The following Q&A has been produced following the local multi-agency GDPR event held at Exeter Racecourse in January and captures some of the themes raised:
Storage limitation: How will we see this covered, as we cannot delete old patient records from clinical systems?
Current guidance on the retention of electronic records is that they are not deleted, so this would need to be changed if this were to become a requirement. See the NHS Records Retention Schedule.
Transfer of medical records: who is the data controller when City Link collect/deliver medical records?
City Link becomes the data processor; responsibility then transfers to the eventual recipient on receipt.
Does the Royal Mail count as a data processor?
As the data is sealed, how was the data sent? Recorded delivery should really be used for any sensitive data, so that a signature is available to prove receipt.
Transfer of notes: where does the responsibility sit if lost in transit?
Notes transfer becomes the responsibility of the data processor, i.e. Capita, whilst in transit.
What about out of pocket expenses for GPs in regard to SARs?
This would have to be reviewed on a case-by-case basis. All SARs should be addressed as part of your normal business processes, so we would need to know what would constitute an out-of-pocket expense. Printing off the records of a patient to comply with a SAR cannot be charged for. Copying the data for a patient onto an encrypted memory stick is debatable, as these are expensive. If the request is for multiple copies of records, then reasonable charges can be applied. Encouraging patients to use Patient Online access to records, including detailed coded records, which is contractual, is probably the best way of avoiding additional expense.
How does GDPR affect summary care records?
As it stands, NHS England/NHS Digital do not plan to change this, but this is something that will be addressed, as we receive further guidance on the processes currently/historically used by the NHS.
What about practices who participate in research?
There are specific requirements in relation to research, and in most instances explicit consent is required for processing high-risk data, which includes health data. The Health Research Agency is currently looking to provide additional guidance in relation to this, but all research should already be compliant with good governance and with the current DPA.
Referral via DRSS? What happens if a patient opts out of sharing data?
This is highly unlikely, as this is encompassed under direct care, and if the patient wants to be treated, the National Data Opt-out does not apply. If the patient has opted out of any sharing of information, this would need to be upheld, but it should not stop the referral process.
Do we legally have to inform/send our privacy notice to all registered patients?
This should be included on practice websites, in leaflets available from the practice, and on any other medium practices wish to employ. Practices do not have to write to all their patients with the privacy notice.
Do we need a privacy notice for employees?
Yes, this is best practice.
Employee records: How do we know what to keep and for how long, e.g. HMRC and NHS Pensions can request information years later?
Guidance on document retention schedules is provided here.
What are the risks of ‘cloud’ data?
NHS Digital has recently produced guidance on the use of “Cloud”: More information is available here.
What are the implications for off-site storage of paper records?
Where this has been implemented, the contract with the storage company, as a data processor, should cover all aspects of data protection in relation to this question. If it doesn’t, then contact the supplier to request that it does. Under GDPR, data processors are equally liable with the data controller for the protection of data subject rights.
How do we find out what data we might store without knowing it, e.g. website; electronic surveys?
This should become evident as part of your data mapping process schedule. If you use electronic surveys, consider where the data is stored; for example, SurveyMonkey is an American company, so any storage of personal data as part of the survey should have been risk assessed.
What are the implications around staff/other details on a PM’s mobile phone/minutes of meetings discussing a staff member’s behaviour?
Storage of personal data on a personal mobile device should be discouraged, but we appreciate that this is not always expedient, as it could restrict the job role of the individual. This should really be covered by a practice policy, even if it only applies to a single individual.
What is a reasonable effort/disproportionate effort to protect data/comply with GDPR and at what point would this apply?
The GDPR states that multiple SARs, multiple requests for copies of data, etc. can be charged for, but there is no definition of reasonable effort or disproportionate effort in relation to GDPR compliance.
Will the new act have different timescales for holding data?
We record all telephone calls and this is stored on a computer – do we have to tell callers again that the call is being recorded as well as on the welcome message?
If you have informed via the welcome message, then this is sufficient.
When patients call the surgery we have a message informing them that all calls are recorded – should we be telling patients that calls are recorded when we call them?
If they are, then yes, they should be informed, and the right to object may also have to be applied. Can you turn this off, or is it automatic? What is your retention schedule for keeping the recordings?
Patient participation groups – we have a list of emails on an internal website which does not identify patients. How should we manage this?
If the PPG members are also patients, and they are, their email addresses are considered personal data, so the same process should be applied to this list, and it should be treated as an information asset.
In my practice we have a room in which letters are put into doctor’s trays. This room is accessible to all staff including cleaners.
CQC would expect this room to have a locked door, or a Simplex lock, to protect the information stored within. Letters are personal data, so they should be treated in the same way as all other confidential records.
Documents for shredding go into unlocked cupboards which are potentially accessible.
Lock the cupboards.
Sharing for data referrals – this is often pre-determined by the receiver. Should we be concerned by this?
See the previous answer on referrals.
Does consent need to be reviewed/renewed?
Is consent the correct legal basis for whichever service or process it is being applied to? General guidance is that, wherever possible, consent should not be used as the legal basis. See the Information Commissioner’s Office website for further definition.
EMIS keeps data on inactive patients – we have no control over this. How will this affect us when it comes to storage limitation?
Data retention for electronic records applies here as well, but this question should also be addressed to your clinical system supplier. Access to inactive records should be restricted, if possible.
SARs – is online access acceptable?
Yes, and this should be the default for access to electronic records. Article 15 of the GDPR states: The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
Where do we log changes to SARs?
Maintain a local SAR log, which will include your current processes.
How long should records be held, e.g. complaints, solicitors, coroner, police, safeguarding, DVLA, DWP, schools?
What is the guidance on requesting SAR info on teenagers?
GDPR and the UK DPA 2018 set the age for processing information on teenagers at 13. The ICO is still out to consultation on this provision under GDPR, so current guidance is still likely to apply.
Can we charge for copying records under a SAR?
GDPR introduces a no-fee process for SARs. However, Article 12 states:
Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:
A: charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
B: refuse to act on the request.
The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
How should we deal with vexatious requests?
See answer above.
Will there be any funding from NHS England to help with the cost of appointing a DPO; for training; for compliance?
Doubtful. The Five Year Forward View monies may be applicable to this request, but this is not a question we can really answer.
SystmOne – we get tasks ‘accessed by another organisation’ and we don’t know who, and unless we action it, it stays there. Can we say OK?
New guidelines for TPP’s Enhanced Data Sharing Module (EDSM) are likely to address this issue.
If a file of a previous staff member is retained for a long time, e.g. pension information, is this valid even when other information in there may not need to be kept?