What is personal data?

For the purposes of the GDPR, personal data is any information that relates to or is about a living person. It includes facts, opinions and intentions in respect of individuals. Examples of personal data include names, addresses, telephone numbers or e-mail addresses, the content of medical records, and CCTV footage. There is a sub-category of personal data known as special category data. This category of data is considered to be more sensitive; examples include information relating to race, ethnicity, sexual orientation, political or religious beliefs, health (including genetics) and biometrics. This is similar to the existing concept of ‘sensitive personal data’.

What is processing?

This is defined as

“…any operation or set of operations which is performed on personal data … such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”

In other words, doing anything with personal data is ‘processing’ it.

Does it affect me?

Yes. The GDPR will apply to all organisations in the European Union responsible for processing personal data and will impose new requirements on the way personal data is processed and held. We expect the provisions of the GDPR will remain in force beyond the UK’s anticipated departure from the European Union in 2019.

If you act in a claims-handling capacity within an NHS Trust, you will be dealing with special category data on a daily basis. The most obvious example of this is the disclosure of patient medical records, which constitute ‘special category data’. Therefore anyone acting in a claims-handling capacity will be subject to the provisions of the GDPR and will need to demonstrate their compliance with those provisions.

What do I need to consider?

The GDPR provides six key principles which must normally be adhered to when processing personal data:

  1. Processing of data is lawful, fair and transparent.
  2. Processing is for a specified, explicit and legitimate purpose.
  3. Processing is adequate, relevant and limited to what is necessary.
  4. Personal data should be accurate.
  5. Personal data should not be kept for longer than necessary.
  6. Processing should ensure the data is kept confidential, safe and secure.

There are some exemptions from the obligations to be fair and transparent where data is being processed for the purposes of establishing, exercising or defending legal rights. This largely reflects the existing law.

As well as acting in accordance with the six principles above, you need to be able to justify the use of data. From a claims-handling perspective the processing of personal data, such as medical records, could be justified on the following grounds:

  1. Processing is necessary for the purposes of the management of healthcare services.
  2. Processing of the data is necessary for the establishment, exercise or defence of legal claims.
  3. Processing of the data is necessary to protect the vital interests of the patient where the patient is physically or legally incapable of giving consent.

In other words, where one of these grounds applies you do not need consent to handle personal data for the purposes of the GDPR (and particularly in the case of legal claims). However, in appropriate circumstances having patient authority is fairer and more respectful, and also helps you to comply with other requirements, such as common law confidentiality.

How will GDPR affect me?

The GDPR will provide enhanced individual rights to patients in respect of their access to data and how it can be processed. For claims handlers the most important points are:

  • Patients will now have access to their records free of charge.
    • A ‘reasonable’ fee can be charged, but only for requests for further copies of the same information or where requests are unfounded or excessive.
      • Requests for updated records must be provided free of charge. However, requests for records which have previously been provided can be charged for.
    • Remember that the GDPR only applies to living individuals. Requests for records relating to a deceased person are not covered by the GDPR and remain subject to the Access to Health Records Act 1990, for which a fee is payable.
    • You should still verify the patient’s identity.
  • The timescale for provision of records is one month from receipt of the request.
    • This can be extended by a further two months where necessary, taking into account the complexity and number of the requests.
    • If this extension is required, the patient must be informed within one month of receipt of the request, together with the reasons for the extension.
  • The exemptions from subject access are very similar to the existing law and will be set out in the Data Protection Act 2018.
  • Patients will have increased rights to receive data in a structured, commonly used and machine-readable format and can also request that it is transmitted to another controller.
    • For the majority of claims, requests for records will come from solicitors rather than the patient themselves. Provided explicit authority has been given, records can be transferred to solicitors.

More broadly, data controllers are required to be able to ‘demonstrate compliance’ with the GDPR. This means having systems, policies, processes and training in place to ensure that everyone who interacts with personal data knows how it should be used. Your organisation should have a ‘Data Protection Officer’ in place, who acts as a point of contact and source of advice. The organisation should maintain a (general) record of its processing activities, and this should include the work of the legal services and records departments. Obligations to report incidents (which are already mandatory for NHS organisations under the Information Governance Incident Reporting framework) are put on a statutory footing.

What is the most important thing to get right?

We would always advocate the security of personal data as a key priority. This means using privacy-enhancing technology (such as encrypting CDs of records) and taking care that the right information is seen by the right people (for instance, carefully reviewing records prior to disclosure to ensure that the correct information is being disclosed).

What are the penalties for non-compliance?

There is a range of enforcement options available to the Information Commissioner to investigate and take action if processing does not comply with the law. As is well known, financial penalties under the GDPR are up to a maximum of €20 million or 4% of turnover, but there are many other enforcement options available. Additionally, individuals can bring a legal claim on their own account if they believe their data protection rights have been infringed.