Five things to know about GDPR

Much of the GDPR is similar to the previous Data Protection Act (1998). But there are some updates to the way we work and our guidance for doctors.

1. The GMC can use personal information without needing to ask for consent, when carrying out our statutory functions.

The Information Commissioner’s Office highlights this key part of the regulations: ‘Public authorities, employers and other organisations in a position of power over individuals should avoid relying on consent unless they are confident they can demonstrate it is freely given… this means giving people genuine ongoing choice and control over how you use their data’.

We’re required by law to carry out a number of important statutory functions, including maintaining the medical register and investigating serious concerns about doctors. To deliver these functions, we can use personal information that’s given to us without asking for consent from the individual. For example, we can use personal information shared with us when a patient raises a concern about a doctor. 

In the past, we’ve asked for consent, while explaining that in some circumstances, we may be able to proceed without it. The GDPR now defines consent as potentially misleading when individuals don’t have a real choice. Since the new law came into effect, we no longer ask for consent in these circumstances. Instead, we make sure we tell people how we’ll use their information, and give them a chance to tell us if they have concerns or specific requests.

There will still be circumstances where individuals have a genuine choice about how we use their personal information and in those circumstances, we’ll seek consent. For example, during health assessments.

2. We’ve updated our Confidentiality guidance

We’ve added new paragraphs and updated the legal annex in our Confidentiality guidance so it reflects the new data protection law – you can read a summary here. We’d welcome your support with highlighting these updates to doctors in your network. 

A key point to note is that doctors shouldn’t ask for consent if they have already decided to disclose information in the public interest. It would be misleading to ask for consent if the patient has no real choice in the matter. However, doctors should if safe and practicable, tell a patient what they plan to disclose and consider any objections they may have - see paragraphs 63-70.

3. We can’t give legal advice to doctors who are data controllers. But other organisations can help

Doctors who are data controllers need to understand and meet their legal obligations under the GDPR. The following organisations have helpful advice on this.

  • the Information Commissioner’s Office (ICO) in each of the four countries provides guidance for data controllers, including resources specifically for the health sector.
  • the Information Governance Alliance (England) has detailed guidance on GDPR for health and social care organisations.
  • the BMA has produced a guide for GPs on their responsibilities under the new regulations. 

4. You don’t need to change the way you share patients’ personal information with us

In your role as a responsible officer, we might ask you for information that you (rather than the designated body or healthcare organisation) personally hold or control. In these circumstances, you should follow our guidance Confidentiality: good practice in handling patient information. Our advice on this will remain the same and includes:

  • satisfy yourself that the disclosure is required by law
  • only disclose information relevant to the request
  • tell patients about such disclosures whenever practicable, unless it would undermine the purpose of the disclosure to do so (Confidentiality, paragraph 88).

5. We take our responsibilities as a data controller very seriously

We handle personal information with the utmost care and we’re committed to keeping information secure. Our staff are only given access to personal details and information on a need-to-know basis.

We’re happy to discuss any questions you may have about the new regulation and your responsibilities – please contact your employer liaison adviser.