New EU data protection laws – the GDPR
On 25 May 2018, the General Data Protection Regulation (GDPR) came into force across the EU. Click here for the full text of the Regulation. Our office worked substantially to influence these new rules to ensure the best possible outcome for the NHS.
The UK passed a new Data Protection Act (2018), which implements the derogations and brings the GDPR into domestic law in preparation for the UK leaving the EU.
The UK Government has set out its ambitions for securing an ‘adequacy plus’ agreement with the EU to ensure data is able to flow across borders after Brexit. During the Brexit negotiations, it will argue for building on standard adequacy approaches to reflect the close partnership between the UK and the EU on data protection issues.
Guidance for NHS organisations
The Information Governance Alliance has published a suite of guidance highlighting the actions that health organisations and arm’s-length bodies need to consider to prepare for and comply with the EU General Data Protection Regulation (GDPR). Our office has provided support to the working group tasked with producing this advice. The guidance for NHS organisations can be found here.
For NHS organisations involved in research, the Health Research Authority (HRA) has also produced complementary guidance for the health and social care research community.
This blog from the Medical Research Council dispels some of the myths of the GDPR and explains what research organisations need to know about the new data rules, outlining what changes they will need to make to existing research practice.
In England, a new national patient data opt-out is being implemented at the same time as GDPR. This will allow patients to opt out of their confidential patient information being used for purposes beyond their individual care, and will be rolled out across all health and care organisations. This is in line with the recommendations of the National Data Guardian.
More information from across the EU
Our office has produced a briefing with the European Hospital and Healthcare Federation (HOPE) to prepare commissioners, hospitals and other health and care providers for the main changes that can be expected. Download your copy. Read also our blog on what the changes mean for NHS organisations and download our presentation on the impact of the General Data Protection Regulation on EU collaborative research from the May 2017 ISC seminar.
Work is also underway on drafting a code of conduct for health research. These codes are mentioned in the GDPR and, if approved by the European Commission, could become ‘soft’ law in the future. Visit this page and subscribe for updates.
The Information Commissioner’s Office also has a helpful webpage to update UK stakeholders on GDPR implementation.