GDPR and Privacy
UK GDPR Policy
1 Introduction
1.1 Policy statement
The Village Surgery must be able to demonstrate compliance at all times with the UK General Data Protection Regulation (UK GDPR herein), which is incorporated in the Data Protection Act 2018 (DPA18) at Part 2, Chapter 2. All staff must understand their responsibilities when accessing and processing personal data, ensuring they adhere to the data protection principles.
1.2 Status
In accordance with the Equality Act 2010, we have considered how provisions within this policy might impact on different groups and individuals. This document and any procedures contained within it are non-contractual, which means they may be modified or withdrawn at any time. They apply to all employees and contractors working for the practice.
2 Data protection
2.1 Data protection by design and default
The Information Commissioner’s Office (ICO) advises that the UK GDPR requires The Village Surgery to put in place appropriate technical and organisational measures to implement the data principles effectively; this is data protection by design and default.
Data protection by design is about considering data protection and privacy issues upfront in everything that the organisation does. Data protection by default requires this organisation to only process the data that is necessary to achieve a specific purpose.
This organisation will demonstrate data protection by design and default by:
· Conducting a Data Protection Impact Assessment (DPIA)
· Ensuring there are privacy notices on the website and in the waiting rooms that are written in simple, easy-to-understand language
· Adhering to Articles 25(1) and 25(2) of the UK GDPR
· Processing data only for the purpose(s) intended
· Ensuring consent is obtained from the data subject prior to data being processed
· Providing patients with access to their data on request (subject access requests)
· Ensuring patients consent to access to their data by third parties
· Processing data in a manner that prevents data subjects being identified unless additional information is provided (using a reference number as opposed to names – pseudonymisation)
3 Roles of data controllers and processors
3.1 Data controller
The ICO defines a data controller as a person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Controllers are responsible for the compliance of their processor(s).
The Village Surgery is the data controller for the data it holds about its patients. The Village Surgery must ensure and be able to demonstrate compliance with Article 5 of the UK GDPR which relates to the seven key principles of processing personal data:
· Lawfulness, fairness and transparency
· Purpose limitation
· Data minimisation
· Accuracy
· Storage limitation
· Integrity and confidentiality (security)
· Accountability
3.2 Data processor
The ICO defines a data processor as a person, public authority, agency or other body which processes personal data on behalf of the controller. Processors must ensure that processing conforms to Article 6 of the UK GDPR:
· The data subject has given consent to the processing of his/her personal data for one or more specific purposes
· Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
· Processing is necessary for compliance with a legal obligation to which the data controller is subject
· Processing is necessary in order to protect the vital interests of the data subject or another natural person
· Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller
· Processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except when such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular when the data subject is a child
At this organisation, all staff are classed as data processors, as their individual roles will require them to access and process personal data.
4 Data subjects’ rights
4.1 Right to be informed
The ICO explains that Articles 13 and 14 of the UK GDPR specify what individuals have the right to be informed about; this is referred to as ‘privacy information’.
4.2 Right of access
The Village Surgery ensures that all patients are aware of their right to access their data and has privacy notices displayed in the following locations:
· Waiting room
· Organisation website
· Organisation information leaflet
To comply with the UK GDPR, all privacy notices are written in a language that is understandable to all patients and meet the criteria detailed in Articles 12, 13 and 14 of the UK GDPR.
The ICO advises that the right of access is commonly referred to as subject access and gives individuals the right to obtain a copy of their personal data, as well as other supplementary information this organisation holds about them.
4.3 Right to rectification
As stated by the ICO, under Article 16 of the UK GDPR, data subjects have the right to have inaccurate personal data rectified and/or incomplete personal data completed. At The Village Surgery, should a clinician enter a diagnosis that is later proved to be incorrect, the medical record should retain both the initial diagnosis and the subsequent accurate diagnosis, with text making it clear that the diagnosis has been updated.
Patients can exercise their right to challenge the accuracy of their data and request that this is corrected. Should a request be received, the request should state the following:
· What is believed to be inaccurate or incomplete
· How this organisation should correct it
· If able to, provide evidence of the inaccuracies
Detailed guidance from the ICO can be accessed here.
4.4 Right to erasure
The ICO explains that under Article 17 of the UK GDPR, data subjects have the right to have personal data erased. This is also known as the right to be forgotten. This right permits a data subject to request that personal data is deleted in situations when there is no compelling reason to retain the data. The right is not absolute and only applies in certain circumstances.
Additional information can be found at section 4.11 of the BMA Access to health records guidance.
When The Village Surgery has shared information with a third party, there is an obligation to inform the third party about the data subject’s request to erase their data providing it is achievable and reasonably practical to do so.
4.5 Right to restrict processing
The ICO states that Article 18 of the UK GDPR gives individuals the right to restrict the processing of their personal data. This is not an absolute right, and only applies in certain circumstances, with the aim being to enable the individual to limit the way this organisation processes (uses) their data. This right can be used as an alternative to the right to erasure.
4.6 Right to data portability
The ICO explains the right to data portability permits data subjects to receive and reuse their personal data for their own purposes and across different services.
4.7 Right to object
The ICO advises that, in accordance with Article 21 of the UK GDPR, individuals have the right to object to the processing of their personal data at any time. At The Village Surgery, individuals are requested to provide specific reasons why they object to the processing of their data. Where the reasons given do not engage an absolute right, The Village Surgery can refuse to comply.
4.8 Rights in relation to automated decision making and profiling
The ICO explains that Article 22 of the UK GDPR prevents this organisation from using solely automated decision making. This includes profiling.
5 Subject access requests
5.1 Recognising subject access requests (SAR)
The ICO states an individual can make a SAR verbally or in writing, including by social media. A request does not need to include the phrases ‘subject access request’, ‘right of access’, or ‘Article 15 of the UK GDPR’, it just needs to be clear that the individual is asking for their own personal data.
Staff at The Village Surgery are to encourage the use of the SAR form (included in the organisation’s Access to Medical Records Policy). However, they must accept that any requests that do not use the SAR form are to be processed.
5.2 Responding to a subject access request
The ICO advises that The Village Surgery must respond to a SAR without delay and within one month of receipt of the request. This time limit may be extended by a further two months if the request is complex, or if multiple requests are received from the individual. Should the request involve a large amount of information, The Village Surgery will ask the individual to specify what data they require before responding to the request. The time limit for responding to the request is paused until clarification is received.
5.3 Fees
As stated by the ICO, The Village Surgery is not permitted to charge a fee to comply with a SAR. However, a reasonable fee may be charged if the request is deemed to be manifestly unfounded or excessive, or if an individual requests further copies of their data.
5.4 Verifying the subject access request
The ICO explains that The Village Surgery must satisfy itself that the identity of the requestor is known or the identity of the person the request is made on behalf of. It is acceptable to request information to verify an individual’s identity. Note, the timescale for responding to a SAR does not begin until the requested information has been received. The organisation’s SAR form supports the data controller in verifying the request.
5.5 Supplying the requested information
ICO guidance explains that the decision on what format to provide the requested information in should take into consideration the circumstances of the request and whether the individual can access the data in the format provided. It is considered good practice to establish the individual’s preferred method before fulfilling their request.
5.6 Third party requests
The Village Surgery, as a data controller, must be able to satisfy itself that the person requesting the data has the authority of the data subject. The responsibility for providing the required authority rests with the third party. The Village Surgery will request that third parties use the BMA and Law Society consent form.
5.7 Requests from solicitors
The Village Surgery will receive SARs from third parties, such as solicitors, who have been authorised by a patient to make a SAR on their behalf. It is the responsibility of the third party to provide evidence that they are permitted to make a SAR on behalf of their client. If concern or doubt arises, The Village Surgery will contact the patient to explain the extent of disclosure sought by the third party.
The Village Surgery can then provide the patient with the data as opposed to directly disclosing it to the third party. The patient is then given the opportunity to review their data and decide whether they are content to share the information with the third party.
5.8 Requests from insurers
SARs are not appropriate should an insurance company require health data to assess a claim. The correct process for this at The Village Surgery is for the insurer to use the Access to Medical Reports Act 1988 when requesting a GP report.
5.9 Refusing to comply with a SAR
As detailed by the ICO, The Village Surgery will only refuse to comply with a SAR when an exemption applies or when the request is manifestly unfounded or manifestly excessive. In such situations, The Village Surgery will inform the individual of:
· The reasons why the SAR was refused
· Their right to submit a complaint to the ICO
· Their ability to seek enforcement of this right through the courts
Each request must be given careful consideration and, should this organisation refuse to comply, this must be recorded and the reasons for refusal must be justifiable.
6 Data breaches
6.1 Data breach definition
The ICO defines a data breach as a security incident that has affected the confidentiality, integrity or availability of personal data, including whenever any personal data is accidentally lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it without proper authorisation; or if the data is made unavailable and this has a negative effect on individuals. Examples of data breaches include:
· Access by an unauthorised third party
· Deliberate or accidental action (or inaction) by a data controller or processor
· Sending personal data to an incorrect recipient
· Loss or theft of computer devices containing personal data
· Alteration of personal data without permission
· Loss of availability of personal data
6.2 Reporting a data breach
The ICO explains that the UK GDPR introduced a duty on all organisations to report certain types of data breach to the relevant supervisory authority (the ICO) within 72 hours of becoming aware of the breach. If a breach is likely to result in a high risk to the rights and freedoms of individuals, the UK GDPR states that those individuals must also be informed directly and without undue delay.
The above must be assessed on a case-by-case basis by the organisation’s Data Protection Officer (DPO) and Senior Information Risk Officer (SIRO)/Caldicott Guardian. Therefore, a breach MUST be reported to the Information Governance Lead, DPO and SIRO/Caldicott Guardian within 24 hours of the organisation becoming aware of it so that an appropriate assessment can take place.
The Village Surgery will report the breach using the Data Security and Protection Incident Reporting Tool. Article 33 of the UK GDPR outlines the information required when reporting a breach. The ICO explains this information must contain:
· A description of the nature of the breach, including, where possible:
o The categories and approximate number of individuals concerned
o The categories and approximate number of personal data records concerned
· The name and contact details for the DPO
· A description of the likely consequences of the data breach
· A description of the measures taken, or proposed to be taken, to deal with the personal data breach and, where appropriate, of the measures taken to mitigate any possible adverse effects
6.3 Notifying a data subject of a breach
The ICO explains that if a breach is likely to result in a high risk to the rights and freedoms of individuals, this organisation must inform those concerned directly and without undue delay and before notifying the ICO. One of the main reasons for doing so is to permit those affected to take the necessary steps to protect themselves from the effects of a breach.
When the decision has been made to notify a data subject of a breach, this organisation is to provide those affected with the following information in a clear, comprehensible manner:
· The circumstances surrounding the breach
· The details of the person who will be managing the breach
· Any actions taken to contain and manage the breach
· Any other pertinent information to support the data subject
7 Consent
7.1 Obtaining consent
The ICO states that consent must be specific, informed, given by a clear affirmative action (an opt-in) and properly documented. Consent is one of the lawful bases of processing and, if appropriate, The Village Surgery is to offer people real choice and control over how their data is used. If it is deemed appropriate to obtain consent, the following must be explained to the data subject:
· Why the organisation wants the data
· How the data will be used by the organisation
· The names of any third-party data controllers with whom the data will be shared
· Their right to withdraw consent at any time
All requests for consent are to be recorded, with the record showing:
· The details of the data subject consenting
· When they consented
· How they consented
· What information the data subject was told
Consent is to be clearly identifiable and separate from other comments entered into the healthcare record. Furthermore, The Village Surgery must ensure that data subjects (patients) are fully aware of their right to withdraw consent at any time and must facilitate withdrawal as and when it is requested.
7.2 Parental consent
The DPA 2018 states that parental consent (in relation to personal data) is required for a child under the age of 13. Additionally, the principle of Gillick competence remains unaffected and parental consent is not necessary when a child is receiving counselling or preventative care.
For further information, refer to the organisation’s Consent Guidance.
8 Data mapping and Data Protection Impact Assessments
8.1 Data mapping
Data mapping is a means of determining the information flow throughout an organisation. Understanding the why, who, what, when and where of the information pathway will enable this organisation to undertake a thorough assessment of the risks associated with current data processes.
Effective data mapping will identify what data is being processed, the format of the data, how it is being transferred, if the data is being shared and where it is stored (including off-site storage if applicable). The organisation’s Register of Processing Activities (ROPA) details the process of data mapping at this organisation.
8.2 Data mapping and the Data Protection Impact Assessment
Data mapping is linked to the Data Protection Impact Assessment (DPIA) and, when the risk analysis element of the DPIA process is undertaken, the information ascertained during the mapping process can be used.
8.3 Data Protection Impact Assessment
The ICO explains that conducting a DPIA is a legal requirement for any type of processing, and a DPIA is the most efficient way for this organisation to meet its data protection obligations and the expectations of its data subjects. DPIAs are also commonly referred to as Privacy Impact Assessments or PIAs. In accordance with Article 35 of the UK GDPR, a DPIA should be undertaken when:
· A type of processing, using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons. In such cases the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks
· Extensive processing activities are undertaken, including large scale processing of personal and/or special data
DPIAs are to include the following:
· A description of the processing operations, including the purpose of processing
· An evaluation of the need for the processing in relation to the purpose
· An assessment of the associated risks to the data subjects
· Existing measures to mitigate and control the risk(s)
· Evidence of compliance in relation to risk control
It is considered best practice to undertake DPIAs for existing processing procedures to ensure that this organisation meets its data protection obligations. DPIAs are classed as “live documents” and processes should be reviewed continually. As a minimum, a DPIA should be reviewed every three years or whenever there is a change in a process that involves personal data.
8.4 Data Protection Impact Assessment process
The ICO explains that a DPIA process is formed of seven key elements:
1. Identify the need for a DPIA
2. Describe the processing
3. Consider consultation
4. Assess necessity and proportionality
5. Identify and assess risks
6. Identify measures to mitigate the risks
7. Sign off and record outcomes.
After sign-off, The Village Surgery will integrate the outcomes of the DPIA into the project plan while keeping the DPIA under review.
Page created: 16 June 2023