The GDPR was enacted into UK Law as the Data Protection Act 2018. It imposes legal obligations on medical and healthcare organisations around how they must manage and process personal data.

The new legislation complements the NHS Data Security and Protection Toolkit (DSPT) and requirements for Caldicott Guardians. It gives the Information Commissioner’s Office (ICO) powers to impose significant financial penalties for non-compliance.

This, together with the increased focus on data collection and developments in AI for healthcare, makes robust personal data protection practices essential.

This page explains what the new legislation means for medical and healthcare organisations and the key areas they need to consider when managing and protecting personal data.

WHAT DOES THE LEGISLATION MEAN FOR MEDICAL AND HEALTHCARE ORGANISATIONS?

Like all other organisations, medical and healthcare organisations must:

• Be transparent in the way they process personal data and accountable for doing so
• Be able to detect, manage, report and respond to data breaches, including, if necessary, liaising with the Information Commissioner’s Office (ICO)
• Understand the data they have, where it is stored and who has access to it
• Implement robust processes and procedures to protect personal data
• Allow patients, healthcare professionals, staff and employees, local authorities, family and next of kin, guardians and suppliers to:

  • Access the data stored on them
  • Ensure it is correct and modify it as necessary
  • Have it deleted (unless needed for legitimate reasons)

• Appoint a designated data protection officer if they:

  • Are a public body
  • Process data on a large scale, especially special category data or data relating to criminal convictions
  • Use the data for automated decision making


IMPORTANT DATA PROTECTION CONSIDERATIONS FOR MEDICAL AND HEALTHCARE

Medical and healthcare organisations must protect personal data across all of their operations and be aware of multiple regulations. Major considerations include:

Complementary regulations, guidance and inspections

• NHS Data Security and Protection Toolkit (DSPT)
• GDPR and Data Protection Act 2018
• CQC audits and inspections

Policies

• Privacy, retention and data protection policies
• Staff handbooks

Marketing, communications and consent management

• Social media and posting
• Emails, Bring Your Own Device (BYOD), NHSmail

Administration

• Maintaining network and server security
• Email systems
• Staff payroll, pension and HR records
• Visitors’ book and access systems

Sharing data with others

• Clinicians and healthcare professionals
• Local authorities

Managing sensitive information

• Data Protection Impact Assessments
• Managing sensitive medical information
• Safeguarding, family issues and DBS checks

Data gathering for predicting clinical outcomes

• Automated processing
• Data anonymisation and pseudonymisation

Patient facing care and getting the job done

• Bedside data
• Patient notes
• Managing paper records

Care management systems and medical records

• Carer planning and management systems such as CarePlanner, Zuri, Access Care
• Electronic Medication Administration Records (eMAR)
