Layered Fair Processing – No. 10

Layered Fair Processing – No. 10

Introduction

Being transparent with individuals about how their personal data is used is a key aspect of privacy and confidentiality law. GDPR introduced transparency as a new requirement into the first data protection principle, it states that processing must be ‘fair, lawful and transparent’. Information communicated to individuals should be provided in a layered approach, in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The first “layer” is an A3 notice containing the headline principles of sharing which then signposts documents which contain progressively detailed information on both your website and also CCG based sites.

To meet common law duty of confidentiality expectations, patients should also be aware and have a reasonable expectation that their information will be used for specified purposes if implied consent is to be used as the lawful basis.

Patients should have confidence about how their medical information is used, be aware of which purposes it’s used for, and understand the rights that they have in relation to their information. The NHS Constitution states that patients have the right to be informed about how their information is used. It is vital that patients trust how we use their data.

This week we looked at what information we need to provide our patients and the methods we can use. We have provided exemplars to help practices meet these requirements. We have updated the Fair Processing Notice (synonymous with ‘Privacy Notice’) in poster form and revised the more detailed document which can now replace your interim privacy notices on your websites. Where possible, when explaining how we use their data, we should use principles rather than specifics and try to give consistent advice, so that patients get the same message across a range of community healthcare settings. We have based the updated Privacy Notices on a detailed assessment of the data flows, information asset registers and records of processing in two local practices. We believe these will now cover most of the bases for how GPs in NWL share patient data. However, it is important, if you are sharing data in ways which are different from the norm, that your own Privacy Notices reflect this. Please let us know if you identify any omissions which you think should be included for yours or for other practices.

As with other GDPR undertakings, Fair Processing Notices are not just a tick box exercise. We need to be having a rolling “conversation” with our patients explaining how their personal data is used to support their healthcare and this can and should be delivered through a variety of different media which include but are not limited to:

  • Direct conversation
  • Paper and electronic documents
  • YouTube videos
  • Social media
  • Radio/TV and other ‘broadcasting’
  • Public engagement meetings

Meaningful and regular communication through various media and in different settings is one of the most important aspects of GDPR. Once our patients understand how their information is processed and know how to exercise choice, consent becomes almost academic. This remains an area we need to improve on and in addition to your input at the practice level, there are plans for a London wide campaign to promote better understanding of how we share records.

Talking about record sharing in our practice meetings will help improve staff understanding and enable them to better signpost and support patients.

Review of Action Points from the previous session

  • To do 34 – Ensure your access to record policy is up to date with new data protection legislation
  • To do 35 – Review current procedure for granting access to online patient records
  • To do 36 – Ensure  you have sufficient verification processes in place for access to records
  • To do 37 – Ensure responsible staff members know how to grant permissions on the organisation’s online system, and how to redact information when required

 

Work covered this week

Content

Where information is collected from the data subject, GDPR details the information that needs to be provided to data subjects in Article 13, including:

  • Contact details of the controller and the controller’s data protection officer
  • Purposes of processing
  • The lawful basis for processing
  • Recipients of personal data
  • Retention of data
  • Data subject rights

Much of this information should already be held in the organisation’s Information Asset Register and records of processing, which helps to inform the fair processing material. GDPR mandates that all this information is provided albeit in a manner of ways and varying levels of detail.  Therefore, all this information does not have to be provided in every single document, but it is essential that all this information is provided and easily accessible somewhere. How this can be presented is discussed below.

Content should be aimed at differing levels of understanding and capacity, especially when it relates to processing of children’s data. Therefore, consideration should be given not only to the content but the language used to provide the content. Fair processing information could be provided and discussed in patient engagement groups to ensure it is understood by patients with no NHS or privacy background.

Method

Providing information to data subjects can take many forms and can no longer only be a statement on a website. In Practices, one of the most effective methods to provide high-level detail to patients is via easily readable posters in the waiting rooms or offices. This can include the basics which patients need to know, including the purposes their information is used for, who it may be shared with, and the key rights associated to their data, such as an objection to processing and access to their records. Such high-level materials can then provide information on where to get more information if required.

To ensure all information that is referred to in the Content section (above) is available, a larger document can then be produced which covers this. This can be made available on organisation websites as well as available in print form for those data subjects that do not have access to the internet. Given information must be provided to all, it would also be advantageous to have this available in different languages, either translated and provided in a separate document or via the use of a software on a browser such as google translate allowing the data subject to have it translated at the point of use.

These methods will primarily focus on those on who either actively visit Practices or Practice websites, so consideration should also be given to reaching those who may have limited contact but of whom their personal data is still processed. This could include taking out high-level advertisements in local media, use of local advertisements in public areas or postal campaigns. A simple way of informing patients of where to access such information could be a statement in the footer of all headed letter sent out by the Practice.

Resources

Output Documentation

A number of documents have been produced to give Practices a starting place to inform their patients of the processing taking place. These include:

PLEASE NOTE: These are based on information analysis from two GP Practice. You should review this to ensure that they include all data flows within your own practices, and check that all the purposes you use data for are covered. If you identify other data flows or other purposes which have not been included please let us know (nwl.infogovernance@nhs.net). We will wait for a further 2 weeks to receive any feedback before finalising the content of the A4 Fair Processing Notice and printing (and formatting with updated links) the A3 posters for use across NWL GP practices.

Learning Points

  • Your Practice should have an up to date fair processing campaign
  • This information should be available to patients in both electronic and paper form
  • Fair processing information must be available at both high level and detailed level

Practice Checklist

  • To do 38 – Review your current fair processing material
  • To do 39 – Ensure that all purposes identified in your information asset register are replicated on your privacy notice
  • To do 40 – Ensure fair processing material is available in both electronic and paper form
  • To do 41 – Ensure you have both high-level information for patients and detailed information available for those who require it

Comments are closed.