General Data Protection Regulation (GDPR)
The GDPR came into force on 25th May 2018. In the UK it is supplemented by the Data Protection Act 2018, which received Royal Assent on 23rd May 2018 and replaces the Data Protection Act 1998. Much of the original legislation is essentially unchanged, but changes in practice and guidance over the intervening years (for example 'privacy by design' and privacy impact assessments) have been incorporated into the new legislation, along with some new requirements, for example around transparency, consent and the 'right to be forgotten' (right to erasure).
General guidance on some implementation aspects has been provided by the EU Article 29 Working Party and the Information Commissioner's Office. Specific guidance for the health and social care sector has been developed by a national working party and the Information Governance Alliance: some of this has been released (see under Information Governance Alliance below). The remainder is expected to be released shortly.
In December 2018, the UK Government issued interim guidance on Amendments to UK data protection law in the event the UK leaves the EU without a deal on 29 March 2019.
European Patients' Forum
A guide for patients and patients' organisations.
Information Commissioner's Office (ICO)
Explains the provisions of the GDPR to help organisations comply with its requirements, intended for those who have day-to-day responsibility for data protection. Comprehensive and updated regularly.
Other guidance of particular relevance to health and social care
- Lawful basis for processing
- Consent as a lawful basis for processing
- Legal obligation
- Vital interests
- Special category data
- Data protection impact assessments
- Right to be informed
- Right to erasure
- Right to rectification
- Right to restrict processing
Information Governance Alliance (IGA)
- Changes to Data Protection legislation: why this matters to you
- Frequently asked questions
- GDPR: What's new
- GDPR: Implementation checklist
- GDPR: Guidance on accountability and organisational priorities
- GDPR: Guidance on the Data Protection Officer
- GDPR: Guidance on consent
- GDPR: Guidance on lawful processing
- GDPR: General Practitioner advice note
Future guidance (awaiting approval or planned)
- Privacy by design and default
- Personal data breaches and notification
- Profiling and risk stratification
- GDPR overview
- Primary care suite: optometry, pharmaceutical and dental
- Transparency and subjects' rights
- Social care awareness guidance
Article 29 Working Party
The Article 29 Working Party ceased to exist on 25th May 2018 and has been replaced by the European Data Protection Board (EDPB), which has endorsed the following guidance.
- Data Protection Officers
- The right to data "portability"
- Personal data breach notification
- Automated individual decision-making and profiling
- Data Protection Impact Assessments (DPIA)
Health Research Authority
Medical Research Council
British Medical Association
- General data protection regulation (GDPR)
- GPs as data controllers under the GDPR
- Access to health records (updated to reflect the GDPR)
Medical Defence Union
This page last updated: 18th December, 2018