Summary Blog – No. 11

Summary Blog – No. 11


The past 10 weeks have seen us work through the core aspects of good information governance, which will allow you to demonstrate that your GP practice is compliant with GDPR and the new Data Protection Act 2018. We have stressed that this is not a one-off exercise but a process which needs to be kept under constant review and that you need to have systems in place which monitor and maintain the standards you apply in managing your patient and staff data.

This week we looked at what we have covered, key timescales, and support you will have going forward.

Review of Action Points from the Previous Session

  • To do 38 – Review your current fair processing material
  • To do 39 – Ensure that all purposes identified in your information asset register are replicated on your privacy notice
  • To do 40 – Ensure fair processing material is available in both electronic and paper form
  • To do 41 – Ensure you have both high-level information for patients and detailed information available for those who require it

Work covered this week

1) How will your compliance with GDPR be assessed?

As yet we do not know what exact form this will take but there are three scenarios where it may be put to the test.

  1. At your next CQC inspection, you will be asked to show evidence to support your compliance with GDPR.
  2. If you are the subject of a complaint related to how you manage personal data, the ICO (Information Commissioner’s Office) will want to look into your compliance with the GDPR.
  3. Your practice needs to complete the DSPT (Data and Security Protection Toolkit) by the 31st March 2019. This is the successor to the IG Toolkit.

Your next CQC inspection may not be imminent and you might never be the subject of a complaint as a result of a data breach. However, the DSPT deadline on this coming 31st March is a certainty for which you MUST ALLOW TIME AND RESOURCE TO PREPARE. See below.

2) Compliance with GDPR

As the GDPR came into effect on the 25th May 2018, the Information Commissioner’s Office (ICO) would expect organisations to already be putting policies and procedures in place to meet the requirements, however, they have stated they did not expect every organisation to be compliant as of the 25th May. If an incident did occur, however, they would take into account what your organisation has done and is pro-actively doing to ensure the protection of personal data. Evidence of the work undertaken within these blogs would, therefore, serve as a strong indicator to the ICO that you as an organisation takes data privacy seriously, and would take this into consideration when deciding any regulatory action.

3) Compliance with the new Data Security and Protection Toolkit

Whilst compliance with GDPR is not a set date or pass/fail monitoring system, the new Data Security and Protection Security Toolkit (DSPT) is a replacement for the old NHS Information Governance Toolkit. All organisations which process NHS data must complete this for 31 March 2019. The good news is that this follows many of the principles of GDPR, so the majority of what is covered in these blogs is what is required by the DPST. The two main areas which aren’t are IT security and compliance with the National Data Guardian reports, the former of which you will be able to gain evidence for from your IT supplier. In effect, the DPST will be the first tangible hurdle which will formally assess practices’ compliance with GDPR.

In order to assist you with this, we have put together a work plan for the Toolkit and matched the requirements against the relevant blog post. You should, therefore, be in a strong position once the work identified in this blog has been completed. This work plan can be found in the output documentation of this blog.

4) Allow a minimum of 3-months preparatory work to become GDPR compliant

The requirement may vary from practice to practice, but our two small practices (4000-5000 patients each) have required the following per practice:

These figures are not definitive and will vary depending on your practice set up. We have provided a more detailed spreadsheet listing specific tasks and personnel which can also be used to track and monitor allocated work to completion (below). The headline figure is that you should allow a bare minimum of 3 months to complete this work and so if you have not yet started, you must make plans to be underway by the New Year.

The other important requirement here will be to have a DPO in place who at the end of the year should be in a situation where he can assess and “sign off” the work you have done towards GDPR compliance and the DSPT. The DPO who is currently holding an interim post will not have the resource to cover all NWL practices and our advice is that you should also plan to appoint a DPO at CCG or Federation level by the New Year.

5) Support going forward

This will be our final blog in conjunction with our external IG experts, however, there is still support available to you going forward.

  • FAQ document which can be found in the resource area of this blog. This should be your first port of call in the event you have a question.
  • NWL Information Governance Blog, this will continue to be monitored and updated
  • email if you have any questions which are not answered in the blog or FAQ. The response will then be added to the FAQ.
  • The Data Protection Officer for all General Practices across NWL will continue in post and can be contacted at the email address above. You will be notified of any changes to this arrangement. It is important to recognise that this role will not provide the capacity to sign off all DSPTs at the end of March 2019, before which there will be a need for practices to appoint DPOs either at practice, federation or CCG level.

Finally, we have created a shortened summary version of the blog, and an action plan against each to-do requirement with the anticipated resource this will take.


Output Documentation

Learning Points

  • You should have systems in place which monitor and maintain the standards you apply in managing your patient and staff data
  • You will be required to show evidence of your GDPR compliance at your next QCQ inspection
  • The DSPT (Data Data and Security Protection Toolkit) must be completed by 31/03/2019 and work towards this and GDPR compliance will require a minimum of 3 months preparatory work.
  • You should appoint a DPO (Data Protection Officer) at Practice, CCG or Federation level by the New Year to support your work towards signing off the DSTP

Practice Checklist

  • To do 42 – Review GDPR action plan and schedule activities into work plans
  • To do 43 – Review DPST action plan and ensure activities are scheduled in to meet compliance by 31 March 2019

Comments are closed.