The BMA: GPs as data controllers under the GDPR

Dr Paul Cundy, GPC IT Policy Lead, has published a series of blogs (dropbox link) on the General Data Protection Regulation. He says "they are a narrative in nature and attempt to cover the questions (he) sees surfacing on the various email lists and other media. Their status should be of informed opinion. Facts are referred to as facts and opinions clearly identified and (he) hopes justified". The links below are accessible here for those people unable to access dropbox with kind permission from Dr Cundy.

Blog 0: GDPR - where to start, in the beginning etc

Blog 1: GDPR for GPs from the IT lead for GPC

Blog 2: Background and scene setting

Blog 3: Data Protection Officers

Blog 4: Privacy notices (revised 8th May 2018)

Blog 5: Texts and emails

Blog 6: Articles 6 and 9 deciphered

Blog 7: Subject Access Requests, SARs and TSARs (revised 1st May 2018)

Blog 7a: SARs and TSARs, part two, unfounded and excessive (new 8th May 2018)

Blog 7b: SARs and TSARs, part three, requests can be verbal (new 15th May 2018)

Blog 8: Things to do list, plan, timetable

Blog 9: Fines

Blog 10: Erasure and Portability - NOT!

Blog 11: I'm an LMC - what's in it for me ? (revised 2nd May 2018)

Blog 12: How long is a month ?

Blog 13: Data Privacy Impact Assessment(s) (revised 31st May 2018)

Blog 13a: DPIAs part 2, life gets easier! Part 2 (added 10th June 2018)

Blog 14: Data breaches

Blog 15: Documentation (revised 29th April 2018)

Blog 16: Those you employ

Blog 17: Consent

Blog 18: The Myth Buster (revised 25th May 2018)

Blog 19: Contracts with Processors

Blog 20: Things to do, letter for CCG (new 30th May 2018)

Blog 21: Helpful people (added 10th June 2018)

What GP Practices Must Do 

Guidelines on Consent under Regulation 2016/679 (wp259) [adopted but still to be finalised]

Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is "likely to result in high risk" for the purposes of Regulation 2016/679

Guidelines on transparency under Regulation 2016/679

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016  on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

Official Section 251 guidance Health Research Authority

Template SARS log (added 15th May)

DRAFT: Privacy Notice - Telephone calls (added 10th June 2018)

DRAFT: Privacy Notice - Carers (added 10th June 2018)

DRAFT: Privacy Notice - GPs as employers (added 10th June 2018)

DRAFT: Privacy Notice - Care Quality Commission

DRAFT: Privacy Notice - Direct Care - Emergencies

DRAFT: Privacy Notice - Direct Care - Routine care and referrals

DRAFT: Privacy Notice - Summary Care Record (added 10th June 2018)

DRAFT: Privacy Notice - LMCs

DRAFT: Privacy Notice - National screening programs

DRAFT: Privacy Notice - Payments

DRAFT: Privacy Notice - NHS Digital

DRAFT: Privacy Notice - Public Health

DRAFT: Privacy Notice - Research

DRAFT: Privacy Notice - Commissioning, Planning, Risk Stratification, Patient Identification

DRAFT: Privacy Notice - Safeguarding

Sample exemplary Practice Privacy Notice Dr Neil Bhatia

The UK Caldicott Guardian Council has produced this webpage with further information and guidance too.

Just a bit of light humour....

In the Consulting Room, a mild case of GDPR

This page last updated 20th May 2018

Call 111 when you need medical help fast but it’s not a 999 emergencyNHS ChoicesThis site is brought to you by My Surgery Website