Data protection in the NHS: what new regulation means for you

Senior nurses are being urged to see the General Data Protection Regulation (GDPR) as a chance to bolster patient confidence in how digital information about them and their care is used.

Don’t panic. That’s the message from Dawn Monaghan, head of data sharing and privacy for NHS England, regarding the General Data Protection Regulation (GDPR), which comes into force on 25 May.

There is a small proviso, however, which Ms Monaghan raised at a recent information governance summit on ensuring compliance with the GDPR: everything will be fine as long as you are meeting obligations under existing data protection legislation.

‘If you are, you’re probably 70 to 75% there,’ she told the audience. If not, the new regulation could cause nurse managers serious headaches, not least because breaches carry the risk of huge fines.

Post-Brexit implications

What is the General Data Protection Regulation and why does it matter?

Its principal aim is to give individuals greater control over their personal data and how it is used. It requires organisations to have measures in place to protect this data by:

  • Documenting the data held
  • Having procedures to detect, report and investigate breaches
  • Assigning a data protection officer

Although the GDPR is European Union legislation, its principles will pass into UK legislation with a new Data Protection Act so the UK will maintain the same data protection regime as EU member states even after Brexit. Leaving the EU is therefore no excuse for ignoring the imminent arrival of the GDPR.

Under the new laws, some data protection principles will remain similar to existing measures. But as well as those harsher penalties and greater rights for data subjects, the GDPR requires organisations to demonstrate compliance.

They will have to do this by, for example, recording all data processing activity, and undertaking impact assessments in cases where data processing is likely to pose a high risk to a person’s rights and freedoms.

RCN lead for e-health Ross Scrivener says much of the focus on the new legislation relates to the punitive actions resulting from non-compliance.

‘Senior nurses need to be cognisant of these as available funding for health outcomes should not be spent paying fines.’

But he says it is important to look beyond the possible penalties and see what the GDPR offers.

‘It’s a real opportunity to build confidence in citizens about how data is used and secured. Citizen trust in systems and processes relating to their data will be critical as digital health and social care services are developed.’

He adds: ‘We’re all “data subjects”. We all produce data when we make daily transactions online. The GDPR will bring the data produced through health and social care transactions into line with these other sectors.’

Actions to be taken

For many nurses, the new regulation may well feel remote, bureaucratic even. But NHS England says it is a combination of large and smaller actions that will give patients confidence in how information about them is handled.

Beyond the high-level, information-governance procedures that health providers must adopt, there are simple but important things all nurses should do. Many of these, such as not sharing passwords, not leaving identifiable patient information on computer screens and logging out after using a computer, are common sense.

‘It’s a combination of the legal steps and individual nurse actions that provide the greatest confidence in patients about how their data is used,’ says an NHS England spokesperson.

In bigger NHS organisations, responsibility for compliance with the GDPR will be shared, but nurse managers in independent or charitable providers may well find themselves having to take the lead.

Nurse Ruth Mabika is chief of staff for Nouvita, a small company that provides specialist mental health and learning disability support. She says that, with no dedicated information governance team in the organisation, she initially felt overwhelmed by the potential impact of the GDPR. The solution was to seek out information, and doing so has reassured her that Nouvita’s existing approach to data protection is robust and requires no significant change when the GDPR comes into force (see case study).

Dawn Monaghan, from NHS Digital, agrees. ‘Be wary of anyone who comes along and says you need to ditch everything you do at the moment,’ she told the recent GDPR compliance summit. ‘You don’t. You need to build on what you’ve already got.’

As Ross Scrivener points out, these days we are all data subjects and that, he suggests, is a helpful perspective for nurses to adopt when trying to unpick the complexities of the GDPR.

‘It’s important we understand our rights as citizens ourselves,’ he says. ‘That way we will be better advocates for what the GDPR is all about.’

Case study

Chief of staff Ruth Mabika and clinical director Iona Oughton are senior nurses who work for Nouvita, a specialist provider of care and support services.

They attended a recent information training summit on ensuring compliance with the General Data Protection Regulation (GDPR). Afterwards, Nursing Management asked for their reflections on what the regulation will mean for them.

What practical difference, if any, do you think GDPR will make to how you and your nurse colleagues handle data?

We completed a business risk analysis to assess the impact of GDPR, and that helped us identify any gaps and complete an action plan. As our nursing colleagues are expected to adhere to the current data protection legislation, we don’t see that there is a significant practical difference. The change required will be with regard to mindset and a shift in culture, particularly a full appreciation of people’s rights to access the records we hold about them. In practice, this may mean, for example, removing any jargon from record keeping, to facilitate better understanding of records. As data processors, nurses will also need to have a full understanding of their individual accountability to comply with the GDPR.

Iona Oughton

Do you feel adequately prepared for the introduction of GDPR? What steps have you taken to find out more?

We’re a relatively small organisation with a cluster of residential and nursing care homes providing learning disability and mental healthcare. We also have a mental health hospital providing locked rehabilitation services and a psychiatric intensive care unit. As we’re an organisation with a fairly flat senior management structure which doesn’t have a designated department for information governance, I was initially overwhelmed by the GDPR and its impact on our organisation.

I was concerned about the increased fines for non-compliance, and information in the public domain reinforced my concerns. But my anxieties have been resolved and I have been able to see a formalised approach to this statutory change. We’ve subsequently accessed the website of the Information Commissioner’s Office and found it to be a useful resource.

Ruth Mabika

Do you think nurses have a good understanding of data protection issues? Have you noticed particular gaps in their knowledge and training needs?

We’re confident that on the whole our nurses have a good grasp of data protection. We need to do further work on their understanding of the interplay between the Mental Capacity Act and the GDPR, ensuring that capacity is fully assessed and consent is adequately sought for each decision and all interventions. But our training has been updated to take into account the new regulation, and the ongoing learning around it will be through our current supervision structures and reflective practice.

Iona Oughton

From the learning you’ve undertaken so far around the GDPR, what would you say are the issues that other senior nurses need to take on board?

Accountability and transparency are enhanced in the new regulation. People who use and are in contact with our services must know from the outset what information we hold about them and what we do with it. This requires careful consideration, at each point of sharing information, of whether processing the information is necessary and that appropriate consent has been sought where it applies.

In terms of accountability, while organisationally there is an expectation that processes and systems are in place to support staff to be compliant with the legislation and to oversee and monitor them, there is now greater onus on individual responsibility. Senior nurses need to ensure that staff have a full understanding of their individual culpability.

Ruth Mabika

Further information

Reader offer

A Healthcare Conferences UK event on Information Governance in Health and Social Care: Ensuring Compliance with General Data Protection Regulation is being held on 8 June.

Claim your 20% discount off the ticket price by using the code hcuk20nm, or email kerry@hc-uk.org.uk

  • There is no shortage of information and advice about the General Data Protection Regulation (GDPR), most of which is continually being updated. A good place to begin is the guide available on the website of the Information Commissioner’s Office.
  • The healthcare focused Information Governance Alliance has also published guidance.
  • NHS England says NHS organisations may be producing their own operational guidance and nurses should look out for this as it may change how they handle and use information.
  • The government has warned of low awareness of the GDPR among charities and businesses, but highlights links to further sources of guidance and information.
  • The RCN is represented on the National Data Opt-out Programme, the group developing guidance for patients on how identifiable health and care information is used.

RCNi resources

The RCNi collection of selected resources on digital literacy