WHAT IS GDPR?
GDPR is the law that determines how your personal data is processed and kept safe, and the legal rights that you have in relation to your own data. The regulation applies from 25 May 2018. GDPR supersedes the Data Protection Act 1998, which the practice already complies with, but strengthens many of its principles.
WHAT GDPR WILL MEAN FOR PATIENTS/STAFF
Personal data:
- must be processed lawfully, fairly and transparently.
- must be collected for specific, explicit and legitimate purposes.
- must be limited to what is necessary for the purposes for which it is processed.
- must be accurate and kept up to date.
- must be held securely.
- can only be retained for as long as is necessary for the reasons it was collected.
Patients and staff have the right:
- To be informed about how their data is used.
- To have access to their own data.
- To ask to have incorrect information changed.
- To restrict how their data is used.
- To move their data from one organisation to another.
- To object to their personal information being processed (in certain circumstances).
THE MAIN CHANGES ARE:
- The Practice must comply with Subject Access Requests - a written, signed request from an individual to see what information is held about them.
- Where we require your consent to process data, this consent must be freely given, specific, informed and unambiguous.
- New special protection for personal data.
- The Information Commissioner’s Office must be notified within 72 hours of a data breach.
- Higher fines for data breaches.
- The Hazeldene Medical Centre reserves the right to verify the identification of the individual seeking access to Medical Records.
Subject Access Request Process:
- Patients (data subjects) may request access to their own Medical Records.
- Hazeldene Medical Centre will email or print log-in details so that patients can access their Medical Records securely online.
Third Party Subject Access Request Process:
- Solicitors may seek access to patients' medical records.
- Hazeldene Medical Centre will provide the patient in question with the log in details so that they may access their own medical records, as outlined above.
- The patient in question may then share their own medical records with the 3rd party: https://support.patientaccess.com/medical-record-viewer/share-your-medical-record
- 3rd parties seeking access to medical records for the purposes of drafting a report or an insurance claim are subject to the Access to Medical Reports Act (2009): https://www.bma.org.uk/advice/employment/ethics/confidentiality-and-health-records/access-to-medical-reports
- See this link for the associated process for medical reports: Non NHS Process
- On the rare occasion that the patient in question is not able to access their medical records online, due to technical, language or medical barriers, the patient may fill in a 3rd party Enhanced Consent form to share their online access log-in details with the 3rd party: Enhanced 3rd party SAR consent form
- GDPR is explicit that requests made electronically may be responded to electronically.
- Hazeldene Medical Centre complies with GDPR by providing remote access to a secure system for accessing Medical Records: GDPR Regulations
- Hazeldene Medical Centre may consider requests for information outside of the above regulation to be "manifestly excessive" and therefore subject to administrative charges: Non NHS Process