GDPR Frequently Asked Questions

Frequently Asked Questions

What is the GDPR?

The General Data Protection Regulation (GDPR) is an EU Regulation, developed to update data protection law and to unify all EU Member States (Countries) approach to data protection and ensure the law is applied identically in every EU Country.  It comes to effect 25 May 2018 in each of the member states.  

What is the difference between the GDPR and the Data Protection (DP) Bill?

The GDPR is EU legislation that will be applicable as law in EU member States (e.g. the UK) from 25 May 2018, irrespective of national legislation. The DP Bill will become law when enacted as the Data Protection Act 2018, replacing the existing DPA 1998. It will explicitly bring provisions of the GDPR in to UK law and establish continuity of the GDPR in the UK post Brexit. The Act will legislate in areas where the GDPR allows flexibility at national level.

Who must comply with the GDPR?

The GDPR applies to ‘controllers’ and ‘processors’. The definitions are broadly the same as under the DPA – i.e. the controller determines the purposes and means of processing personal data and the processor is responsible for processing personal data on behalf of a controller.

The Role of the CCG

GDPR applies to ‘controllers’ and ‘processors’ (including all NHS organisations) that process the data of EU citizens regardless of where in the world the actual ‘processing’ takes place.

The CCG is the data controller for services like Individual Funding Requests (IFR), Continuing Healthcare (CHC), and Medicines Management etc.  The NHS Commissioning Support Unit (SCW CSU) processes data on behalf of Oxfordshire CCG.

What information does the GDPR apply to?

Personal data

Like the DPA, the GDPR applies to ‘personal data’ (e.g. name, date of birth etc.). However, the GDPR’s definition is more detailed and makes it clear that information such as an online identifier e.g. an IP address (which is used by OCCG), genetic and biometric data e.g. finger prints, DNA information etc. can be personal data.

Sensitive personal data

The GDPR refers to sensitive personal data as 'special categories' of personal data. These categories are broadly the same as those in the DPA, and require additional conditions to process lawfully.  For example health data is classed as special category data.  The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual.

Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing.

What Data Protection Principles Applies under GDPR?

  1. Processed lawfully, fairly and in a transparent manner in relation to individuals.
  2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  4. Accurate and, where necessary, kept up to date.
  5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
  6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

What are the Lawful Bases for Processing?

For processing to be lawful under the GDPR, you need to identify a lawful basis before you can process personal data.  This needs to be communicated to Data Subjects through a Privacy Notice in an effort to be transparent. The lawful bases for processing are set out in Article 6 of the GDPR if it relates to personal data and article 9 if it relates to Special Category Data.  At least one of these must apply whenever you process personal data:

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

What about special category data?

If you are processing special category data, you need to identify both a lawful basis for processing (article 6 as mentioned above) and a special category condition for processing in compliance with Article 9. You should document both your lawful basis for processing and your special category condition so that you can demonstrate compliance and accountability.

Key areas to consider: 

Consent

Consent under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. There must be some form of clear affirmative action – or in other words, a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity.  

Children's Personal Data

The GDPR contains new provisions intended to enhance the protection of children’s personal data. The GDPR states that, if consent is your basis for processing the child’s personal data, a child under the age of 16 can’t give that consent themselves (unless they are deemed to have sufficient capacity to consent for themselves from the age of 13 years old in the UK) and instead consent is required from a person holding ‘parental responsibility’.

Individual's rights

The GDPR creates some new rights for individuals and strengthens some of the rights that currently exist under the DPA.

The GDPR provides the following rights for Individuals:

Ø  The right to be informed - The right to be informed encompasses the obligation to provide a Privacy Notice.  It emphasises the need for transparency over how personal data is used.  
Ø  The right of access (Subject Access Requests) - The GDPR clarifies that the reason for allowing individuals to access their personal data is so that they are aware of and can verify the lawfulness of the processing. 

A copy of the information must be provided free of charge.

There will be less time in which to comply with a subject access request under the GDPR.  Information should be provided within one month of receipt of the request.  

Ø  The rights to rectification- Individuals are entitled to have personal data rectified if it is inaccurate or incomplete.  Certain exemptions apply to health related data and when it may be rectified.
Ø  The right to erasure (the right to be forgotten) - The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.   Again, certain exemptions apply.
Ø  The right to restrict processing - Under the DPA, individuals have a right to ‘block’ or suppress processing of personal data. The restriction of processing under the GDPR is similar.  When processing is restricted, the personal data may continue to be stored, but not further processed.
Ø  The right to data portability - The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.  It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.  
Ø  The rights to object - Individuals have the right to object to:
  • Processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
  • Direct marketing (including profiling); and
  • Processing for purposes of scientific/historical research and statistics.
Ø  Rights related to automated decision making and profiling - The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. These rights work in a similar way to existing rights under the DPA. 

Accountability and Governance

The GDPR includes provisions that promote accountability and governance. These complement the GDPR’s transparency requirements. While the principles of accountability and transparency have previously been implicit requirements of data protection law, the GDPR’s emphasis elevates their significance.  

Data Protection by Design and by Default

Under the GDPR, technical and organisational measures must be taken to show that data protection rules have been considered and integrated into processing activities.  

Data Protection Impact Assessments

Data protection impact assessments (DPIAs) (also known as privacy impact assessments or PIAs) are a tool which can help organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy. An effective DPIA will allow organisations to identify risks associated with new projects, processes and systems and where possible fix problems and mitigate against risks at an early stage. 

Appointing a Data Protection Officer   

Under the GDPR, a Data Protection Officer must be appointed if the organisation:

  • Is a public authority (except for courts acting in their judicial capacity);
  • Carries out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
  • Carry out large scale processing of special categories of data or data relating to criminal convictions and offences.

The contact details of our Data Protection Officer are as follows:

Lesley Corfield, Governance Manager: lesley.corfield@nhs.net Tel: 01865 336795

Data Breach Notification

The GDPR will introduce a duty on all organisations to report certain types of data breach to the relevant supervisory authority, and in some cases to the individuals affected within 72 hours of becoming aware of the breach.  

Transfers of Data to Third Countries or International Organisations 

The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations, in order to ensure that the level of protection of individuals afforded by the GDPR is not undermined.