genuine choice, consent is not appropriate. If we would still process the personal data without consent, asking for consent is misleading and inherently unfair.
What are the penalties for getting it wrong?
Making mistakes around consent could leave the practice at risk of substantial fines
under the GDPR. Article 83(5)(a) states that infringements of the basic principles for
processing personal data, including the conditions for consent, are subject to the
highest tier of administrative fines. This could mean a fine of up to €20 million, or
4% of total worldwide annual turnover, whichever is higher.
When are we likely to require consent?
There will be times when it is appropriate to rely on consent as the legal basis.
These include, but are not limited to:
Subject Access Requests
Sharing information for research purposes
Disclosing information to a third party
Sharing information in an unexpected or intrusive way
Sharing information for a purpose other than healthcare
Sharing information for marketing purposes
In these instances consent should always be explicit. This means the patient (or
their representative if they have legal authority, or parental responsibility), has
signed a document to confirm they fully understand what information will be
disclosed. There is more information on capacity & consent for children below.
Processing data without consent
If you would still process the data (e.g. record the details of a consultation) then
consent cannot be the legal basis for processing the data. In this instance the
patient cannot choose for information they have disclosed to the clinician to be
omitted. It is also unlikely that the information would ever be erased, so the patient
does not have a ‘choice’. In this instance, seeking consent from the patient is
misleading and inherently unfair. Instead we should inform the patient of how we
will process their data, to ensure fairness and transparency.
Using Consent as the legal basis for data processing
The GDPR sets out the following requirements for using consent as a legal basis:
Consent must be freely given; this means giving patients genuine
ongoing choice and control over how you use their data.
Consent must specifically cover the controller’s name (the Practice).
We must also name any third parties who will be relying on consent.
Consent must cover the purposes of the processing and the types of
processing activity. When required there should be granular options,
e.g. we should list each separate part, and the patients should
confirm consent for each
Consent requests must be prominent, unbundled from other terms
and conditions, concise and easy to understand, and user-friendly.
Consent should be obvious and require a positive action to opt in.
The patient has the right to withdraw consent at any time and we
should provide details of how they can do this.
Explicit consent must be expressly confirmed in words, rather than
by any other positive action. Explicit consent should always be
obtained when processing healthcare (sensitive) data.
Information provided to patients should be prominent, concise and in
plain language. It should not be included in ‘terms and conditions’ of
service.
There is no set time limit for consent. How long it lasts will depend on
the context. You should review and refresh consent as appropriate.
Unambiguous indication (by statement or clear affirmative action)
It must be obvious that the patient has consented, and what they have consented
to. This requires more than just a confirmation that they have read terms and
conditions – there must be a clear signal that they agree. If there is any room for
doubt, it is not valid consent.
Therefore all consent documentation created by the practice should include tick
boxes for the patient to “opt in” or have a clearly worded written statement for
them to sign.
The practice will never use pre-ticked ‘opt in’ or ‘opt out’ boxes.
How long does consent last?
The GDPR does not set a specific time limit for consent. Consent is likely
to degrade over time, but how long it lasts will depend on the context.
We need to consider the scope of the original consent and the individual’s
expectation. If in doubt, please speak to the practice’s Data Protection Officer (DPO)
or the Caldicott Guardian.
If the patient withdraws consent, we need to cease processing as soon as possible
in the circumstances unless you have another lawful basis. This does not affect the
lawfulness of the processing up to that point.
Parental consent will always expire when the child reaches the age at which they
can consent for themselves. We therefore should review and refresh children’s
consent at appropriate milestones. If in doubt, please speak to the practice’s Data
Protection Officer (DPO) or the Caldicott Guardian.
Capacity to consent?
The GDPR does not contain specific provisions on capacity to consent, but issues of
capacity are bound up in the concept of ‘informed’ consent.
Generally, we can assume that adults have the capacity to consent unless we have
reason to believe the contrary (e.g. diagnosis of dementia). If in doubt, you should
speak to the Practice’s Caldicott Guardian.
It may be that you do have reason to believe that someone lacks the capacity to
understand the consequences of consenting and so cannot give informed consent. If
so, a third party with the legal right to make decisions on their behalf (e.g. under a
Power of Attorney) can give consent. A copy of the POA should be stored in the
medical record. We need to ensure that the POA relates to health and welfare, and
not just property and financial affairs.
Children’s consent
There are no global rules on children’s consent under the GDPR. If however, we are
relying on consent rather than another lawful basis for the processing, we must get
parental consent for all children under 13. For those 13 – 16 parental responsibility
may still apply. You should therefore seek advice from the practice DPO or Caldicott
Guardian if you have any doubt about the patient’s capacity to consent. They will
consider whether the individual child has the competence to understand and
consent for themselves (the ‘Gillick competence test’).
The practice needs to ensure there are age-verification measures in place for
children, e.g. if we are registering a child who has not previously been registered
with the NHS, you should ask to see the birth certificate or passport to confirm the
age of the patient.
We are also expected to make ‘reasonable efforts’ to verify parental responsibility
for those under the relevant age.
Writing a consent request
Consent requests need to be prominent, concise, and easy to understand and
separate from any other information such as general terms and conditions. All
consent requests need to use clear, straightforward language, and adopt a simple
style that patients find easy to understand – this is particularly important if you are
asking children to consent. In this instance we need to prompt parental input and
consider age-verification and parental-authorisation issues.
What information should you include?
Consent must be specific and informed. As a minimum, a consent request must
include:
The name of the practice and the names of any third parties who will rely on
the consent – consent for categories of third-party organisations will not be
specific enough;
Why you want the data (the purposes of the processing);
What you will do with the data (the processing activities); and
That the patient can withdraw their consent at any time. It is good practice to
tell them how to withdraw consent.
Just in time notices
You could also consider using ‘just-in-time’ notices. These work by appearing on-screen
at the point the person inputs the relevant data, with a brief message about
what the data will be used for. This will help you provide more information in a
prominent, clear and specific way to ensure that consent is informed. However, you
will need to combine the notices with an active opt-in and ensure this is not unduly
disruptive to the user. This may be used when booking appointments in the locality hub.
The patient can give consent verbally in these situations, as long as they are fully
informed. This consent should then be recorded in the patient record.
What methods can you use to obtain consent?
Whatever method you use must meet the standard of an unambiguous indication
by clear affirmative action. This means you must ask patients to actively opt in.
Examples of active opt-in mechanisms include:
Signing a consent statement on a paper form;
Ticking an opt-in box on paper or electronically;
Clicking an opt-in button or link online;
Responding to an email requesting consent;
Answering yes to a clear oral consent request;
Volunteering optional information for a specific purpose – e.g. filling optional
fields in a form
We cannot rely on silence, inactivity, pre-ticked boxes, opt-out boxes, default
settings or a blanket acceptance of terms and conditions.
The GDPR does not specifically ban opt-out boxes but they are essentially the same
as pre-ticked boxes, which are banned. Both methods bundle up consent with other
matters by default, and then rely on inactivity. The usual reason for using opt-out
boxes is to get more people to consent by taking advantage of inaction – but this is
a clear warning sign of a problem with the quality of the consent. We should
instead use specific opt-in boxes (or another active opt-in method) to obtain
consent.
How should you record consent?
Article 7(1) says:
Where processing is based on consent, the controller shall be able to
demonstrate that the data subject has consented to processing of his or her
personal data.
This means we must have an effective audit trail of how and when consent was
given, so we can provide evidence if challenged. Our records must demonstrate the
following:
Who consented: the name of the individual, or other identifier (e.g.,
online user name, session ID).
When they consented: a copy of a dated document, or online records that
include an audit trail or timestamp. For oral consent there should always be
a record of the time and date of the conversation.
What they were told at the time: ideally a scanned copy of the
document or a master copy of the data capture form containing the consent
statement in use at that time, along with any separate privacy policy,
including version numbers and dates matching the date consent was given.
If consent was given orally, your records should include a copy of the script
used at that time.
How they consented: for written consent, a copy of the relevant
document or data capture form. If consent was given online, the records
should include the data submitted as well as a timestamp to link it to the
relevant version of the data capture form. If consent was given orally, we
should keep a note of this made at the time of the conversation - it doesn’t
need to be a full record of the conversation.
Whether they have withdrawn consent: and if so, when.
How should you manage consent?
We will require new consent if anything changes – for example, if the processing
operations or purposes for requesting the information changes, the original consent
may not be specific or informed enough.
If we relied on parental consent, we will also need to refresh consent as the children
grow up and can consent for themselves. If we are in any doubt about whether the
consent is still valid, speak to the DPO or Caldicott Guardian.
We should also consider whether to automatically refresh consent at appropriate
intervals. How often it’s appropriate to do so will depend on the particular context,
including patient’s expectations, whether they are in regular contact, and how
disruptive repeated consent requests would be to the patient. In most cases we will
refresh consent at a maximum of every two years.
How should you manage the right to withdraw consent?
The GDPR gives people a specific right to withdraw their consent, which can be
done ‘at any time’. We should not make this in any way difficult for patients.
Withdrawal of consent can be made orally or in writing. We should ensure we record
the withdrawal in the record, and this should include who has withdrawn consent,
and the time and date of this. If possible, we should also record the reason why
consent is being withdrawn.
The GDPR does not prevent a third party acting on behalf of an individual to
withdraw their consent, but we need to be satisfied that the third party has the
authority to do so.
If someone withdraws their consent, this does not affect the lawfulness of the
processing up to that point. However, it does mean we can no longer rely on
consent as the lawful basis for processing. We either need to stop the processing or
identify another lawful basis and be able to justify why continued processing is fair.
We must include details of the right to withdraw consent in our privacy notices and
consent requests.
Checklist
Asking for consent
We have checked that consent is the most appropriate lawful basis for
processing.
We have made the request for consent prominent and separate from our
terms and conditions.
We ask people to positively opt in.
We don’t use pre-ticked boxes, or any other type of consent by default.
We use clear, plain language that is easy to understand.
We specify why we want the data and what we’re going to do with it.
We give granular options to consent to independent processing
operations.
We have named our practice and any third parties.
We tell individuals they can withdraw their consent.
We ensure that the individual can refuse to consent without detriment.
We don’t make consent a precondition of a service.
If we offer online services directly to children, we only seek consent if we
have age-verification and parental-consent measures in place.
Recording consent
We keep a record of when and how we got consent from the individual.
We keep a record of exactly what they were told at the time.
Managing consent
We regularly review consents to check that the relationship, the
processing and the purposes have not changed.
We have processes in place to refresh consent at appropriate intervals,
including any parental consents.
We make it easy for patients to withdraw their consent at any time, and
publicise how to do so.
We act on withdrawals of consent as soon as we can.
We don’t penalise patients who wish to withdraw consent.
Appendix 3
DATA PROTECTION & GDPR
This document explains the provisions of the GDPR, helping practices understand and comply
with its requirements.
The new Data Protection Bill (DPB) currently going through Parliament will transpose the GDPR
into UK law, and FPM will continue to add further updates and resources to this document as
more information becomes available.
The information in this section will help you and your practice comply with data protection
regulations by protecting the information that is stored, collected and shared by the organisation.
The Data Protection Act 1998 is an act of UK Parliament that ensures information collected by
organisations is used fairly, stored safely and not disclosed to any other person unlawfully.
The GDPR is European Union (EU) legislation through which the European Parliament, the Council of
the EU and the European Commission intend to strengthen and unify data protection for all
individuals within the EU. This change in legislation intends to strengthen and unify data protection
rights for all citizens residing within the EU, as well as addressing the export of data outside of the
EU.
It will be implemented into UK law before the UK leaves the EU, and will almost certainly remain in
place after Brexit.
1. What is the current position? The principles under the Data Protection Act
2. Introducing the General Data Protection Regulations (GDPR)
3. What is changing? The principles under the General Data Protection Regulations
4A. What is changing under the GDPR? Obligations
4B. What is changing under the GDPR? Consent and the lawful processing of personal data
4C. What is changing under the GDPR? Enhanced employee privacy and individual rights
5. What is the current position under the DPA? The employee file & data protection
6. Breach notification
7. Accountability
8. Data Subject Access requests
9. Data protection definitions
1. What is the current position? The principles under the Data Protection Act
Anyone processing personal data must comply with the eight enforceable principles of good
practice:
One: The information to be contained in personal data shall be obtained, and personal
data shall be processed, fairly and lawfully.
Two: Personal data shall be held only for one or more specified lawful purposes.
Three: Personal data held for any purpose or purposes shall not be used or disclosed in
any manner incompatible with that purpose or those purposes. The data shall be
adequate, relevant and not excessive in relation to that purpose or those purposes.
Four: Personal data shall be accurate and, where necessary, kept up to date.
Five: No data shall be kept for longer than is necessary for those purposes.
Six: An individual shall be entitled, at reasonable intervals and without undue delay or
expense, to be informed by any data user whether they hold personal data of which that
individual is the subject; and they can have access to any such data held by a data user,
which may incur an administration charge.
Seven: An individual shall be entitled, where appropriate, to have such data corrected
or erased. Appropriate security measures shall be taken against unauthorised access to,
or alteration, disclosure or destruction of, personal data and against accidental loss or
destruction of personal data.
Eight: Personal data held for any purpose or purposes shall not be transferred to
countries without adequate protection.
In accordance with the Data Protection Act 1998, the Practice will only process data on the
following basis:
If the data subject has given consent
If it is necessary in relation to the performance or formation of contracts in relation to
the data subject
If it is required under a legal obligation
If it is necessary to protect the vital interests of the data subject
If it is necessary to carry out public functions
If it is necessary to pursue the legitimate interests of the data controller or third party
(unless it could prejudice the data subject’s interests)
Sensitive personal data will only be processed:
With explicit consent of the data subject
If the data subject has made the information public
If the data is required by law and is in respect of employment purposes
If it is necessary in order to protect the vital interests of the data subject or another
In relation to the administration of justice or legal proceedings
For medical purposes by health professionals
In order to safeguard racial equality
2. Introducing the General Data Protection Regulations (GDPR)
A new Data Protection Bill ("DPB") in the UK will enact the General Data Protection Regulations
with effect from 25 May 2018. The Information Commissioner's Office, responsible for regulating
data use in the UK, has stated that the introduction of the new legislation is “the biggest change
to data protection law for a generation". They go on to say that "if your organisation cannot
demonstrate that good data protection is a cornerstone of your business policy and practices,
you are leaving your organisation open to enforcement action that can damage both public
reputation and bank balance.”
They have advised that their primary focus will be safeguarding customer and client data, and
most organisations have good grounds for requesting, retaining and processing employee data.
However, this does not exempt GP practices from having to comply. In addition to the financial
risks of the practice not complying with data protection law, individuals will also have greater
rights to challenge the organisation’s use of their data, which could lead to costly legal action.
Introduction to the GDPR (ICO): ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
12 Steps to Prepare for GDPR (ICO): ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
If you are having trouble opening a link, copy and paste it into your internet browser's address bar.
3. What is changing? The principles under the General Data Protection Regulations
Below are the key principles under GDPR, which all organisations must comply with when
processing employee personal data:
Three of these are consistent with the Data Protection Act:
Purpose Limitation - Personal information is collected for specific, explicit and
legitimate purposes
Storage Limitation - Personal information is retained for only as long as is necessary
Integrity and Confidentiality - Personal information is processed in a way that ensures
appropriate security of the data
Three of these have been further strengthened under GDPR:
Lawfulness, fairness and transparency – The fair, lawful and transparent processing of
personal information
Data minimisation – Stored personal information is “adequate, relevant and limited to
what is necessary.”
Accuracy - Stored personal information is “accurate and, where necessary, kept up to
date”
A new principle has also been introduced:
Accountability - “the controller shall be responsible for, and be able to demonstrate,
compliance with the principles.”
4. a) What is changing under the GDPR? Obligations
Privacy measures will now need to be built into all data processing activities to identify privacy
problems at an early stage. These measures will be embedded throughout the employee life
cycle.
Practices will need to show that they have considered and integrated data protection into
processing activities at every level, including raising awareness of privacy and data protection
within the practice. The result is that your activities are less likely to be privacy intrusive,
enabling you to meet your legal obligations and avoid breaching GDPR.
Checklists for Data Controllers and Data Processors (ICO):
ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/getting-ready-for-the-gdpr/
Self-Assessment Tool (ICO):
ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/
4. b) What is changing under the GDPR? Consent and the lawful processing of personal
data
In order to process employee data, you must meet at least one of the following criteria for each
piece of data:
The data subject has given explicit written consent to their data being processed, which
they have the right to withdraw.
The data is being processed for the performance of a contract with the data subject
(such as staff administration), or the data is being processed at the request of the data
subject prior to entering into a contract (such as reference checks)
The data is being processed in compliance with a legal obligation (such as HMRC, PAYE,
sick pay and auto enrolment)
The data is being processed to protect the individual’s ‘vital interests’. This condition
only applies in cases of life or death, such as where an individual’s medical history is
disclosed to a hospital’s A&E department treating them after a serious road accident.
The data is being processed in the exercise of official authority, covering public functions
and powers that are set out in law, or to perform a specific task in the public interest
that is set out in law.
The data is being processed in pursuit of the employer’s ‘legitimate interests’ (such as
transmitting personal data within the company for internal admin purposes)
The ICO have advised employers not to use consent as the basis to process employee data if
they have another legal basis under GDPR, e.g. ‘the performance of the contract’ or
‘compliance with a legal obligation’ are likely to be the strongest grounds, depending on the
type of data.
4. c) What is changing under the GDPR? Enhanced employee privacy and individual rights
Under the new legislation, the employee will have the following personal data rights:
The right to be informed – data processors must provide ‘fair processing information’,
usually through a privacy notice.
The right of access – GDPR gives enhanced rights of Data Subject access. They are
entitled to more information than under the DPA. In general, no fee can be charged by a
Data Controller for providing a Data Subject with copies of their personal data and the
timescale for a Data Controller to respond to a request will now be one month.
The right to rectification - The GDPR gives individuals the right to have personal data
rectified if it is inaccurate or incomplete.
The right to erasure - GDPR provides Data Subjects with a new enhanced right to
request erasure of their personal data.
The right to restrict processing - Individuals have a right to ‘block’ or suppress processing
of personal data.
The right to data portability - The right to data portability allows individuals to obtain
and reuse their personal data for their own purposes across different services. It allows
them to move, copy or transfer personal data easily from one IT environment to another
in a safe and secure way, without hindrance to usability.
The right to object - Individuals have the right to object to: processing based on
legitimate interests or the performance of a task in the public interest/exercise of
official authority (including profiling); direct marketing (including profiling); and
processing for purposes of scientific/historical research and statistics.
Rights in relation to automated decision making and profiling - for example, if you use
the Bradford Factor for absence monitoring.
Privacy and Enhanced Individual Rights
There are several scenarios facing employers with regard to how they store and manage
employee information:
1. All employee information is held centrally on a server.
2. Some employee information is held electronically on a central system and some
information is held electronically in managers’ sub-folders.
3. Some employee information is held electronically on a central system and some
information is held electronically in managers’ sub-folders. Information is also held
manually across a variety of different sites.
4. Some employee information is held electronically on a central system and some
information is held electronically in managers’ sub-folders. Information is also held
manually across a variety of different sites. Further information about the employee is
stored at home or on managers’ computers.
You should audit your employee information to see what data you have and how it is stored.
You can then use this data map to carry out a minimisation exercise - consider what
information you need to store and how it can comply with the enhanced responsibilities.
FPM is working on a GDPR audit tool for members - watch out for updates on our website,
email bulletin and social media channels.
5. What is the current position under the DPA? The employee file & data protection
Ensure that all workers are aware of the nature and source of any information kept
about them, how it will be used and who it will be disclosed to.
Nominate a member of staff to be responsible for keeping and maintaining this file on
each employee.
In principle, employee files must be kept to satisfy statutory requirements. These cover, for
example:
Hours of work (employment law legislation);
Holidays taken (employment regulation inspections/health and safety);
Statutory Sick Pay, Maternity Pay, Adoptive Parental Leave and Pay, time-off taken for
dependant emergencies, time off without Pay for Parental Leave;
Recovery from the Inland Revenue of Maternity, Adoption and / or Paternity Pay
Disciplinary action and the outcome of grievances (employment legislation);
Minimum wage compliance (employment legislation);
Accidents at work (Health and Safety regulations)
Perhaps more importantly, they can help the growth and development of the practice because
they are a record of how the talents and skills of the individual are being developed.
They can also help employers to:
Identify any patterns of absence, lateness and / or sickness;
Ensure disciplinary matters are dealt with consistently throughout the Practice;
Assist with identification of training needs;
Defend the Employer's actions if Employee's claims are made to Employment Tribunals
or the Courts
Supply information to insurers and others for them to handle claims e.g. accidents.
The following information and documents should be kept on the employee file as
appropriate:
Completed Application for Employment and Equal Opportunity Forms.
Interview notes.
Job offer letter and acceptance.
Any references.
Any checks made, such as CRB (if applicable), right to work in UK.
Any medical reports.
Completed induction checklist.
Copy of the written Statement of Terms and Conditions of Employment and any
subsequent notes issued which amend it (e.g. salary changes – amounts & dates).
Details of any Probationary arrangements, reviews and related correspondence.
Any holiday request forms for the relevant periods.
Individual employee absence record, coded by reason for absence.
Copies of any disciplinary warnings, appeals, agreed actions and outcomes.
Copies of any grievances raised and outcomes.
A copy of the 'Details of Employee' Form.
The file should contain a signed copy of the Written Statement of Terms and Conditions
of Employment which should be issued with the Employee Handbook.
Any and all agreed amendments to their Written Statement of Terms and Conditions of
Employment should also be placed on the Employee's file.
Ensure that all workers are aware of the nature and source of any information kept
about them, how it will be used and who it will be disclosed to.
The Information Commissioner has yet to update the Employment Practices Code and other
existing codes, and has not confirmed when it will publish revised versions in line with GDPR.
Practices are therefore encouraged to familiarise themselves with the current codes and ensure
they are complying with current law. The codes are available at the following links:
Employment Practices Code
ico.org.uk/for-organisations/guide-to-data-protection/employment/
6. Breach Notification
A personal data breach is any breach of security, either accidental or deliberate, that leads to
the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to,
personal data.
Circumstances in which a breach may occur
Loss of control/limitation of employee rights
Discrimination
Identity theft or fraud
Financial loss
Damage to reputation
Loss of confidentiality
Other significant social disadvantage
Under the regulations, employers must document any breach, specifically:
Facts relating to the breach
The effect of the breach
Any remedial action taken to prevent recurrence.
To notify or not to notify – that is the question!
You must notify the relevant supervisory authority (ICO and NHS) within 72 hours of
becoming aware of a breach IF the breach is likely to result in a risk to the rights and
freedoms of individuals. In the HR context, this is unlikely.
You need to notify individuals without undue delay IF the breach is likely to result in a
high risk to the rights and freedoms of the employee.
7. Accountability
You need to be able to demonstrate that any processing is carried out in accordance with the
first 6 GDPR principles.
Specifically, you will need to update your written policies and processes and be able to provide
evidence of an audit process of your own internal processes (e.g. a data map) and those of third
parties (e.g. a data map or statement from any third parties such as payroll providers). You also
need to make sure that any policies are adhered to or risk failing to meet your accountability
obligations as per the legislation.
Public authority bodies that process personal information must appoint a nominated Data
Protection officer (DPO), who will be responsible for GDPR compliance. The DPO should report
to the highest level of management and must be informed of all data protection issues within
the organisation.
The DPO may be an employee of the practice, or an individual who represents several
practices at a federated/CCG/health board/LMC level.
8. Data Subject Access Requests
Under the Data Protection Act, any individual can make a 'subject access request' to any
organisation that s/he believes is processing his or her personal data. This request must be in
writing, for example by letter or e-mail. Once an organisation receives such a request it must
respond promptly, or at the most within 40 calendar days. It must produce copies of the
information it holds in an intelligible form. The organisation can charge up to £10 for doing this.
Under the GDPR, the right to submit a Subject Access Request and receive the information
without undue delay is shortened to within 1 month. An extension of 2 months can be allowed
if necessary taking into account the complexity of the request. A fee cannot be charged unless
the request is “manifestly unfounded or excessive”, in which case a fee may be charged or the
request refused.
Retention and disposal of staff records
The Data Protection Act 1998 itself does not specify any particular retention periods for
employment data and records. However, it does specify that personal data should not be kept
longer than necessary for the purpose for which it was processed and this is consistent with the
GDPR.
It is recommended that employers assess retention times for different categories of
employment data for job applicants, current employees and former employees. The retention
times should be based on business needs, taking into account relevant professional guidelines
and a risk analysis approach. When records are disposed of, this should be done securely and
effectively, particularly with sensitive information.