Sharing patient sensitive information in a GDPR compliant way

Health and care bodies must make sure they hold and use information in a way which is compliant with the new data processing conditions. There is now a big difference between consent to data processing and consent to treatment. The days when the principles of consent and implied consent for treatment were the same as for sharing patient information are over. Of course, that does not mean you don’t need to get consent to treatment, but the two issues are now legally distinct.

More efficient and effective sharing of patient information (including the exchange of information between public sector and independent sector health and care organisations) must be the ‘sine qua non’ for better, safer and more efficient delivery of care.

In some respects, patients might expect information to be shared between clinical staff. But, how is it to be made available and to whom? How will access be controlled? And what are the security arrangements?

In an era of public anxiety about data sharing and confidentiality, healthcare providers must have actively considered, and recorded, a clear lawful basis for sharing and back this up by clear policy documents – that are adopted, promulgated, enforced and audited.

Information sharing agreements are a vital tool to protect your organisation and patients.

The GDPR brings the new principle of ‘accountability’ to those of us processing data.

What does this mean? In short, this means data controllers shall be compliant and must pro-actively demonstrate compliance with all data protection principles starting from 25 May.

Data subjects must be told. Staff must be aware. Are they? Can you do that?

So, what about health and care providers? They too need to have reviewed all their data flows and map what is processed, how and why?

To find out what foundation trusts should be doing now about their membership databases: read our joint briefing note produced with NHS Providers. And if you are an independent sector provider – Mills & Reeve has produced in conjunction with the Association of Independent Healthcare Organisations, a key principles document: Data Protection and the GDPR which you can view here.