The Data Protection Act 2018 and General Data Protection Regulation (GDPR)


The duty of confidentiality in the UK is entrenched in common law and dictates that when information is disclosed in certain circumstances, such as in medical practice, it would be unethical for that information to be shared further.

This is also highlighted in Article 8 of the European Convention on Human Rights: Right to respect for private and family life, home and correspondence (https://www.echr.coe.int/Documents/Guide_Art_8_ENG.pdf):

  1. Everyone has the right to respect for his private and family life, his home and his correspondence. 

  2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.


In UK law the Data Protection Act 2018 and the General Data Protection Regulation outline how data must be kept and stored (https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/).

Article 5 of the GDPR sets out seven key principles which must be followed. Article 5(1) requires that personal data shall be:

“(a) processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’); 

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’); 


(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’); 

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’); 

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’); 

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).” 

Article 5(2) adds that: 

“The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”

The above can be summarised as the following core principles:

  • Lawfulness, fairness and transparency

  • Purpose limitation

  • Data minimisation

  • Accuracy

  • Storage limitation

  • Integrity and confidentiality (security)

  • Accountability



Article 9 of the GDPR also highlights a category of data called special category data, which the ICO lists as including:

“• personal data revealing racial or ethnic origin;

• personal data revealing political opinions;

• personal data revealing religious or philosophical beliefs;

• personal data revealing trade union membership;

• genetic data;

• biometric data (where used for identification purposes);

• data concerning health;

• data concerning a person’s sex life; and

• data concerning a person’s sexual orientation.”

It goes on to list specific conditions for processing ‘special category data’, which includes medical data: “Article 9 lists the conditions for processing special category data:

(a) Explicit consent

(b) Employment, social security and social protection (if authorised by law)

(c) Vital interests

(d) Not-for-profit bodies

(e) Made public by the data subject

(f) Legal claims or judicial acts

(g) Reasons of substantial public interest (with a basis in law)

(h) Health or social care (with a basis in law)

(i) Public health (with a basis in law)

(j) Archiving, research and statistics (with a basis in law)”

 

To ensure GDPR practices are implemented, NHS organisations are required to appoint a Data Protection Officer (DPO); you can find out more about this position by following the link below:

https://digital.nhs.uk/data-and-information/looking-after-information/data-security-and-information-governance/information-governance-alliance-iga/general-data-protection-regulation-gdpr-guidance


For a video summary on GDPR check out the video below:

Steve Johnson - EMEA information security manager for Orion Health - explains what the impending implementation of the General Data Protection Regulation mea...
