General Data Protection Regulation 2016 (GDPR)
The EU General Data Production Regulation (GDPR) came into UK law on 25 May 2018. It replaces the Directive that is the basis of the UK Data Protection Act 1998 (DPA), which has been replaced by the DPA 2018. It is expected that the provisions of the GDPR will remain in force post-Brexit.
Although in general the principles of data protection remain similar to the DPA (1998), there is greater focus on evidence-based compliance for transparency and openness of data processing in King’s College Hospital NHS Foundation Trust (the Trust); demonstrating compliance with regulations and delivery of your rights.
The GDPR introduces the principle of ‘accountability’ that requires us to demonstrate compliance with the processing of personal data. Personal data refers to information that can identify an individual.
The key obligations to support this include:
- The recording of all data processing activities identifying the lawful justification and data retention periods
- Routinely conducting and reviewing data protection impact assessments where processing is likely to pose a high risk to individuals’ rights and freedoms
- Assessing the need for data protection consideration at an early stage, and incorporating data protection measures by default in the design and operation of our information systems and processes
- Ensuring demonstrable compliance with enhanced requirements for transparency and fair processing, including notification of rights
- Ensuring that data subjects’ rights are respected. This includes the provision of copies of information held by the Trust, rights to rectification, erasure, to restrict processing, data portability, to object, and to prevent automated decision-making.
- Notification of personal data security breaches to the Information Commissioner, which is a the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The appointment of a suitably qualified and experienced Data Protection Officer (DPO)
- The General Data Production Regulation and the new Data Protection Act 2018, requires us to take specified actions, and have evidence to demonstrate that we have done so.
Trust must comply with the new law and in many areas its “spirit” of
transparency and openness. At this time the Trust is working extensively to
support implementation of the new Data Protection Legislation, but has
recognised that across our services we have some areas where we are unable to
comply at this time (based around technical capabilities of our systems and
procedures) but continue to seek solutions to do this within reasonable time.
GDPR, Medical Research and BOPPP
The GDPR requirements governing the processing (holding or using) of personal data mirror current good practice that the medical research community maintained before the GDPR came into law. This is in part, because medical research is assessed by Research Ethics Committees (REC’s) that protect the rights and welfare of patients and processing of personal data. REC’s included members of the public and are commissioned by the Health Research Authority who provide approvals for medical research to be carried out in the UK. BOPPP gained favourable opinion form the Yorkshire and the Humber – Leeds West REC (https://www.hra.nhs.uk/about-us/committees-and-services/res-and-recs/search-research-ethics-committees/yorkshire-and-humber-leeds-west/).
The trust and the BOPPP management team are committed to run this clinical trial to the highest standards and that involves protection of research participants’ rights whilst processing their data. This is achieved by collecting only relevant data to answer the research question and work against strict operating procedures to ensure confidentiality and security for the management of identifiable data. How the trial team do this is included in the information given to patients for them to consider taking part. A trust and research specific statement about the GDPR and medical research can be downloaded here [hyperlinked to pdf].
- If you have any questions about GDPR and what this means to you please contact our DPO at firstname.lastname@example.org
- The UKs Information Commissioner website is https://ico.org.uk/
- The HRA website is https://www.hra.nhs.uk/
The views expressed are those of the author(s) and not necessarily those of the NIHR or the Department of Health and Social Care.