GDPR: six months on

The General Data Protection Regulation, along with the Data Protection Act 2018, replaced the Data Protection Act 1998 on 25 May 2018. Here we address some of the common misconceptions about the legislation six months after it came into effect. 

1. Information about a person is not personal data if it is incorrect

Personal data covers both facts and opinions, even if the information is inaccurate, as it relates to the individual. It can be in any format and can be anything from name, address and job title to IP address and CCTV footage.

Personal data is information that relates to a living individual and can directly or indirectly identify them. Therefore, if you have personal data relating to deceased individuals, such as the mortality rates of children, this will not be covered by data protection legislation (although you may still have to comply with other laws such as duty of confidentiality).

2. You have to delete everything to stay compliant

You don’t have to delete everything containing personal data to stay compliant. In fact, the regulation places more of an emphasis on documenting activities in order to demonstrate compliance. What it does state is that information shouldn’t be collected more than necessary and should not be kept for longer than is necessary.

3. GDPR won’t apply when Britain leaves the European Union

GDPR will still apply after the UK exits the EU as the Data Protection Act 2018, which also came into effect in May 2018, complements GDPR. The DPA 2018 applied GDPR to UK law as well as allowing the UK to set its own rules in areas where GDPR allows member states to make their own law.

4. I can’t collect or share anything without consent

Consent is just one lawful basis for processing personal data - there are five others: contractual agreement, legal obligation, vital interest, public interest and legitimate business interest (can only be used by non-public organisations). For example, under vital interest, if someone is having a severe allergic reaction and cannot give consent, you can share information about them in order to save their life.

It is worth remembering that implied consent in healthcare under the common law of duty of confidentiality is not the same as GDPR consent. There may be cases when sharing data in healthcare where implied consent is used to satisfy the common law duty of confidentiality but under GDPR another legal ground for processing is used, such as public interest. The National Data Guardian has recently been investigating this by assessing what patients’ reasonable expectations are in terms of how their personal data is shared in healthcare. More information on this work can be found here: our January 2018 Citizens’ Jury and Report of our October 2017 workshop (PDF). It is also worth noting that the Caldicott Report sets out six principles that aim to ensure patient data is protected and shared appropriately.

5. GDPR only affects organisations, not individuals

GDPR affects everyone, and individuals now have more control of their personal data. Privacy notices tell individuals about their rights, including accessing and editing the data held about them, and people more control of contact preferences to be able to choose the communications they receive.

You can update your details and mailing preferences any time through your online account.

6. Putting in a right to erase will delete my entire online presence

The right to erasure, also known as the right to be forgotten, is one of the rights of individuals. This did exist under the Data Protection Act 1998, but under GDPR it has been more explicitly defined. Like all rights, the right to erasure only applies in certain circumstances. Personal data can only be erased if the data is no longer necessary to the reason it was collected, the reason the data was collected or processed is no longer valid (eg consent has been withdrawn) or if the data was processed unlawfully.

If the request is accepted, some information may need to be kept as a record the request took place.

7. Everyone’s personal data is the same

Special category data, which includes information about a person’s health, their political or religious views, their race and their sexual orientation, needs to be processed in a more specific way. Because it is more sensitive, it needs more protection. Like other personal data, special category data needs to be collected and processed under a lawful basis, but it also need to fulfil another condition listed in the regulation. Current legislation also includes genetic and biometric data as special category data, which previously wasn’t included.

Another new feature of GDPR is that children’s data requires more care. If processing data of CYP under the age of 13 within an online environment (information society service), parental consent is needed, and the young person should understand what happens to their personal data and their rights. Children have the same rights as adults over their personal data - they can request access, a copy of their data, for their data to be edited and deleted. 

Further information

If you’d like to find out more about the GDPR changes which will be taking place, please see the ICO website. If you have any specific questions about the RCPCH’s data protection policy please contact information.governance@rcpch.ac.uk