GDPR and the Data Protection Act 2018 - key matters for healthcare professionals and care providers

A year on from the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 coming into force, we take a look at some of the questions we are most frequently asked by healthcare professionals and care providers.

Do we need consent to lawfully process data about an individual’s health?

No. In fact, we advise against relying on consent in those circumstances.

This is obviously distinct from the issue of patient consent for treatment. A requirement to get consent to medical treatment does not mean that there is a corresponding requirement to get GDPR consent for the inevitable associated processing of personal data.

GDPR sets a high bar for consent that can be difficult to achieve. It needs to be freely and positively given – an opt-in “tick here to consent” approach, as opposed to the old opt-out “tick here if you do not consent”. Relying on consent also grants additional rights to the patient and, as GDPR consent can be withdrawn at any time, it is always advisable to rely upon one of the other lawful bases available to you in the provision of healthcare.

Public authorities such as NHS trusts/foundation trusts, and private providers commissioned by NHS England to provide NHS services, are carrying out a ‘public task’ and may lawfully process a patient’s personal data where necessary for this purpose.

For private sector healthcare providers, in most cases the processing will be necessary for the performance of a contract with that patient – also a lawful basis for processing data.

Furthermore, all registered healthcare providers are under a legal obligation to maintain health records, including a record of the care and treatment provided and of decisions taken, which is itself a lawful basis for processing.

As we are talking about the processing of special category data (which you may previously have known as “sensitive personal data”), i.e. information about an individual’s health, it isn’t enough simply to have a lawful basis for processing. You will also need to satisfy one of the 10 special category data processing conditions. However, this generally will not be difficult, as these include processing that is necessary for the purposes of medical diagnosis or healthcare.

Do we need to have a privacy notice?

If you process personal data, then yes.

Privacy notices (which detail what data you will be processing, how and why) must be provided to patients when you first collect their personal data from them, or if the personal data is collected from another source (such as the patient’s GP), within a reasonable period (no later than one month).

We have heard about the “right to be forgotten”. Does this apply to patients?

Not as a rule, no.

Patients do have the right to request that their data is rectified if it is inaccurate or incomplete. However, this right does not extend to medical opinions as long as what is recorded accurately reflects the opinion of the caregiver in question.

The right to have personal data erased does not apply to health records unless there is no compelling reason to continue with the processing. In reality, aside from the obvious potential impact on future care, you have a legal obligation to maintain health records and are entitled to retain them to defend potential legal claims, so it is difficult to envisage many examples where there would be no compelling reason to retain the data.

What are the penalties for not complying with GDPR?

Generally speaking, up to €10 million or 2% of global annual turnover for breaches relating to data controller or data processor obligations, and up to €20 million or 4% of global annual turnover for breaches of data subjects’ rights and freedoms.

This is potentially a significant hike on the previous maximum penalty of £500,000.

Under GDPR, organisations must notify the Information Commissioner’s Office of a personal data breach within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to the rights and freedoms of individuals. A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data.

Will Brexit signal the end of GDPR?

In short, no. GDPR is here to stay, for now at least.

Although parliament could potentially make changes to UK data protection legislation once we are no longer a member of the EU, it is unlikely to do so. If we want to maintain a continued and secure flow of data to and from the UK, the government considers that it will be vital to maintain an equivalent level of data protection in the UK to that required in the EU.

Read other items in Healthcare Brief - June 2019