GDPR

General Data Protection Regulation (GDPR)

The Information Commissioner's Office (ICO) advises that the UK GDPR requires this organisation to put in place appropriate technical and organisational measures to implement the data protection principles effectively; this is data protection by design and default.

Data protection by design is about considering data protection and privacy issues up front in everything that the organisation does. Data protection by default requires this organisation to process only the data that is necessary to achieve a specific purpose.

This organisation will demonstrate data protection by design and default by: 

  • Conducting a Data Protection Impact Assessment (DPIA) 

  • Ensuring there are privacy notices on the website and in the waiting rooms that are written in simple, easy-to-understand language 

  • Processing data only for the purpose(s) intended 

  • Ensuring consent is obtained from the data subject prior to data being processed 

  • Providing patients with access to their data on request (subject access requests) 

  • Ensuring patients consent to access to their data by third parties 

  • Processing data in a manner that prevents data subjects being identified unless additional information is provided (using a reference number as opposed to names – pseudonymisation) 

The Practice Privacy Notice can be viewed here.

Page last reviewed: 27 November 2025
Page created: 20 January 2021