General Data Protection Regulation (GDPR): implications for nurses and the NHS
What you can expect from the new data protection regulation and how it will affect your work
The General Data Protection Regulation (GDPR), the new regulation which replaces the Data Protection Directive, comes into force on 25 May.
It could mean heavy fines for any organisations that are non-compliant, and is likely to continue to apply in the UK after Brexit.
This new regulation was approved by the EU parliament in April 2016, but it is only in recent weeks that people have begun talking about it.
The aim of the GDPR is to protect EU citizens from data breaches and protect privacy in an increasingly data-driven world. It will apply to all companies processing personal data in the EU.
Fines for non-compliance
The NHS needs to comply and if it is found to be in breach of the regulations, it could be fined up to 20 million euros.
It is important to note that these regulations apply to the processing of all personal data for staff and patients.
Many of the principles of the current Data Protection Act will still apply. However, there are some notable changes to be aware of:
- Organisations must have an appointed data protection officer.
- Organisations will need to demonstrate how they have complied with the new law, including establishing and publishing the legal basis for processing data.
- Any security breaches must be reported to the supervisory body within 72 hours.
- Much tighter rules will apply to the recording of consent to process information, and the withdrawal of consent must be simple to achieve.
- Copies of personal data records must be provided free of charge, in electronic format where requested.
All health and social care providers are subject to a statutory duty under the Health and Social Care Act 2012 to share information about a patient for their direct care. This duty is subject to the common law of confidence and, in due course, the Data Protection Act 2018 and GDPR.
GDPR does not affect the common law duty of confidentiality. Therefore, consent practices do not need to change to be compliant with GDPR – unless this is the legal basis of processing data.
GDPR, health and safeguarding
Article 9 of the GDPR provides conditions which are more appropriate than consent as the legal basis for processing personal data for direct care: 'medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems'.
Regarding safeguarding for children, the Children Act 1989 takes precedence over GDPR and information may be shared without consent if it is in the child’s best interest.
So, while it doesn’t appear that huge changes to daily practice are likely, individual practitioners must be mindful of the change in law.
They should make themselves familiar with the new regulation, not only to protect the rights of patients, but also to be informed of their own rights regarding their personal data.
Find out more
- NHS Digital
- Guidance from the Information Governance Alliance
- Data protection in the NHS: what new regulation means for you
About the author
Janet Youd is emergency nurse consultant at Calderdale and Huddersfield NHS Foundation Trust and chair of the RCN Emergency Care Association