Presentation is loading. Please wait.

Presentation is loading. Please wait.

Is your medico-legal practice GDPR compliant?

Published byArron Lewis Modified over 5 years ago

Similar presentations

Presentation on theme: "Is your medico-legal practice GDPR compliant?"— Presentation transcript:

1 Is your medico-legal practice GDPR compliant?

2 What does that mean? The General Data Protection Regulations came into force in May 2018, replacing the Data Protection Act 1998 The GDPR sets out how organisations must handle personal data There are additional rules for health records as they are considered to be a special category NB. information about a deceased person is not subject to the GDPR The GDPR will still matter to the UK after Brexit. The Data Protection Act 2018 incorporates the GDPR into English law. After the UK has left the EU, our data protection laws will almost mirror those of the EU.

3 Why does it matter to me? As a medico-legal expert, you could be considered to be a data controller You will be using personal data, determining the means of the processing and the purpose of the processing As a data controller, you have specific obligations under the GDPR The ICO has the power to fine you if you do not comply NB. If you have already taken the following steps in relation to your private medical practice, you must still take these steps, separately, in respect of your medico-legal work You need to assess and minimise the risk to the data subject & your instructing solicitors. You must have an up to date record of what data you hold, why you hold it and where you hold it.

4 What are my obligations?
Register online with the Information Commissioner’s Office Pay the fee and be added to the Data Protection Register Report any data protection breach within 72 hours Follow the 7 principles set out in Article 6 of the GDPR …what are the 7 principles? Data controllers are accountable for what they do with personal data and how they protect it. You must need demonstrate how you comply with the legislation: clear, documented processes, ie. you must both comply AND demonstrate compliance.

5 GDPR 7 principles 1. Lawfulness, fairness & transparency
On what basis are you collecting and processing this data? GDPR Article 6(f) legitimate interests Healthcare records are a special category of personal data, so your reason for processing them must also meet a GDPR Article 9 ‘special condition’ for use. Use Article 9(2) ‘…establishment, exercise or defence of legal claims.’ Is your data processing for fair use? A negative effect on the data subject does not make your processing unfair Is your data processing transparent? Do people know who you are and why you are using their data? You would set this information out in your privacy notice and in your data audit records…documentation matters! Legitimate interest – that is, the litigation in which you are instructed to act. Still, always worth knowing that the claimant solicitor has the relevant consent for access to and use of the health records, including a that they have provided the claimant a summary of parties likely to access/use them.

6 GDPR 7 principles 2. Purpose Limitation
Why are you processing the data; what is your remit? 3. Data Minimisation Is the data you hold relevant for you to fulfil your remit? 4. Accuracy Is the data you are using accurate and up to date for your requirements? Documentation! It can be brief, but you should identify what information you have, what it is for, whether it is sufficient for your purpose.

7 GDPR 7 principles 5. Storage Limitation
How long should you keep the data and why? You must carry out periodic reviews/audits NB. 6 year limitation for professional negligence claims 6. Security Principle You are responsible for secure storage and transfer of the data Consider: encryption; data rooms; couriers for hard copies; secure filing Security: Tip: document all risks to the data and how those risks will be controlled. Eg. being ed to wrong person…you double check your before sending/disable autocomplete; being left on a bus…you don’t take them on public transport! Are your systems adequate to identify potential data breaches before they occur. Can you flag up adverse incidents in time to comply with the deadlines for reporting (72 hours). NB. Security also covers things like working on public transport – on laptops, on phones, in discussion with colleagues. See, for example: ICO Audit team say: The main areas of weakness that we have found when we have audited Records Management: lack of formal RM framework – including a lack of any training programme incorporating RM; and then a failure to monitor training attendance against KPIs lack of regular internal audit, compliance monitoring & reporting, or external assurance in the area of records management lack of effective security for manual records especially when being transported or transferred AND/OR a lack of effective retention and destruction controls for both electronic and manual records

8 GDPR 7 principles 7. Accountability
You are responsible for compliance and you must demonstrate how you do so Ensure those you work with are also compliant, eg. instructing solicitors, administrative assistants, storage facility Document everything: reasons for holding and processing the data; annual or regular review of data library; choice of encryption and storage of the data; maintain records with the ICO Maintain and publish an up to date privacy policy Do your contracts with data processors meet the GDPR requirements? You may well enter into a data processing or data sharing agreement. You must ensure they also have compliant processes and be satisfied that they will be implemented. Check they are on the register Your privacy policy must be concise, transparent, intelligible and easily accessible; written in clear and plain language; and free of charge. Many people post it on their website.

9 Additional resources Information Governance Alliance @NHSDigital
governance/information-governance-alliance-iga/general-data-protection-regulation-gdpr-guidance#when-guidance-is- being-published Complete Guide to GDPR compliance (includes documents on which to base your privacy policy and data processing agreement) We don’t offer template policies. It is important to read what the required content is and then write your own. This is the best way to ensure you understand the requirements on you as a data controller and the practical implications for your business. However, it is of course helpful to have some documents to read by way of guidance.

10 Additional resources Write down your data audit policy, and then be sure to carry it out. Talk to colleagues about what they do, share good practice. Here's a sample register of information you might need. Do not overwrite info, add info. Write down how regularly you will review all the records, and do it. When there is a significant change in your role in a case (it settles, it is appealed etc) update that one record. It will save you time when you do a regular review if you know that your records are up to date. Make a note on this register if you are taking records out for any reason – conference/client appointment etc. And update risks/steps to mitigate. Note when they are returned. If you review and there’s been no change, perhaps contact instructing solicitors for an update. Mention why you’re asking!

Download ppt "Is your medico-legal practice GDPR compliant?"

Similar presentations

Property of Common Sense Privacy - all rights reserved 01875340890 THE DATA PROTECTION ACT 1998 A QUESTION OF PRINCIPLES Sheelagh F M.

Property of Common Sense Privacy - all rights reserved THE DATA PROTECTION ACT 1998 A QUESTION OF PRINCIPLES Sheelagh F M.
Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.

Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.
The EU General Data Protection Regulation Frank Rankin.

The EU General Data Protection Regulation Frank Rankin.
General Data Protection Regulation (EU 2016/679)

General Data Protection Regulation (EU 2016/679)
Data Protection Regulation

Data Protection Regulation
GDPR 12 POINTS 679/2016 DATA LEX 2016.

GDPR 12 POINTS 679/2016 DATA LEX 2016.
General Data Protection Regulation (GDPR)

General Data Protection Regulation (GDPR)
Accountability & Structured Privacy Management

Accountability & Structured Privacy Management
PowerPoint presentation

PowerPoint presentation
Overview General Data Protection Regulation (GDPR)

Overview General Data Protection Regulation (GDPR)
Microsoft 365 Get help with regulatory compliance

Microsoft 365 Get help with regulatory compliance
Presentation to GTMC on GDPR

Presentation to GTMC on GDPR
GDPR – What’s it all about???

GDPR – What’s it all about???
General Data Protection Regulations: what you really need to know

General Data Protection Regulations: what you really need to know
General Data Protection Regulation

General Data Protection Regulation
General Data Protection Regulations Preparing for the upcoming changes in data protection law David Jones & Angharad Williams.

General Data Protection Regulations Preparing for the upcoming changes in data protection law David Jones & Angharad Williams.
Museums + Heritage webinar, 30 November 2017

Museums + Heritage webinar, 30 November 2017
GDPR Overview Gydeline – October 2017

GDPR Overview Gydeline – October 2017
GDPR Overview GDPR - General Data Protection Regulations

GDPR Overview GDPR - General Data Protection Regulations
GDPR support January GDPR support January 2018.

GDPR support January GDPR support January 2018.

Similar presentations

Ads by Google