GDPR is here…the healthcare journey has only just begun

GDPR is here…the healthcare journey has only just begun

The much heralded GDPR Day on 25 May has come and gone with Information Governance managers getting to grips with keeping records of processing activities, privacy notices, updating contracts, policies and completing impact assessments.

Significantly there can no longer be a charge for Subject to Access Requests unless it is manifestly unfounded or excessive or a repeated request. The time limit has been reduced to one month rather than 40 calendar days although it can be extended for particularly complex or numerous requests. The ability to charge has also been removed from applications for records of deceased patients but unlike SARs the time period for a response for the records of deceased patients remains the same (21 or 40 days depending on the last addition to the record).

NB: this is distinct from solicitors seeking records by use of Forms of Authority signed by Claimants. It has even been suggested that advising a Claimant to make a SAR to disclose certain records including health records is a criminal offence under S.184 (2) DPA 2018 however in reality no offence is committed if the Claimant is given a genuine choice as to whether to provide authority for access to his/her lawyer and a right to decline to sign forms of authority.  

Penalties for data protection breaches will increase under a new two tier system; breaches of controller or processor obligations are fined within the first tier up to €10 million or 2% of global turnover or for breaches of data subjects’ rights and freedoms, the higher level of up to €20 million or 4% of global annual turnover.

These maximum penalties however will be considered in context by the ICO in relation to nature, gravity and duration of the breach as well as the type of personal data affected any previous infringements and level of cooperation. ICO has described the changes as “an evolution in data protection, not a burdensome revolution”.