The European Union’s General Data Protection Regulation (GDPR) came into effect on 25th May 2018, extending the rights of individuals regarding the collection and processing of their personal data. The GDPR acts as a means of protecting personal data for EU residents across the globe.
Health and social care organisations are subject to stricter guidelines on the collection, processing and storage of individuals’ data. The penalty for non-compliance with the GDPR has increased significantly compared with the powers given to the Information Commissioner’s Office (ICO) under the DPA (Data Protection Act 2018).
It is essential for health and social care workers to fully understand their responsibilities under GDPR. Since health and social care and other voluntary sector organisations handle huge amounts of personal and sensitive data, GDPR is an important development. Serious failures to comply with the legislation can result in fines of up to 20 million euros or 4% of annual global revenue. Charities are not exempt from these fines.
FREE GDPR in Health and Social Care Training Course with Certificate - Online GDPR and Data Security Awareness E-Learning Course - Information Governance (IG) Compliant.
Here at The Mandatory Training Group, we receive many enquiries from health and social care providers relating to GDPR and data security awareness training. Below, we have listed the most frequently asked questions relating to GDPR in health and social care settings.
GDPR stands for General Data Protection Regulation, a regulation in EU law on data protection and privacy for all individual citizens of the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA.
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union (EU).
The EU GDPR (General Data Protection Regulation) came into effect on 25 May 2018, extending the rights of individuals regarding the collection and processing of their personal data. Health and social care organisations are subject to stricter guidelines on the collection, processing and storage of individuals' data.
From May 25, 2018, the General Data Protection Regulation (GDPR) will significantly change the way healthcare organisations use and store all their personal information. The changes for data protection will be the biggest across Europe since 1995 and the UK since the Data Protection Act (DPA) in 1998. Most data security professionals agree it’s a radical change and long overdue.
Personal data must be adequate, relevant and limited to what is necessary and care providers should only have access to relevant health and medical records. Personal data shall be kept for no longer than is necessary and personal data no longer needed should be destroyed or anonymised.
The GDPR acts as a means of protecting personal data for EU residents across the globe. This means that any business or organisation that processes or stores the data of EU residents is subject to GDPR rules and regulations, regardless of whether the healthcare facility physically operates in European Union countries.
Yes, the NHS is implementing GDPR within NHS Digital. They have built on their track record of data security and compliance with the Data Protection Act 1998 (DPA) to remain compliant with changing data protection law. They established an internal working group to implement the GDPR before it came into effect.
All organisations handling personal data need to have comprehensive and proportionate arrangements for collecting, storing and sharing information. The GDPR and the Data Protection Act 2018 do not prevent, or limit, the sharing of information for the purposes of keeping children and young people safe.
GDPR compliance checklist for health and social care. The EU GDPR (General Data Protection Regulation) came into effect on 25 May 2018, extending the rights of individuals regarding the collection and processing of their personal data.
The European Union's General Data Protection Regulation (GDPR) comes into force on 25th May 2018, regardless of Brexit. The legislation gives new rights and greater protection to data subjects.
GDPR enhanced existing protections for the personal data and privacy of individuals in the EU. It also extended the reach of those protections beyond organizations based in the EU, including US-based hospitals that “offer goods and services” to individuals in the EU or “monitor the behaviour” of such individuals. Organizations subject to GDPR on one or both of these bases must comply with restrictions on data that go beyond the reach of the Health Insurance Portability and Accountability Act (HIPAA).
General Data Protection Regulation (GDPR) guidance. This guidance from the national GDPR working group and IGA will help the NHS, social care and partner organisations prepare for EU General Data Protection Regulation (GDPR) when it begins in May 2018.
Yes. It applies to all companies processing personal data where the data subject resides within the European Union, except when processing takes place for law enforcement purposes. GDPR refers to The General Data Protection Regulation.
The mutually agreed General Data Protection Regulation (GDPR) came into force on May 25, 2018, and was designed to modernise laws that protect the personal information of individuals. It also boosts the rights of individuals and gives them more control over their information.
Yes, the GDPR extends the rights of individuals regarding the collection and processing of their personal data. NHS Digital will collect personal data in the form of patients' NHS Numbers. The NHS Number is a unique number used to identify patients and match them to their health records. It is an identifiable, personal data item. No other personal data items, such as Name, Address, Postcode or Date of Birth, will be collected.
The GDPR sets out seven key principles. These principles should lie at the heart of your approach to processing personal data.
Under the GDPR and Data Protection Act 2018 you may share information if:
Sharing of information between practitioners and organisations is essential for effective identification, assessment, risk management and service provision. Fears about sharing information cannot be allowed to stand in the way of the need to safeguard and promote the welfare of children and young people at risk of abuse or neglect.
In certain cases, personal data cannot be shared unless you have the explicit consent of the data subject, especially when the personal data being shared is sensitive or confidential.
Despite all the noise around GDPR, the eight principles of data protection laid out in the 1998 Data Protection Act will remain relevant, with changes to some of the key principles.
Below are the eight principles of the Data Protection Act:
The General Data Protection Regulation (GDPR), which comes into effect at the end of May, will modernise and overhaul the legal framework for privacy and the protection of personal data including health and medical records across the EU.
The previous European Data Protection Directive utilised much more of a light-touch approach than GDPR, setting out aims and requirements for data protection standards that were then implemented through national legislation, such as the UK's Data Protection Act. By contrast, GDPR is a binding piece of regulation, which will be legally enforceable as soon as it comes into effect on May 25th, and will apply to all EU nations and every company holding data on EU citizens.
Information governance and GDPR are mutually reinforcing. At the heart of both is the need to understand what information an organization has, how it is used, how it needs to be managed, how it needs to be protected, and its importance to the organization’s operations. For those organizations looking for a catalyst to advance information governance, the GDPR is the perfect stimulus. For those organizations with mature information governance programs, preparing for the GDPR will be more streamlined.
A recruitment company's clients will drive compliance with their supply chain. Recruitment agencies will be required to verify that they are GDPR compliant. This is simply a case of larger organisations managing risk.
GDPR affects all companies with offices in the EU and any companies processing the data of European residents irrespective of where they are in the world.
Records management in the context of GDPR deals with the creation, retention and storage and disposition of records. A record can either be a physical, tangible object, or digital information such as a database, application data, and email.
Candidates are the data subjects because they can be identified through personal data they give to companies. For example, their resumes may include their names, physical addresses or phone numbers. The GDPR exists to protect this kind of data.
This will depend upon whether you are providing healthcare as part of the NHS or on a private basis. Public authorities such as NHS trusts and NHS foundation trusts, and private providers who have been commissioned by NHS England or a CCG to provide NHS services, are carrying out a ‘public task’ and may lawfully process a patient’s personal data where necessary for this purpose.
Providers of private healthcare need to find a different lawful basis, for example, that the processing is necessary for the performance of a contract with that patient.
Yes, there are no exemptions. All controllers and processors of personal data must maintain up-to-date records of processing activities under their responsibility (this is sometimes called information asset management or data flow mapping).
Yes. Whenever you collect personal data, you must provide accessible information to individuals detailing how you plan to use their data; the most common way to provide this information is in a privacy (or fair processing) notice. The GDPR specifically states what information must be provided, so you need to make sure your privacy notice covers this.
It depends. You must appoint a DPO if you are a public authority or treated as one under the Freedom of Information Act 2000 (e.g. if you are an NHS primary care contractor).
If your organisation is not a public authority, whether or not you need a DPO depends upon whether you process special category data as part of your core activities, or perform regular or systematic monitoring of data subjects, on a large scale. EU guidelines suggest that processing of patient data by a hospital is large-scale, whereas processing by an individual healthcare professional is not. If you find yourself somewhere between these two examples, we recommend that you consider the appointment of a DPO; this will both ensure compliance with GDPR and enhance the accountability and governance of your organisation.
The Access to Health Records Act 1990 has been amended and no longer permits you to charge for an application to access the health records of a deceased patient.
The most likely policies requiring review (or implementation if you don’t have one already) for GDPR compliance are:
There will be a two-tiered system for fines: up to €10 million or 2% of global annual turnover, or up to €20 million or 4% of global annual turnover.
Generally speaking, breaches of controller or processor obligations will be fined within the first tier, and breaches of data subjects’ rights and freedoms will result in the higher-level fine. Both tiers are significantly higher than the previous maximum penalty (£500,000).
Remember, these are maximum penalties. Not all GDPR breaches will incur the maximum fine; the ICO will consider the nature, gravity and duration of the infringement, as well as the types of personal data affected, any previous infringements and level of cooperation.
The GDPR applies to ‘personal data’, which means any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
There are additional rules in the GDPR for organisations processing special category data. This includes information about an individual’s health.
Not as such, as privacy notices must be specific to the processing in question. However, we have summarised the information that should be included in a privacy notice in our right to be informed section of the Guide to the GDPR.
Probably. The Data Protection Act (when passed) will define ‘public authority’. However, it is likely that if you are a public authority as defined under the Freedom of Information Act 2000, or Freedom of Information (Scotland) Act 2002, as many GP practices, dental practices, other health practitioners and pharmacies that carry out NHS work are, you will be a public authority for the purposes of the GDPR.
Holding back-up data has implications for an individual’s rights, especially the rights to rectification, erasure, restriction and objection. There is more detail on individual rights in the Guide to the GDPR.
If you needed to register under the Data Protection Act 1998, then you will probably need to pay a relevant fee, under the Data Protection (Charges and Information) Regulations 2018.
This means that paying the fee is now a legal requirement. However, this doesn’t mean everyone now has to pay the new fee. Although GDPR came into effect on 25 May 2018, some organisations will be exempt, and Data Controllers who have a current registration (or notification) under the 1998 Data Protection Act will not have to pay the new fee until that registration has expired.
Not necessarily. You must have a valid lawful basis in order to process personal data. Consent is one of the lawful bases, but there are alternatives. There are six bases available in total and no single basis is ’better’ or more important than the others. Which basis is most appropriate to use will depend on your purpose and relationship with the individual.
You must have a lawful basis for processing all personal data within your organisation and this needs to be recorded in your register for processing activities. The six reasons are set out in Article 6 of the GDPR.
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Under the GDPR, organisations must notify the ICO of a breach within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to the rights and freedoms of individuals. Organisations must also notify those concerned, where a breach is likely to result in a high risk to their rights and freedoms without undue delay.
If you use a data processor, and they suffer a breach, then they must inform you without undue delay as soon as they become aware. You are responsible for the breach-reporting obligations under the GDPR.
The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
The GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.
Data plays a critical part in both digital and direct marketing strategies and therefore marketers must ensure they have demonstrated clear compliance and consent. CMOs and marketers must demonstrate how the data subject has consented to the processing of their personal data. Marketing databases have to be cleansed and reviewed to ensure that the organisation can identify consent which has been granted lawfully and fairly. Although GDPR only affects citizens living in the European Union, it is recommended that companies that operate internationally ensure all of their global audience is GDPR compliant to meet stringent data regulations in the future.
Parental consent is required to process the personal data of children under the age of 16 for online services; member states may legislate for a lower age of consent but this will not be below the age of 13.
Proposed regulations surrounding data breaches primarily relate to the notification policies of companies that have been breached. Data breaches which may pose a risk to individuals must be notified to the relevant data protection authority (DPA) within 72 hours and to affected individuals without undue delay.
If the GDPR deadline has been missed, it is imperative that the business in question acts urgently to become compliant. Demonstrating strong data rights management is important to both customers and employees; they should understand why the data is collected and how it is handled on a legal basis. Current business data processes need to be looked at as an immediate priority so that the company doesn’t risk non-compliance penalties.
This online GDPR for Health and Social Care training course should be completed by those who work in health and social care services, including:
There is no absolute ‘right to be forgotten’.
People can ask for their personal data to be erased, but only when there is no compelling reason for its continued processing.
Requests will have to be assessed on their own merits. However, care providers, for example, will likely have a very good reason for processing much of the personal data they hold for the purposes of providing medical care.
Any organisation which processes and holds the personal data of data subjects residing in the EU is obliged to abide by the laws set out by GDPR. This applies to every organisation, regardless of whether or not they themselves reside in one of the 28 EU member states.
Under GDPR, organisations have to ensure that personal data is gathered legally and with consent from the individual. Those who do collect it are obliged to protect it from misuse and exploitation.
If a data breach does happen, if information gets lost or stolen, for example, organisations are required under GDPR to report them to the relevant supervisory authority within 72 hours of them becoming aware of it.
Much like the Data Protection Act 1998, GDPR applies to personal data, meaning any information relating to an identifiable person who can be directly or indirectly identified by reference to an identifier.
The GDPR has introduced a tiered approach to fines, meaning that the severity of the breach will determine the fine imposed.
The maximum fine a company can face is 4% of its annual global turnover, or €20 million, whichever is higher. Less serious violations, such as keeping improper records or failing to notify of a breach, can be fined a maximum of 2% of annual global turnover, or €10 million.
If a company processes data about individuals in the context of selling goods or services to citizens in other EU countries then it will need to comply with the GDPR, regardless as to whether or not the UK retains the GDPR post-Brexit. If activities are limited to the UK, then the position after the initial exit period is less clear.
The following are the rights of individuals under the GDPR:
The UK Information Commissioner’s Office (ICO) states that if an organisation processes personal data of EU residents, it is obligated to instil comprehensive, yet commensurate, means of governing that data. Processing includes collecting, storing, altering, retrieving, transmitting, using, erasing, or otherwise performing any operation on data. Practices and tools championed by the ICO (e.g., privacy impact assessments and privacy by design) are now legally required by GDPR. Consequently, organizations whose activities fall within the scope of GDPR must implement new policies and procedures to comply with GDPR. The goal of these measures is to reduce the occurrence of breaches while safeguarding personal data.
The Mandatory Training Group is the leading UK provider of accredited health and social care training courses, e-learning programmes and regulated qualifications.
All our information governance (IG), GDPR and data security awareness courses are externally peer reviewed and accredited by the CPD Certification Service (CPDUK).