
The BMA: GPs as data controllers under the GDPR

Dr Paul Cundy, GPC IT Policy Lead, has published a series of blogs (Dropbox link) on the General Data Protection Regulation. He says "they are a narrative in nature and attempt to cover the questions (he) sees surfacing on the various email lists and other media. Their status should be of informed opinion. Facts are referred to as facts and opinions clearly identified and (he) hopes justified". With kind permission from Dr Cundy, the links below are also accessible here for those unable to access Dropbox.

Blog 0: GDPR - where to start, in the beginning etc

Blog 1: GDPR for GPs from the IT lead for GPC

Blog 2: Background and scene setting

Blog 3: Data Protection Officers

Blog 4: Privacy notices (revised 8th May 2018)

Blog 5: Texts and emails

Blog 6: Articles 6 and 9 deciphered

Blog 7: Subject Access Requests, SARs and TSARs (revised 1st May 2018)

Blog 7a: SARs and TSARs, part two, unfounded and excessive (new 8th May 2018)

Blog 7b: SARs and TSARs, part three, requests can be verbal (new 15th May 2018)

Blog 8: Things to do list, plan, timetable

Blog 9: Fines

Blog 10: Erasure and Portability - NOT!

Blog 11: I'm an LMC - what's in it for me ? (revised 2nd May 2018)

Blog 12: How long is a month ?

Blog 13: Data Privacy Impact Assessment(s) (revised 30th April 2018)

Blog 14: Data breaches

Blog 15: Documentation

Blog 16: Those you employ

Blog 17: Consent

Blog 18: The Myth Buster

The EU GDPR: The Key points for GPs by the Information Governance Alliance

Guidelines on Consent under Regulation 2016/679 (wp259) [adopted but still to be finalised]

Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is "likely to result in high risk" for the purposes of Regulation 2016/679

Guidelines on transparency under Regulation 2016/679

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

Official Section 251 guidance Health Research Authority

DRAFT: Privacy Notice - Care Quality Commission

DRAFT: Privacy Notice - Direct Care - Emergencies

DRAFT: Privacy Notice - Direct Care - Routine care and referrals

DRAFT: Privacy Notice - LMCs

DRAFT: Privacy Notice - National screening programs

DRAFT: Privacy Notice - Payments

DRAFT: Privacy Notice - NHS Digital

DRAFT: Privacy Notice - Public Health

DRAFT: Privacy Notice - Research

DRAFT: Privacy Notice - Commissioning, Planning, Risk Stratification, Patient Identification

DRAFT: Privacy Notice - Safeguarding

Sample exemplary Practice Privacy Notice Dr Neil Bhatia

The UK Caldicott Guardian Council has produced this webpage with further information and guidance too.

Just a bit of light humour....

In the Consulting Room, a mild case of GDPR

This page last updated 20th May 2018
