General Data Protection Regulation (GDPR)

GDPR stands for General Data Protection Regulations and is a new European Directive. It will not only apply to the UK and EU; it covers anywhere in the world in which data about EU citizens is processed.

The GDPR is similar to the Data Protection Act (DPA) 1998 (which the practice already complies with), but strengthens many of the DPA’s principles.

What does this mean for patients?

The changes in GDPR mean that we must get explicit permission from patients when using their data. This is to protect your right to privacy, and we may ask you to provide consent to do certain things, like contact you or record certain information about you for your clinical records. Individuals also have the right to withdraw their consent at any time.

  • Data must be processed lawfully, fairly and transparently
  • It must be collected for specific, explicit and legitimate purposes
  • It must be limited to what is necessary for the purposes for which it is processed
  • Information must be accurate and kept up to date
  • Data must be held securely
  • It can only be retained for as long as is necessary for the reasons it was collected

There are also stronger rights for patients regarding the information that practices hold about them including:

  • Being informed about how data is used
  • Patients having access to their own data
  • Patients can request to have incorrect information changed
  • Patients can restrict how their data is used
  • Patients can move their data from one health organisation to another
  • The right to object to patient information being processed (in certain circumstances)

Your surgery’s practice manager is the person to contact regarding Data Protection matters, or for more information, ask your reception team for a GDPR leaflet.