GDPR: What you need to know

How will the new GDPR data law affect the way your personal health data is shared and used, and what do patients need to know? Lucy Trevallion investigates.

UK data laws define who can use your personal information and how, but were created in 1995 – before smartphones or Google search existed. On 25 May 2018, they’ll change overnight when the General Data Protection Regulation (GDPR) kicks in.

The GDPR is European Union (EU) legislation that aims to bring data protection in line with the new, previously unforeseen ways that data is now used. Although the UK is leaving the EU, the same provisions are expected to become UK law after Brexit.

Professor Martin Severs is Medical Director of NHS Digital, which acts as the guardian for health and care data. NHS Digital has been preparing for the GDPR for many months.

“Your health record is personal data, and is increasingly kept electronically and bound by a duty of confidentiality,” explains Professor Severs.

“The NHS and social services manage your data. The government, health commissioners and researchers need that data to manage and improve the NHS.”

He adds: “The GDPR is a really positive thing if you’re a patient. It means all the organisations that have your data have to tell you in detail what they’re doing with it.”

What has changed?

The GDPR strengthens some of the rights that existed already and creates new rights for individuals:

  • You have the right to be told by organisations whether they are processing your personal data, for example by analysing it or using it to create reports or diagrams. If they are, you have the right to know the purpose of this, who has received the data, and where they got the data.
  • You can request the deletion or removal of your personal data where there is no compelling reason for its continued processing, but this can be refused if there are good reasons, for example, for research or for historical or statistical purposes.
  • You can ask that processing of your data be restricted, so that companies can store your personal data but not process it further.

Health data is treated as a special category in the GDPR as it is particularly sensitive by nature. Organisations cannot use your health data unless they have “explicit consent”, or there are important health or research purposes that meet strict safeguards.

Where health data is processed on a large scale, for example in the NHS or insurance companies, it’s likely that GDPR data protection officers will be appointed. The healthcare industry will also be subject to investigations from data regulators to check their data is secure. Any companies that don’t comply with the GDPR could be fined up to €20m or four per cent of their global annual turnover (whichever is greater).

What does GDPR mean for heart patients?

Neil McCrirrick, NHS Digital’s GDPR Programme Director, explains that patients don’t have to do anything, but it’s good to know what’s changed. “You should expect to see more information on how your data will be used and shared, as regulation states that we must make it ‘easily accessible’ to patients and in clear language,” he says.

“It should be easier to work out what your doctor, hospital or the Department of Health is doing with data that is personal to you, and you should get a better understanding of the benefits of your data being shared.”

The science charity Wellcome has been working with NHS Digital, the research community and policymakers to ensure the GDPR doesn’t negatively affect research, which relies on people’s data.

Natalie Banner, Wellcome Policy Adviser, says: “Because the GDPR came into being around the time of the Snowden revelations [when a former CIA employee leaked documents revealing global surveillance], and amid lots of concerns about surveillance, the draft that was proposed by the European Parliament required some very, very high standards of consent for any use of data.

“This would’ve made a lot of research incredibly difficult, because you can’t always anticipate at the time you seek consent quite how you might want to use the data to answer new research questions in future.

“There was a really great Europe-wide patient-led movement trying to make sure that research can be protected. The GDPR has ended up as a really good piece of legislation, and one that the research community supports, because it does a great job of enhancing people’s rights, but that’s well balanced with the right safeguards so that research can continue.”

Your BHF data

As part of the GDPR changes, the BHF needs to reconfirm that you are happy for us to contact you. We don’t want to lose touch, so if you haven’t done so already, please tell us how you’d like to hear from us. This won’t affect your Heart Matters membership, but if the BHF doesn’t hear from you, we may no longer be able to contact you about our life-saving research or with information about ways to get involved.
