GDPR: What does it mean for commissioners?

Published 14 mayo 2018

The date of 25 May 2018 looms large on the horizon for all those who process personal data, when the brave new world under the General Data Protection Regulation begins. Understandably, the new regime is something which particularly concerns organisations working in the health sector, given the volume of sensitive personal data relating to people's health (or, as it will be known under GDPR, special categories of personal data) which they process on a daily basis. We focus in this article on the impact of some of the key new principles from a CCG perspective.   

1. Accountability

The new accountability principle means that it is no longer just what you do, but also how you do. By way of analogy, it may be helpful to recall memories of (potentially) dreaded maths exams, where arriving at the correct solution was only part of the story and demonstrating how you worked out the answer would get you the rest of the marks. In similar fashion, it will be a breach of the GDPR if CCGs are unable to evidence how they have complied with their obligations, even if there has been no infringement of a patient's data protection rights. As a result, documentation is king and things like policies (particularly around security), records of data processing activities and written records of decision-making will be crucial. 

2. Contracts

As commissioners of services, CCGs will enter into numerous contracts on a regular basis with a range of different providers and contractors. Those contracts must be compliant with the GDPR, which may simply require updating the references to reflect the new legislation. If, however, those contracts involve third parties processing personal data on the CCG's behalf then the CCG is obliged to insert a number of mandatory provisions which govern matters such as security, the use of sub-processors, and arrangements for the data once the contract comes to an end.   

The NHS Standard Contract has been updated to reflect GDPR and the updated version (prepared following consultation) can be found at on the NHS England website. It is highly recommended that CCGs take stock of its existing contracts as soon as possible, and consider any remedial actions required to render them GDPR compliant. 

3. Information sharing

CCGs will not necessarily process as significant a volume of personal data as providers, but will still act as Data Controller in respect of lots of personal data (for instance relating to commissioned packages of care). We are also aware that CCGs will often be parties to information sharing arrangements, such as multi-agency safeguarding hubs. Our CCG clients have previously raised queries about the extent to which GDPR will inhibit these information sharing arrangements going forward. The short answer is that although the detailed justifications underlying that sharing will change slightly, the principle that information can be shared in appropriate circumstances still holds true. We do, however, recommend reviewing your existing agreements with a view to updating them, and seeking advice if there are any particular concerns.   

It is not possible in a short article such as this to forensically examine all aspects of the GDPR, and we haven't even got to the significantly enhanced monetary penalties available to the Information Commissioner in the event of a breach (an eye-watering maximum of 20 million Euros, or 4% of global turnover (whichever is higher)). We have instead picked out a few particular issues which are likely to trouble, or be troubling, CCGs. 

For further information, we recommend consulting the Information Commissioner's website, which contains detailed and up-to-date guidance. 

In the event that specialist legal advice is required, then we have an experienced team of experts in data protection within the health sector and would be delighted to see if we can assist.