Some NHS bodies are still behind on the implementation of the General Data Protection Regulation (GDPR), a professional healthcare panel has heard.
Speaking at a Westminster Health Forum event on 13 September, Hazel Grant, partner and head of privacy, security and information at law firm Fieldfisher, said NHS bodies are still ‘struggling with some of the GDPR compliance work’.
GDPR came into force in Europe on 25 May to ‘harmonise data privacy law across Europe, protect and empower all EU citizens’ data privacy and reshape the way organisations across the region approach data privacy’, according to the European Commission.
‘Not the right contracts in place’
Drawing on comments from her clients, Ms Grant said many of them do not have the ‘right contracts in place’ with their NHS customers.
She told Healthcare Leader: ‘By 25 May 2018 – when an organisation uses a service provider – the organisation was meant to have updated its contracts with the provider to be GDPR compliant. Like many other customer organisations, NHS bodies haven’t yet completed this task.
‘Additionally, in other settings, it’s necessary for NHS bodies to provide information on their GDPR compliance to external organisations that might share patient data with the NHS body – for example in clinical trials that take place in NHS hospitals.
‘We’re finding that NHS bodies aren’t able or prepared to share that information on GDPR compliance, which is a concern to any external organisation about to share patient data.’
GDPR requirements include the obligation for a service provider to notify the Information Commissioner’s Office (ICO) and the organisation affected of any data breach, obtain approval for additional outsourcing, and make sure its staff receive proper training on GDPR.
‘Years to catch up’
Also speaking at the event, Phil Booth, coordinator at campaigning group Medconfidential, argued that it will take the NHS a ‘couple of years to catch up with GDPR’.
He told Healthcare Leader: ‘The NHS is behind on GDPR because a number of its practices and procedures fail to recognise the law, such as passing on hundreds of copies of hospital episode statistics each month.’
Echoing Mr Booth’s comments, Ms Grant agreed it will take ‘some time’ for NHS bodies to grasp the GDPR challenge, as many have to make ‘fundamental’ changes to ensure a good compliance regime – such as ‘making sure policies and procedures are updated and training all relevant staff’.