The GDPR was enacted into UK law as the Data Protection Act 2018. It imposes legal obligations on medical and healthcare organisations around how they must manage and process personal data.
The new legislation complements the NHS Data Security and Protection Toolkit (DSPT) and requirements for Caldicott Guardians. It gives the Information Commissioner’s Office (ICO) powers to impose significant financial penalties for non-compliance.
This, together with the increased focus on data collection and developments in AI for healthcare, makes robust personal data protection practices essential.
This page explains what the new legislation means for medical and healthcare organisations and the key areas they need to consider when managing and protecting personal data.
WHAT DOES THE LEGISLATION MEAN FOR MEDICAL AND HEALTHCARE ORGANISATIONS?
Like all other organisations, medical and healthcare organisations must:
- Access the data stored on them
- Ensure it is correct and modify it as necessary
- Have it deleted (unless needed for legitimate reasons)
- Are a public body
- Process data on a large scale especially special category data or data relating to criminal convictions
- Use the data for automated decision making