- Faculty of Occupational Medicine - http://www.fom.ac.uk -

Dealing Dutifully with Data

So, have you and your colleagues been pondering the implications of new EU General Data Protection Regulation (GDPR) and whether it will still apply to us in the UK post Brexit? Well, some of our members have been thinking about this and our legal and ethical experts, Steve Boorman, Diana Kloss and Mark Landon have shared their thoughts on the subject. I am sharing a summary of their views below.

Since we will still be in the EU in May 2018 the Regulation will automatically come into force as it does not need implementing domestic legislation. The Information Commissioner’s Office (ICO) has published a statement confirming that, after leaving the EU, the GDPR will not directly apply to the UK but that if the UK wants to trade with the Single Market on equal terms then it will have to prove “adequacy” by May 2018. We also understand that last October the Secretary of State, Karen Bradley MP, confirmed to the Culture, Media and Sports Select Committee that the UK will be implementing the GDPR in May 2018. Further information is being regularly published by the Information Commissioner on his website, https://ico.org.uk [1].

So, in a nutshell, the regulation will apply to us. However, our FOM experts don’t think it will mean fundamental changes for Occupational Physicians and OH providers because the data protection principles now contained in the Data Protection Act will remain. However, the regulation will substantially increase penalties for breach and in some cases require the appointment of a data protection officer. Legal duties will be imposed not only on data controllers but also on data processors.

Interestingly (and positively), the regulation will also outlaw obtaining consent by requiring the removal of a pre-ticked box rather than obtaining positive agreement by ticking a box (something of which high profile companies have been guilty). In addition, it will require notification of any breach and will allow the data subject in some cases to ask for data to be deleted. Pseudonymised data is defined for the first time and may be used in research without individual consent, as long as the researcher is in practice unable to identify the patient.

At present, there is no clear statement as to whether and how health records in manual form are included, nor whether there will continue to be exceptions to the right of subject access to medical records, nor whether the exemption for medical records disclosed in the public interest (e.g. cancer registries) will continue. EU member states are permitted to derogate from the GDPR in some circumstances, so we may see new UK derogations or re-enactments of existing derogations in future.

What is certain is that the issue of consent is highly pertinent here. January 2017 saw the publication of the GMC’s revised confidentiality guidance, which you can access here http://www.gmc-uk.org/guidance/news_consultation/30319.asp [2]. And it is important that patients and employees actively engage in the current GMC consultation on consent. Do please encourage participation by visiting http://www.gmc-uk.org/guidance/news_consultation/30001.asp [3].

Do contact us [4] if you have any questions or comments of a legal or ethical nature and we shall endeavour to respond where we can.
