Data Protection 2017 - the GDPR clock is ticking!

The framework of the General Data Protection Regulation (GDPR) has been well publicised and will come into effect on 25 May 2018. To ensure an understanding of how the GDPR will work in the UK, a new Data Protection Bill 2017 has been published.

How it will work for the healthcare sector remains to be seen, but processing of personal data is only lawful if it complies with Article 6 of the GDPR and is necessary for the performance of tasks carried out in the public interest. The functions will apply to all NHS bodies and local authorities and cover the commissioning and provision of health services by NHS Trusts and Foundation Trusts.

"Health Data” is in a special category of personal data and requires additional compliance under Article 9 GDPR. In particular processing can be justified in the context of:

 

• Preventive or occupational medicine.

• Medical diagnosis.

• Provision of healthcare or treatment.

• Assessment of the working capacity of an employee.

• The provision of social care.

• The management of healthcare systems or social care systems or services.

Data Subjects’ rights are already set out under the GDPR and are included within the Bill, including Subject Access, by which living patients and service users can access their health and social care records. No fees will be charged to patients and service users unless the request is obviously unfounded, excessive or repeated, in which case a reasonable fee can be charged; regulation will follow on the extent of those fees.

There will be exceptions to disclosure in relation to personal data of third parties and in circumstances where disclosure would be likely to cause serious harm to the physical or mental health of the patient, service user or another individual. Disclosure will of course be permitted to police, Courts and solicitors where refusal to do so would prejudice the purpose for which information is required.