Month: September 2018

Summary Blog – No. 11


The past 10 weeks have seen us work through the core aspects of good information governance, which will allow you to demonstrate that your GP practice is compliant with GDPR and the new Data Protection Act 2018. We have stressed that this is not a one-off exercise but a process which needs to be kept under constant review and that you need to have systems in place which monitor and maintain the standards you apply in managing your patient and staff data.

This week we looked at what we have covered, key timescales, and support you will have going forward.

Review of Action Points from the Previous Session

  • To do 38 – Review your current fair processing material
  • To do 39 – Ensure that all purposes identified in your information asset register are replicated on your privacy notice
  • To do 40 – Ensure fair processing material is available in both electronic and paper form
  • To do 41 – Ensure you have both high-level information for patients and detailed information available for those who require it

Work covered this week

1) How will your compliance with GDPR be assessed?

As yet we do not know what exact form this will take but there are three scenarios where it may be put to the test.

  1. At your next CQC inspection, you will be asked to show evidence to support your compliance with GDPR.
  2. If you are the subject of a complaint related to how you manage personal data, the ICO (Information Commissioner’s Office) will want to look into your compliance with the GDPR.
  3. Your practice needs to complete the DSPT (Data and Security Protection Toolkit) by the 31st March 2019. This is the successor to the IG Toolkit.

Your next CQC inspection may not be imminent and you might never be the subject of a complaint as a result of a data breach. However, the DSPT deadline on this coming 31st March is a certainty for which you MUST ALLOW TIME AND RESOURCE TO PREPARE. See below.

2) Compliance with GDPR

As the GDPR came into effect on the 25th May 2018, the Information Commissioner’s Office (ICO) expects organisations to already be putting policies and procedures in place to meet the requirements. However, the ICO has stated that it did not expect every organisation to be compliant as of the 25th May. If an incident did occur, the ICO would take into account what your organisation has done and is proactively doing to ensure the protection of personal data. Evidence of the work undertaken within these blogs would, therefore, serve as a strong indicator to the ICO that you as an organisation take data privacy seriously, and the ICO would take this into consideration when deciding on any regulatory action.

3) Compliance with the new Data Security and Protection Toolkit

Whilst compliance with GDPR has no set date and is not a pass/fail monitoring system, the new Data Security and Protection Toolkit (DSPT) is a replacement for the old NHS Information Governance Toolkit. All organisations which process NHS data must complete it by 31 March 2019. The good news is that it follows many of the principles of GDPR, so the majority of what is covered in these blogs is what is required by the DSPT. The two main areas which aren’t covered are IT security and compliance with the National Data Guardian reports; evidence for the former can be obtained from your IT supplier. In effect, the DSPT will be the first tangible hurdle which formally assesses practices’ compliance with GDPR.

In order to assist you with this, we have put together a work plan for the Toolkit and matched the requirements against the relevant blog post. You should, therefore, be in a strong position once the work identified in this blog has been completed. This work plan can be found in the output documentation of this blog.

4) Allow a minimum of 3 months’ preparatory work to become GDPR compliant

The requirement may vary from practice to practice, but our two small practices (4000-5000 patients each) have required the following per practice:

These figures are not definitive and will vary depending on your practice set up. We have provided a more detailed spreadsheet listing specific tasks and personnel which can also be used to track and monitor allocated work to completion (below). The headline figure is that you should allow a bare minimum of 3 months to complete this work and so if you have not yet started, you must make plans to be underway by the New Year.

The other important requirement here will be to have a DPO in place who, at the end of the year, is in a position to assess and “sign off” the work you have done towards GDPR compliance and the DSPT. The DPO who is currently holding an interim post will not have the resource to cover all NWL practices, and our advice is that you should also plan to appoint a DPO at CCG or Federation level by the New Year.

5) Support going forward

This will be our final blog in conjunction with our external IG experts, however, there is still support available to you going forward.

  • FAQ document, which can be found in the resource area of this blog. This should be your first port of call in the event you have a question.
  • NWL Information Governance Blog, which will continue to be monitored and updated.
  • Email if you have any questions which are not answered in the blog or FAQ. The response will then be added to the FAQ.
  • The Data Protection Officer for all General Practices across NWL will continue in post and can be contacted at the email address above. You will be notified of any changes to this arrangement. It is important to recognise that this role will not provide the capacity to sign off all DSPTs at the end of March 2019, before which practices will need to appoint DPOs at practice, federation or CCG level.

Finally, we have created a shortened summary version of the blog, and an action plan against each to-do requirement with the anticipated resource this will take.


Output Documentation

Learning Points

  • You should have systems in place which monitor and maintain the standards you apply in managing your patient and staff data
  • You will be required to show evidence of your GDPR compliance at your next CQC inspection
  • The DSPT (Data Security and Protection Toolkit) must be completed by 31/03/2019, and work towards this and GDPR compliance will require a minimum of 3 months’ preparatory work
  • You should appoint a DPO (Data Protection Officer) at Practice, CCG or Federation level by the New Year to support your work towards signing off the DSPT

Practice Checklist

  • To do 42 – Review GDPR action plan and schedule activities into work plans
  • To do 43 – Review DSPT action plan and ensure activities are scheduled to meet compliance by 31 March 2019

Layered Fair Processing – No. 10


Being transparent with individuals about how their personal data is used is a key aspect of privacy and confidentiality law. GDPR introduced transparency as a new requirement in the first data protection principle, which states that processing must be ‘fair, lawful and transparent’. Information communicated to individuals should be provided in a layered approach, in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The first “layer” is an A3 notice containing the headline principles of sharing, which then signposts documents containing progressively more detailed information on both your website and CCG-based sites.

To meet common law duty of confidentiality expectations, patients should also be aware and have a reasonable expectation that their information will be used for specified purposes if implied consent is to be used as the lawful basis.

Patients should have confidence about how their medical information is used, be aware of which purposes it’s used for, and understand the rights that they have in relation to their information. The NHS Constitution states that patients have the right to be informed about how their information is used. It is vital that patients trust how we use their data.

This week we looked at what information we need to provide our patients and the methods we can use. We have provided exemplars to help practices meet these requirements. We have updated the Fair Processing Notice (synonymous with ‘Privacy Notice’) in poster form and revised the more detailed document which can now replace your interim privacy notices on your websites. Where possible, when explaining how we use their data, we should use principles rather than specifics and try to give consistent advice, so that patients get the same message across a range of community healthcare settings. We have based the updated Privacy Notices on a detailed assessment of the data flows, information asset registers and records of processing in two local practices. We believe these will now cover most of the bases for how GPs in NWL share patient data. However, it is important, if you are sharing data in ways which are different from the norm, that your own Privacy Notices reflect this. Please let us know if you identify any omissions which you think should be included for yours or for other practices.

As with other GDPR undertakings, Fair Processing Notices are not just a tick box exercise. We need to be having a rolling “conversation” with our patients explaining how their personal data is used to support their healthcare and this can and should be delivered through a variety of different media which include but are not limited to:

  • Direct conversation
  • Paper and electronic documents
  • YouTube videos
  • Social media
  • Radio/TV and other ‘broadcasting’
  • Public engagement meetings

Meaningful and regular communication through various media and in different settings is one of the most important aspects of GDPR. Once our patients understand how their information is processed and know how to exercise choice, consent becomes almost academic. This remains an area we need to improve on, and in addition to your input at the practice level, there are plans for a London-wide campaign to promote better understanding of how we share records.

Talking about record sharing in our practice meetings will help improve staff understanding and enable them to better signpost and support patients.

Review of Action Points from the previous session

  • To do 34 – Ensure your access to record policy is up to date with new data protection legislation
  • To do 35 – Review current procedure for granting access to online patient records
  • To do 36 – Ensure you have sufficient verification processes in place for access to records
  • To do 37 – Ensure responsible staff members know how to grant permissions on the organisation’s online system, and how to redact information when required


Work covered this week


Where information is collected from the data subject, GDPR details the information that needs to be provided to data subjects in Article 13, including:

  • Contact details of the controller and the controller’s data protection officer
  • Purposes of processing
  • The lawful basis for processing
  • Recipients of personal data
  • Retention of data
  • Data subject rights

Much of this information should already be held in the organisation’s Information Asset Register and records of processing, which help to inform the fair processing material. GDPR mandates that all of this information is provided, albeit in a variety of ways and at varying levels of detail. Therefore, not all of this information has to be provided in every single document, but it is essential that all of it is provided and easily accessible somewhere. How this can be presented is discussed below.

Content should be aimed at differing levels of understanding and capacity, especially when it relates to processing of children’s data. Therefore, consideration should be given not only to the content but the language used to provide the content. Fair processing information could be provided and discussed in patient engagement groups to ensure it is understood by patients with no NHS or privacy background.


Providing information to data subjects can take many forms and can no longer be only a statement on a website. In Practices, one of the most effective methods of providing high-level detail to patients is via easily readable posters in the waiting rooms or offices. These can include the basics which patients need to know, including the purposes their information is used for, who it may be shared with, and the key rights associated with their data, such as objecting to processing and accessing their records. Such high-level materials can then signpost where to get more information if required.

To ensure all information that is referred to in the Content section (above) is available, a larger document can then be produced which covers this. This can be made available on organisation websites as well as in print form for those data subjects that do not have access to the internet. Given that the information must be provided to all, it would also be advantageous to have it available in different languages, either translated and provided as a separate document or via browser-based software such as Google Translate, allowing the data subject to have it translated at the point of use.

These methods will primarily reach those who actively visit Practices or Practice websites, so consideration should also be given to reaching those who may have limited contact but whose personal data is still processed. This could include taking out high-level advertisements in local media, using local advertisements in public areas, or postal campaigns. A simple way of informing patients where to access such information could be a statement in the footer of all headed letters sent out by the Practice.


Output Documentation

A number of documents have been produced to give Practices a starting place to inform their patients of the processing taking place. These include:

PLEASE NOTE: These are based on information analysis from two GP Practices. You should review them to ensure that they include all data flows within your own practice, and check that all the purposes you use data for are covered. If you identify other data flows or other purposes which have not been included, please let us know. We will wait a further 2 weeks to receive any feedback before finalising the content of the A4 Fair Processing Notice and printing (and formatting with updated links) the A3 posters for use across NWL GP practices.

Learning Points

  • Your Practice should have an up to date fair processing campaign
  • This information should be available to patients in both electronic and paper form
  • Fair processing information must be available at both high level and detailed level

Practice Checklist

  • To do 38 – Review your current fair processing material
  • To do 39 – Ensure that all purposes identified in your information asset register are replicated on your privacy notice
  • To do 40 – Ensure fair processing material is available in both electronic and paper form
  • To do 41 – Ensure you have both high-level information for patients and detailed information available for those who require it

Right of Access – No. 9


Obtaining access to their own information is one of the most exercised rights afforded to data subjects. Those rights have changed under the new data protection legislation, making it easier for them to access their medical records. Controllers can no longer charge for providing data subjects with their personal data and have to respond within a month, where previously they had 40 calendar days.

This week we look at how to manage these requests, how GP systems can be utilised to help compliance, and how to manage requests which aren’t always straightforward.

What would be the cost to your practice of a large number of patients requesting Subject Access Requests (SARs), to which you are obliged to respond without charge? Those costs will be minimised by not having to print out and post reams of paper records, and this can be achieved by allowing patients access to their full record – electronically. There remains a resource issue related to checking the records, but the effort of doing so would have other benefits. How much time would be freed at reception if your patients had instant access to their results without having to telephone first?  Could we train non-clinical staff to identify (and flag) third party or harmful data and might such a role be centralised?  Why not consider these issues at your practice and discuss ways of delivering solutions at scale in your network meetings and with your CCG and Federation? More below.

Review of action points from prior session

  • To do 26 – Check whether information risks have been recorded in your risk registers and that mitigating controls are in place. Look at your data flow mapping and DPIAs.
  • To do 27 – Conduct a physical audit in your practice – test staff awareness and processes, to see if there are any potential information risks or training needs
  • To do 28 – Review the example information risk register and update for your practice
  • To do 29 – Review the Information Governance Staff Handbook to check you are following best practice; if not, update your information risk register
  • To do 30 – Discuss the future provision of a DPO for your practice (at a practice or CCG or Federation level) and, if you have not done so already, make arrangements to appoint one in 2019.
  • To do 31 – Ensure you have a decision-making function and approval process in place (Practice Caldicott Guardian)
  • To do 32 – Make sure you have an incident reporting policy in place. The policy should include the reporting mechanism and the roles the breach is reported to.
  • To do 33 – Review NHS Digital’s Incident Reporting guidance, and ensure you follow it.

Work covered this week

Right of Access

GDPR provides a right of access to individuals for a copy of their personal data held by a Data Controller. As Data Controllers, GP Practices must now supply a copy of all information they hold about an individual on request for no fee and within a month.

Since March 2016, it has been a contractual obligation to allow patients access to their medical records via the organisation’s Patient Online system (SystmOne or EMIS). Both clinical systems allow patients to register and access all information held about them, which will ensure they have up-to-date and timely information at hand. Many patients currently use Patient Online to book appointments and obtain prescriptions through the Electronic Prescription Service (EPS), but a smaller proportion uses this system to access their medical record. Allowing access to electronic records is not a binary decision and there are significant resource implications. You should have a system in place for allowing patients to apply for access to their records online, and any system you have should take into account the resources required. The priority you place on this process will be decided by the practice partnership. If resources are limited, you can and should have a waiting list. However, it is worth recognising that if a patient does request electronic access to their record and this is declined (put on a waiting list), they are entitled to request a SAR, and practically speaking the quickest and easiest way of responding to this within one month will be to provide them with full access to their record through Patient Online. If your practice requires help in providing this service, there is a wealth of useful information from the RCGP which is signposted below in the Resources section.

Where an adult patient is requesting access to their own records online, you should be assured that they are who they say they are. In most cases this will be by them providing two forms of ID, one photographic (such as a driving licence or passport) and one showing their address (such as a recent utility bill). If you can vouch that the person is who they say they are (for example, they regularly come to the surgery), then this can also be a form of assurance before granting access.

Coded Data or Free Text?

SystmOne allows the patient to have access to either only their Read-coded data or a copy of the full record including free text. Each Controller should make a decision regarding whether they want patients to access just the coded information or additionally the free text. As we have already noted, patients have a right to request the full record, and the coded information on its own would be insufficient to provide a response to a SAR.

Before access is granted, it is essential that the information on the record is reviewed to ensure that it is suitable to be disclosed to the patient. The right of access is not an absolute right, and information can be withheld in a number of limited scenarios, including where it is regarding third parties, or where it could be considered harmful or distressing to the patient to disclose. It is noted that this could cause resource issues, however, this is something that should be weighed up against the resource of handling requests for access in paper form now that no fee can be charged.

Specific data entries can be hidden from the patient’s view in online access, so it is important to ensure each query in a given consultation is recorded as a separate entity (a new section), so that if the information does need to be redacted later this can be done at a more granular level.

Access by Proxy

Access to children’s records

It is important to note that the right of access always applies to the data subject, so there is no automatic right for a parent to access a child’s record. However, if an adult has parental responsibility for a child or is a legal guardian, a GP can make a decision about whether to allow the individual access to the child’s record if it is in the child’s best interest. There is no statutory age in England and Wales at which a child is considered to have sufficient knowledge to exercise their right of access; however, the new data protection legislation does stipulate that from the age of 13 a child will be deemed to have the capacity to consent to the use of ‘information society services’, which online access to records can be considered to be.

Therefore, any request for access to records by a parent or legal guardian where the child is under the age of 13 should be considered on a case-by-case basis, taking into account whether the child may have the capacity to understand the effects this may have and to request that their information is not shared with their parents.

Where a child is between the ages of 13 and 18, again this should be decided on a case-by-case basis, but it is generally assumed the child will have the capacity to decide whether the parent/legal guardian can access their record. Such requests should be granted, and the parent’s consent only asked for if the child is deemed to lack capacity or if the clinician feels that it is in the best interest of the child.

Access to the records of elderly patients/adults lacking capacity

Where a request comes to access the records of an elderly individual (such as a mother or daughter requesting access to their elderly parents’ records), the individual should always be assessed as to whether they have the capacity to make such a decision themselves. If not, you should assure yourself that the person requesting access to the record has either Power of Attorney or a court order, or that access is in the patient’s best interest. It is important that you and your staff understand that these elderly patients are vulnerable and that on occasion such requests can be open to abuse, so where there is capacity you should ask direct questions to ensure there is no coercion, and where there is not capacity you should always be mindful of the possibility of coercion.

Real life case study

In 2016 a GP Practice was fined £40,000 for disclosing confidential information during a subject access request. The disclosure to a child’s father also included information relating to the mother (who had separated from the father and asked the Practice not to disclose her whereabouts), including her contact details, information relating to her parents and another third party. The Information Commissioner’s Office found that the Practice had insufficient systems in place to manage such requests.

Therefore, in circumstances where there may be concerns regarding safeguarding, domestic violence or other such situations which could cause harm to individuals, every effort should be made to ensure the disclosure is appropriate and lawful.

Do remember, before allowing a patient or guardian access to clinical records you must be certain that:

  • They are who they say they are
  • They are allowed access to the requested record
  • The record given to them does not contain harmful or third party data


There are a series of eLearning modules available via the RCGP eLearning website below. These include courses on coercion, identity verification, proxy access, children & young people, overview and benefits protecting patients and practice and online access for clinical care.

General Resources

Output Documentation

Learning Points

  • Your practice should have an up to date access to records policy
  • You should have a system in place for allowing patients to apply for access to their records online
  • That system should take into account the resources required

Practice Checklist

  • To do 34 – Ensure your access to record policy is up to date with new data protection legislation
  • To do 35 – Review current procedure for granting access to online patient records
  • To do 36 – Ensure you have sufficient verification processes in place for access to records
  • To do 37 – Ensure responsible staff members know how to grant permissions on the organisation’s online system, and how to redact information when required

Next session on 04.09.18

(Blog No. 9 due 11.09.18)

Taking all of the patient data identified in earlier blogs which is being processed through the practice, and looking at the ways in which we use that information, we can now draw up a final Fair Processing Notification.