Data Protection Legislation encompasses the General Data Protection Regulation (GDPR) 2016 and the Data Protection Act (DPA) 2018 which were adopted by the UK Government in 2018. The GDPR is a Europe-wide law that replaces an earlier 1995 EU Directive.
The GDPR sets out the requirements for how organisations will need to handle personal data from 25 May 2018.
It is part of a wider package of new data protection legislation and aims to protect EU citizens from privacy and data breaches in our increasingly data driven world.
The GDPR sets out the key principles in relation to the processing of personal data for patients:
- Data must be processed lawfully, fairly and in a transparent manner
- It must be collected for specified, explicit and legitimate purposes
- It must be limited to what is necessary for the purposes for which it is processed – adequate and relevant
- Information must be accurate and where necessary kept up to date
- It can only be retained for as long as is necessary for the reasons it was processed.
- Data must be processed in a manner that ensures appropriate security of the personal data.
The GDPR provides stronger rights for patients regarding the information that the Practice holds about them. These include:
- Being informed about how their data is used
- Patients to have access to their own data
- Patients can ask to have incorrect information changed
- Restrict how their data is used
- Move their patient data from one health organisation to another
- The right to object to their patient information being processed (in certain circumstances)
The Information Commissioners Office website provides more detail about this new EU Directive.
Click here to read The Avenue Surgery's Privacy Information Leaflet.
The Avenue Surgery Fair Processing Notice August 2021 v8
COVID-19 Supplementary Privacy Notice April 2020