In May 2018, the General Data Protection Regulation (GDPR) replaced the Data Protection Act 1998 (DPA) in governing how personal data is managed by 'controllers' or 'processors'.
'Personal data' is any data or information that can be attributed to a person. So, if you can identify an individual by the data, then this data becomes personal data.
A 'Data Subject' is a person whose data is being processed.
A data 'Controller' is a person (or business) who collects personal data. They are also responsible for how that data is processed.
A data 'processor' is anyone who processes personal data on behalf of the data controller (not including the data controller's own employees).
IGP acts as both a controller and processor of personal information.
As controller, IGP's processing activities include arranging appointments between the patient (data subject) and clinicians.
As processor, IGP's processing activities include arranging appointments between third party referrers acting on behalf of an individual data subject (patient) and IGP clinicians.
Information about an individual that is likely to be of a sensitive or private nature and could be used in a discriminatory way is described as sensitive personal information and identified as special category data. This type of information needs to be treated with greater care than other forms of personal data.
Sensitive personal information may include:
When a data subject presents for an appointment, they will be required to provide, or a clinician may generate and document, information that may contain sensitive or special category data, including information relating to physical or mental health or condition.
GDPR requires that personal data shall be:
It also requires that the controller shall be responsible for and be able to demonstrate compliance with the principles.
Controllers must also ensure that any processors are able to demonstrate compliance with the principles.
'Process all personal data lawfully, fairly and in a transparent manner'. This means that IGP need to ensure there is a reason why we have and retain personal data. It also means that the data subject should know how, why and where their data is being processed.
'Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes'
This means that IGP needs to make clear exactly what the data will be used for. If it is used for any purpose other than that originally intended, then IGP is in breach of GDPR rules. For instance, if IGP collects personal data to arrange an appointment, IGP cannot then use that information for marketing without explicit consent.
'Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.'
Adequate - if IGP collects information to book an appointment, it needs to collect enough information to ensure that the process can be completed. For instance, booking an appointment for "John Smith" with no other information will not be sufficient to fully identify a specific John Smith, who may have an appointment on a specific day and time.
Relevant and limited to what is necessary - For instance, a name, contact details, and a date of birth may all be relevant to contact and identify a particular person. However, the number of children they have, their occupation, etc. is not relevant for this purpose.
'Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.'
This means that where IGP collects information, IGP must make every effort to ensure that it is correct. If it is not correct, then IGP needs to try to correct the information. For instance, where IGP have made two appointments for the same person but created two identities, then these records need to be merged, or one of the identities updated and the other deleted.
'Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.'
This relates to data retention and how long information should be kept after an appointment. IGP have a data retention policy which provides a specific timetable for when information should be deleted.
'Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.'
This principle will be covered in more detail in Information Security training.
The Independent General Practice