GDPR and General Practice: What you Need to Know
The EU General Data Protection Regulation (GDPR) applies from 25 May 2018. It is the most extensive change to EU data protection law in 20 years, and because it reaches organisations outside the EU as well, its effect is worldwide.
GDPR applies to any organisation that offers goods or services to, or monitors the behaviour of, individuals in the EU, regardless of where the organisation is based. Brexit changes nothing immediately: until the UK's exit is finalised we remain bound by EU law, and it is widely expected that the UK will then adopt its own legislation that carries GDPR's requirements over.
What is GDPR?
The aim of GDPR is to improve and simplify data protection. It will sweep up all the many and conflicting directives that exist across the EU and tidy them into one single set of rules. Consumers will benefit from clarity as to their rights concerning how their data is held and processed, and organisations will find it easier to understand how they should be controlling the data they hold on consumers.
GDPR brings with it a raft of new rules on how personal data is stored and processed. Breaches of the core obligations can attract fines of up to €20 million or 4 per cent of worldwide annual turnover, whichever is higher.
In summary, the key requirements of GDPR are as follows:
- Consent – where you rely on consent (for example, to send marketing or newsletter emails) it must be given by a 'clear, affirmative action': pre-ticked boxes, silence or inactivity no longer count, and it must be as easy to withdraw as it was to give. Consent is only one of several lawful bases for processing; much of a practice's clinical processing rests on other bases, so you should not ask for consent where you would process the data anyway.
- Right to be forgotten – personal data may not be kept for longer than is needed for the purpose it was collected for, nor used for other purposes. Data cannot be kept indefinitely, and any data subject has the right to ask for their data to be erased where there is no longer a lawful reason to hold it, where they withdraw the consent that the processing relied on, or where it has been processed unlawfully.
- Personal data processing – there must be a lawful basis for gathering the data, and it must be clear what you intend to do with it and for how long you will need it. This information must be communicated clearly to the data subject (the person the data is about), normally in a privacy notice. Data can no longer be held just for the sake of it.
The GDPR clock is ticking. Now is the time to start planning your compliance strategy. Digital systems and marketing processes are very much governed by GDPR, so as part of your strategy, you are going to want to know how your website deals with data processing and storage.
For those with Tree View Designs websites, the following reassurances apply:
Tree View Designs websites and web servers only process personal information at the point where someone enters their details into an electronic form and submits it. The submission generates an email to an address nominated by the practice. The form is submitted over an encrypted (HTTPS) connection between the user's device and the Tree View Designs server; the email is then sent over an encrypted connection from our server to our email service and on to the NHS servers, subject to the point about TLS below. No other personal information is stored during this process, and the submitted data is deleted as soon as the transfer of the form is complete.
All Tree View Designs email servers use Transport Layer Security (TLS) for outbound mail wherever the receiving mail server supports it. As part of the exchange, our mail servers check the validity and legitimacy of the receiving server's certificate.
NHS mail servers support 'opportunistic TLS'. This is the most widely deployed way of encrypting email in transit, though not the strictest: the sending server offers to encrypt, and if the receiving server is not set up to accept encrypted connections the message is sent unencrypted rather than rejected. Encryption is therefore used wherever both sides support it, and emails have the best possible chance of being accepted by every provider, at the cost of a message to a server without TLS support travelling in clear. A stricter 'mandatory TLS' setting refuses delivery in that case instead.
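The difference between opportunistic and mandatory TLS comes down to one decision the sending server makes after reading the receiver's EHLO reply. The following is an added example written for this page, not Tree View Designs' or NHSmail's code: it parses two constructed EHLO replies (the host names and extension lists are invented), shows what each policy does when STARTTLS is or is not offered, and includes a live probe, using only the standard library's `smtplib` and `ssl`, that an administrator can point at a real mail server to see whether STARTTLS is advertised and whether its certificate verifies.

```python
"""Opportunistic vs. mandatory TLS for outbound SMTP.

Added example for this article; not the mail platform's own code. It assumes
nothing about any specific server. The EHLO replies below are constructed for
illustration and the host names in them do not exist.
"""
import smtplib
import ssl

# Constructed EHLO reply from a receiver that advertises STARTTLS.
EHLO_WITH_STARTTLS = b"""250-mx.example-receiver.test Hello sender
250-SIZE 52428800
250-STARTTLS
250-8BITMIME
250 SMTPUTF8"""

# Constructed EHLO reply from a legacy receiver with no TLS support.
EHLO_WITHOUT_STARTTLS = b"""250-legacy.example-receiver.test Hello sender
250-SIZE 10485760
250 8BITMIME"""


def parse_ehlo_extensions(response: bytes) -> set:
    """Return the SMTP extension keywords in an EHLO reply (RFC 5321).

    The first line is the greeting; each later line is '250-KEYWORD ...'
    or, for the final line, '250 KEYWORD ...'.
    """
    lines = response.decode("ascii", errors="replace").splitlines()
    extensions = set()
    for line in lines[1:]:
        if not line.startswith("250") or len(line) < 5:
            continue
        parts = line[4:].split()
        if parts:
            extensions.add(parts[0].upper())
    return extensions


def delivery_decision(response: bytes, policy: str) -> str:
    """What the sending server does with this receiver under a given policy.

    'opportunistic': encrypt if STARTTLS is offered, otherwise send in clear.
    'mandatory':     encrypt if STARTTLS is offered, otherwise refuse to send.
    """
    if "STARTTLS" in parse_ehlo_extensions(response):
        return "encrypted"
    if policy == "opportunistic":
        return "cleartext"   # message still leaves, unencrypted
    if policy == "mandatory":
        return "refused"     # queued or bounced rather than sent in clear
    raise ValueError(f"unknown policy {policy!r}")


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Live check (needs network; not exercised offline).

    Connects to a mail server, reports whether it advertises STARTTLS and,
    if so, negotiates TLS with full chain and hostname verification so that
    a certificate problem shows up as an error instead of being ignored.
    """
    ctx = ssl.create_default_context()  # verifies chain and hostname
    result = {"host": host, "starttls": False, "verified": False,
              "cipher": None, "error": None}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            result["starttls"] = smtp.has_extn("starttls")
            if result["starttls"]:
                smtp.starttls(context=ctx)  # raises on an invalid certificate
                result["verified"] = True
                result["cipher"] = smtp.sock.cipher()[0]
    except (smtplib.SMTPException, ssl.SSLError, OSError) as exc:
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    for name, reply in (("receiver with STARTTLS", EHLO_WITH_STARTTLS),
                        ("receiver without STARTTLS", EHLO_WITHOUT_STARTTLS)):
        for policy in ("opportunistic", "mandatory"):
            print(f"{name}, {policy} policy: {delivery_decision(reply, policy)}")
```

Two practical points follow from this. First, under an opportunistic policy the "cleartext" branch is silent: the sender does not tell anyone the message went unencrypted, so the only way to know what a particular destination gets is to probe it, as `probe_starttls` does. Second, opportunistic configurations in common MTAs (for example Postfix's `smtp_tls_security_level = may`) encrypt but do not verify the receiver's certificate; certificate checks of the kind described above only have teeth under an enforcing level (`verify` or `secure` in Postfix terms), which is what a practice should ask its supplier to confirm for the route to NHSmail.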
Tree View Designs websites generally include links to other services. Passwords and personal data used to access those services are not stored on our system. We suggest that our GP practice clients review any third-party services in use so that they are aware of each one's security and data handling policies.
Under GDPR, GP practices are fully responsible for their data handling processes. It's important to take charge of what needs to be done in order to comply.
There is useful guidance on the Information Commissioner's Office website.
In terms of your GP website, if it has been created by Tree View Designs then the transfer of data between the electronic form and the practice system is encrypted in transit as described above. Our websites do not store personal data and, because patient users do not access the site with an account or password, the site holds nothing that could be used for marketing or transactional purposes. The website's part in your data map is therefore limited to this transient form-to-email transfer; you should still record that transfer, and your contract with us as a data processor, in your GDPR documentation, but it adds little else to your policies and procedures.