GDPR: Six key issues health information governance officers are grappling with

Preparation for the General Data Protection Regulation date of 25 May is, for many health and care organisations, at an advanced stage. That said, at a recent in-house seminar for health and care providers, a number of important issues were discussed – and we share these with you.

  • Data Protection Officers. Public bodies must have in place DPOs who are properly resourced and qualified and who report directly to senior management. It is a senior role. We agreed that such individuals should lead and shape your compliance, but suitable hires are in short supply and come at a cost. Can the in-house lawyer do it? Possibly. But probably not! A lawyer acting as DPO could not advise or represent the organisation if a legal problem or challenge arose. There would be a clear conflict of interest.
  • Collecting data for health and care purposes. Make sure that, if you collect data for health and care reasons, you do not use it for any other purpose not clearly identified beforehand. The days of writing to patients to ask them to support fundraising efforts for the Special Care Baby Unit are over – unless you are clear and ask beforehand whether they agree to be contacted for such purposes. Positive and unambiguous consent is needed for such uses.
  • Retention policy for patient information. A rethink about the retention of patient information is required. We can no longer send health records to "archive storage" and throw away the key (if we ever had a key!). Patient information should (in most cases) only be kept for as long as is necessary, and there must be a clear and identifiable destruction policy and process. Department of Health and Social Care guidance on retention becomes much more significant. Does it become a mandatory target for destruction? Should it?
  • Data breaches. Identifying and managing data breaches becomes so much more important. Reporting to the ICO within 72 hours is mandatory. But you don't have to report every little problem – only when there is a risk to the rights and freedoms of data subjects. Mind you, lost health information is likely to fit into that category…
  • A more muscular ICO? The ICO is developing a higher profile and strong-arm tactics. We noted recent criminal prosecutions for unlawful use of patient information and the SWAT-like raid on Cambridge Analytica!
  • Patient information for research purposes. We all agree that using patient information for research purposes is an essential tool for advancing medical knowledge and clinical practice. Consideration should be given to making sure GDPR and Data Protection compliance is included in the ethics approval processes. Researchers and academics must understand their obligations or risk the consequences – personally. Research applications must include a Privacy Notice, a Data Protection Impact Assessment, any relevant Legitimate Interest Assessment paperwork and the form of any consent wording (if required). Recent cases highlight that the inappropriate use of information can be a reason to deny ethical approval.
