GDPR for Practice Managers General Data Protection Regulation Dr - PowerPoint PPT Presentation

GDPR for Practice Managers General Data Protection Regulation Dr Nick Lowe Stephen Toulmin (Senior Executive Lead) Lancashire & Cumbria Consortium of LMCs www.nwlmcs.org April-May 2018

GDPR Day : which one are you? 25th May 2018 Sorted ? Brave Face It’s all a fuss over nothing Fear DON’T PANIC but you should prioritise a plan now

Aims of the presentation today Collaborate and Share A Whistle Stop Tour – a lot to cover  Overview of the GDPR – Focus on issues that impact GPs/Health sector  Headline issues and changes from current Data rules  Key terminology, concepts and definitions  Practical advice on next steps  Resources : Health Sector specific guidance and keeping informed (DPA 2018 not in place yet)  If time : the new 10 NHS Data security rules – DSP toolkit  Questions & Answers and your views/concerns The information today has been drawn from key documents and other sources for general supportive guidance only. It is not intended to be taken as accurate legal advice. The LMC consortium is not undertaking the role of a DPO CCGs/CSU are expected to have a future role in providing DPO support to practices If in doubt obtain advice from an Information Governance Specialist or your DPO service

Practice Manager of the Year sends their best wishes for GDPR Rambo says : ‘ You need to have a GDPR and Data Security plan showing you understand the new requirements and are implementing them ’

True or False 1 Everything has to be sorted out and perfect for 25 May ? FALSE Two quotes from the Information Commissioner Elizabeth Denham’s blog best set this to rest: “GDPR compliance will be an ongoing journey”; and “… if you can demonstrate that you have the appropriate systems and thinking in place you will find the ICO to be a proactive and pragmatic regulator aware of business needs and the real world ”.

True or False 2 Consent is needed for all processing of personal data ? FALSE The GDPR sets a high standard for relying on consent, especially where that data is health related. However, it also provides alternative conditions that can be relied on instead of consent.

True or False 3 The Information Commissioner’s Office (ICO) can levy fines of up to £17 million ? TRUE but The ICO has been a pragmatic and constructive regulator. It is likely that large fines will be only be used where organisations wilfully ignore their obligations and put data subjects (e.g. patients/individuals/citizens) at risk of harm because of their lack of legal compliance. As the Information Commissioner has said: “Issuing fines has always been and will continue to be, a last resort.”

Many current data protection rules still apply – so it’s not back to the starting line Remember we are already expected to follow good IG practice and much will not be new.  Confidentiality - Common Law duty  The Data Protection Act 1998 will go - will be replaced after Data protection Bill in 2018  (GDPR and DPA 2018 in place side-by-side)  Good record keeping – Good Practice In our core role, an NHS GP Practice is a Data Controller and a Public Authority using Special Category Data for Direct Care

Getting up to speed – cut to the chase - What do we need to do 1? Step by Step but have a plan!  Convene a small team – ideally PM group and at practice level  Use the LMC website (nwlmcs.org) GDPR page  Read the BMA, ICO (12 steps), IGA/NHS digital guidance, ICO GDPR webpages (detailed but good)  GPC GDPR document dropbox : Dr Paul Cundy (inc. Privacy Templates)  Alert Partners to responsibilities (NHS contract data controllers)  Designate a Practice DPO  Draw up a plan with target date e.g. 6/12 to full compliance – evidence of working towards  Staff awareness – everyone (ICO posters)  Ensure CCG IT agreement signed  Review data processes at practice  Incoming/Internal/External  Check with CCG what extractions are undertaken

Getting up to speed – cut to the chase - What do we need to do 2? Step by Step but have a plan!  Prepare new Privacy Notices (templates available)  Create an Information register  Review your SAR (subject access request) processes  Review data breach and report processes  Obtain consent for non-direct care processes  GDPR & IG Training for staff – annual/online  Periodic Audits (e.g leavers deleted)  Caution with offers of off-the-shelf solutions from providers

What should a practice manager be considering for GDPR 1 ? General message appears to be ‘don’t panic’ - don’t need to be fully compliant by 25 th May 2018 but making good progress towards……( but no room for complacency) All Practice staff need to be involved and aware of changes including GPs. BMA and other guidance is out now – still questions and clarifications and further changes are possible with DPA2018 Hopefully you have completed IG toolkit V14.1 - review your areas of weakness. New replacement DSP toolkit awaited.

What should a practice manager be considering for GDPR 2 ? Understand your data Can be done with collective knowledge and through collaboration What data do you hold ? How do you collect it? Where and how is that data stored? Who has access to it? How is the data currently used? Data flow mapping, information asset register How do you communicate your use of data to patients ? Transparency, patient rights, consent, how you keep data safe, when do you share ? Fair processing/privacy notice templates, ‘How we use your data’ on website and patient leaflet ? Providing patient information – basic notices with pointers to more detailed information NHS choices health record information

What should a practice manager be considering for GDPR 3 ? How do you demonstrate compliance and assurance ? Completing IG/DSP Toolkit – are you confident about your processes? Keep records, Training, staff DSP questionnaire, regular audit of processes Be ready to Implement key changes e.g. Breach Notifications – brief staff on new requirements and have a clear process. Log breaches on a spreadsheet or Datix ? IGA are to publish further breach guidance. Do a baseline survey of potential breaches, risks and near misses? Subject Access Requests – no fees – tighten processes and recording of response progress – 3 rd party redactions – New Negotiating with patient and Targeting the SAR to minimise processing. Open up records for direct access? Designating a DPO, undertaking a DPIA when appropriate. Get ready to change processes and ensure staff are aware

Two Key GP Documents Need to repeatedly read and discuss to familiarise with new concepts and requirements See links on the LMC website : GDPR support page : www.nwlmcs.org

ICO 12 Steps Guide : ico.org.uk Information Commissioners Office Do look at the website GDPR section Good source of detailed and practical advice Patients are Data Subjects (DS)

Think Check Share – Think Privacy Promote and demonstrate a culture of Data privacy and security Poster sets downloadable from ICO website : Think-Check-Share : Think Privacy https://ico.org.uk/media/for-organisations/think-check-share/1043597/think-check- share-toolkit.pdf

Dr Paul Cundy IT GPC – set of GP blogs, documents and template privacy notices Informed source of GP IG advice Access may be restricted from within a secured network https:// www.dropbox.com/sh/h22kak6pxlt8ily/AAB4gAuHKib_MZ44Xi3AbAf4a?dl=0 Be prepared for many new concepts and terms Personal opinion blogs and options discussed as well as official guidance. A new Hub Page for GDPR information has now been launched on the BMA website. https://www.bma.org.uk/advice/employment/ethics/confidentiality-and-health-records/general-data-protection-regulation-gdpr Periodic updates will be posted as the new rules become more understood and integrated See links on the LMC website : GDPR support page : www.nwlmcs.org

GDPR – applies to collection, storage and use of ‘personal’ data Aim: To protect citizens from privacy and data breaches/misuse Recognition of the 21 st Century Social Media World and risks to our data • New, Europe-wide law that replaces the Data Protection Act 1998 in the UK. • Part of a wider package of reform that includes the Data Protection Bill (DPA 2018) proceeding through parliament. Further changes may apply. • Sets out future legal requirements for handling personal data from 25th May 2018. Gives greater rights control of personal data to the individual . Their Data • Make it easier for individuals to access their data and be able to change the permissions for it to be used or shared. • Applies to both digital and paper records • Does not apply to deceased individuals • Applies to both data ‘controllers’ and ‘processors’ • Pseudonymised data can be included if not strongly unlinked from source

Positive legislation that should increase trust – but will involve new work Some Headline Impacts of GDPR 1 • New accountability requirements - organisations must comply with the new law and also demonstrate that they comply • You must keep records of data processing activities, Staff training and Audits • Significantly increased penalties possible for any breach of the regulation – not just data breaches. • Legal requirement for personal data breach notification to the ICO within 72 hours where risk to data subjects. • Removal of charges, in most cases, for providing copies of records to patients or staff who make a subject access request. Shorter timescales for SAR responses.