The General Data Protection Regulation (GDPR) was introduced with the intention of enhancing the individual’s right to privacy and giving them more control over their own data.
Since its introduction, the GDPR has caused its fair share of confusion as organisations grapple with the new compliance requirements or outright restrictions on their activities. Meanwhile, in the medical sector, the concern has been that the GDPR could impede normal medical practice. With this in mind, we formed the RCPI Professional Policy Group for GDPR, made up of legal advisors and clinicians representing various specialties from the Institutes and Faculties within RCPI.
Over a series of sessions, issues that doctors face within their own practice, as well as in dealing with other healthcare professionals, were brought to the table, discussed, hypothesised and evaluated in the legal context.
It is important to note that the GDPR clearly allows healthcare professionals to use personal health data for medical diagnosis, provision of healthcare, management of healthcare, ensuring quality of healthcare, protecting someone’s life where they cannot give consent and for Public Health purposes, provided that certain conditions are met.
Much of the confusion with regard to the GDPR arises from the perception that the conditions for transparency, lawfulness and fairness must be addressed by each clinician with each patient. Generally, these requirements are best met in a systematic and procedural approach by the healthcare organisation (i.e. the Data Controller).
In our General Data Protection Regulation and Medical Practice Guideline we have summarised the Data Controller Obligations that you should expect to see in your organisation to ensure your patient’s right to privacy is protected.
Another significant source of concern has been in relation to the Health Research Regulations, which have clear and onerous requirements regarding the use of personal data that is not irrevocably anonymised.
The Health Research Regulations are, however, applicable only to research and not to normal practice, clinical audit or service evaluation.
Of course, there can be a very fine line between audit and research that needs close consideration for each project.
In our General Data Protection Regulation and Medical Practice Guideline we have provided a decision tree to help guide this evaluation.
We hope you find our guideline useful. The document will be iterative in nature to reflect the reality that interpretation of Data Protection Legislation is still ongoing. The Professional Policy Group will continue to meet periodically and we would welcome your input and your feedback on these matters so that they can be addressed and included in future revisions of the document.
Dr Diarmuid O'Shea, Registrar and Chair of the RCPI Professional Policy Group on GDPR