The chances are that, by now, you will have heard of GDPR. If you are already familiar with the Data Protection Act 1998 (the law being replaced by GDPR), you will also have heard of the terms “Personal Data”, “Processing”, “Data Subject”, “Data Controller” and “Data Processor”. Many of these key terms have broadly the same meaning under GDPR as under the Data Protection Act, but there are some intricacies that are worth knowing, particularly given the types of Personal Data that are processed within the Health and Care sector.
In this guidance, we’ll consider some of the key terms in GDPR and explain what they mean.
When does GDPR Kick in?
GDPR applies to any organisation that processes personal data relating to a data subject.
Does the GDPR Apply to you?
If you process personal data within the EU, GDPR will apply. It applies to all organisations including, for example, public authorities, not-for-profit organisations, limited companies, trusts, charities and sole traders. GDPR does not apply to individuals using information in their personal capacity. For example, if you store a notebook of phone numbers of your friends and family in your filing cabinet at home, this will not be captured by GDPR.
What is Personal Data?
Personal data is any information that relates to a living individual. It does not include personal information about somebody who has died.
The definition of personal data is wider under GDPR than under the Data Protection Act and includes specific identifiers, such as a person’s name and email address, as well as factors about a person, such as their physical appearance, physiological or mental state, their financial status or social identity. It could, therefore, include opinions you give about a person in their care records or care plan, and will certainly include a person’s medical and health records. The definition also includes photographs and CCTV footage, as well as location data.
Personal data includes business contact information of an individual, i.e. an individual’s business email address such as [email protected]. It does not include generic business email addresses such as [email protected] or any other general business information. Although GDPR does not distinguish between “personal” personal data (e.g. [email protected]) and “business” personal data (e.g. [email protected]), the Information Commissioner’s Office (the body that oversees compliance with GDPR) is likely to be more concerned about unauthorised loss or disclosure of “personal” personal data.
“Special categories of data” are a type of personal data, and have broadly the same meaning as “sensitive personal data” under the Data Protection Act. They include types of data that are thought to be of a more sensitive nature, such as information about a person’s medical history or health, their race or ethnic origin, their religious or political views and their sexual orientation. The definition also includes genetic data and biometric data.
Under GDPR, organisations are not entitled to process Special Categories of Data unless one of the 10 exceptions applies. One of the exceptions expressly refers to processing that is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnoses, the provision of health or social care or treatment or the management of health or social care systems and services. Special Categories of Data can, therefore, be processed without consent for those purposes. This will be considered in more detail in the guidance note that explains the requirements around processing personal data.
What do you Need to do with Personal Data for GDPR to Apply?
In practice, anything. At the point you collect personal data, you are processing it. You don’t need to be doing anything actively with the data – just holding or storing it (even if you never look at it) means that you are processing it.
Other activities that constitute processing may include (but aren’t limited to) adapting or modifying the personal data, deleting, copying, organising, retrieving and transferring it.
Does GDPR Apply to all Personal Data, Irrespective of where it is Stored?
GDPR only applies to personal data stored in a filing system. The majority of personal data held on computers or online will be held in a filing system because even if the document has been stored incorrectly, it’s likely it could still be retrieved using a search function.
If paper files are stored in a logical order (chronologically or alphabetically, for example), they will also be captured by GDPR. If you throw paper documents into a disorganised confidential waste bin, for example, GDPR will no longer apply to the personal data within those documents.
Who is the Data Subject?
The data subject is the living individual whose personal data is being processed by an organisation.
What about the Data Controller and the Data Processor?
The data controller is the organisation that determines the purposes for which, and the means by which, the personal data is processed.
For example, at the point a care home is passed the personal data of a service user, the care home will decide how to use that data – for example, it will use medical records to understand which medicines need to be administered and to understand behavioural issues, and it will use phone numbers for next of kin to contact them in the event of an emergency.
If an organisation wants or needs a third party to do something with the personal data, at the point the personal data is passed to the third party, the third party becomes a data processor. The data processor only uses the personal data in accordance with instructions given by the data controller. For example, if an organisation outsources its HR or payroll function, the HR or payroll provider will be the data processor of the personal data passed to it to administer HR or payroll services.
In most situations, care homes and agencies and similar organisations will be data controllers of the personal data they process.