Maintaining trust in how we store and process patient data is crucial to the relationships between Vision, healthcare service providers, and patients. Do you have questions about GDPR and medical records? We've cut through the legal jargon to answer your frequently asked questions.
1. What is GDPR?
The General Data Protection Regulation (GDPR) applies from 25th May 2018. It is an EU Regulation rather than a Directive, so it applies directly in every Member State without needing national implementing law, and it intends to:
- strengthen accountability
- enhance individuals’ rights
- give people greater control over their data
Currently, the UK relies on the Data Protection Act 1998. The new legislation will supersede it and cover new and unforeseen ways of using data. Organisations that process and control personal data will have new responsibilities.
Although the UK intends to leave the EU, it has also signalled its intention to carry the Regulation into UK law. The Regulation itself was adopted in 2016; the UK's Data Protection Bill, which will implement and supplement it domestically, has since had its first parliamentary reading.
2. What is changing?
- Organisations must be able to demonstrate that they comply with its principles, not merely assert it
- There is a more expansive definition of personal data
- Individuals have the right to access their personal data and to know how it is used
- Individuals have the right to have personal data erased and forgotten when there is no compelling reason to keep using it
- Individuals have the right to have personal data moved from one controller to another in a safe and secure manner
Consent changes include:
- When consent is the basis for processing data, it must be obtained separately for each purpose of processing, and for health data it must be explicit
- Data controllers must keep records of consent and the context in which it was given
- It must be as easy to withdraw consent as it is to give it
- Blanket consent is no longer sufficient. Consent must be freely given, specific, informed and unambiguous
Please refer to the Information Commissioner's Office for detailed information about this legislation.
3. How is Vision preparing for GDPR?
We process millions of patient records for shared care services and GP practices. We understand our responsibility to handle your sensitive information with respect. We have ISO 27001 certification and are compliant with the Data Protection Act. Robust safeguards are in place to maintain your confidence and trust in Vision.
Our goal is to be compliant with the new legislation before 25th May 2018. We have appointed a Data Protection Officer. They will track our compliance and make sure everyone at Vision understands their obligations.
There are particular challenges that healthcare technology companies face while implementing GDPR with medical records. These relate to the consent models required to process patient data lawfully. We are seeking clarity on the interpretation of this.
Regardless of how this evolves, we will strive to prove our compliance and justify the trust you place in us to process your patient data.