The GDPR deadline is only months away, but the National Health Service has yet to publish its proposed new data protection guidance for the health sector.
This is creating much uncertainty for the health centres and GP practices up and down the country that are responsible for primary care.
Over the past 2 years I've been privileged to work with the Practice Managers Association (PMA) delivering workshops on governance, compliance and risk. Medical practices, health centres and doctors' surgeries are fast having to turn themselves into sustainable businesses to cope with the current economic climate and high patient demand. To help practice managers obtain the recognised skills they need to better understand the business aspects of general practice, the PMA provides a membership community that gives those involved in practice management throughout the UK access to a wide range of resources such as training, professional advice, educational events, conferences and peer networking.
Entrepreneurship is always balanced with the need to manage business risk. Our governance workshops show that business, risk and compliance strategies interrelate like constantly turning cogs in a practice engine, which managers oil regularly to keep the business ticking over. In recent months, however, the GDPR (General Data Protection Regulation) has crept into the engine and become grit for practice managers seeking to implement the new EU data protection rules by 25th May 2018.
The concern is not about complying with the GDPR. Primary care organisations already have a high level of compliance with data protection laws due to the sensitive, special category of personal data involved with health records. Compliance with GDPR will be an evolution not a revolution.
But organisations work in clusters, sharing good practice that is handed down from the NHS. By standardising working practices, primary care organisations aim to reduce costs, inefficiencies and errors.
With 3 months to go before the 25th May deadline, the NHS is yet to publish its intended guidance on the GDPR.
Delay in NHS GDPR Guidance
The policy and guidance is being developed by the national GDPR working group, chaired by NHS England, for publication by the Information Governance Alliance (IGA). Those with senior responsibility for Information Governance can use the guidance to learn how to comply with the GDPR. This includes Caldicott Guardians, operational Information Governance leads and managers, plus all employees.
However, the IGA is experiencing delays in the publication of the General Data Protection Regulation (GDPR) advice material.
Health-sector organisations have to take a collaborative, sector-driven approach to GDPR compliance to provide a consistent service across clusters. These delays are creating uncertainty and placing unwanted pressure on practice managers already firefighting with day-to-day issues.
This is clearly not an acceptable situation. Patients have become more discerning in recent years about their health care and how their records are held. From 25th May they will start to challenge doctors and medical staff, and hold them to account on GDPR compliance.
These guidelines need publishing now.
List of intended NHS GDPR Guidance
- Changes to Data Protection legislation: why this matters to you (CEO briefing on GDPR and Accountability for Data Protection)
- Data protection accountability and governance
- Privacy by design and default
- Implications of the GDPR for Health and Social Care Research
- Health and Social Care Research: legal basis and safeguards
- Transparency, consent and subjects' rights
- Personal data breaches and notification
- Profiling and risk stratification
- GDPR overview
- What's new and what changes
* Guidance highlighted in bold already published