Nicola While: The new EU law for data protection and its impact on healthcare

The provision of healthcare in the UK is often significantly affected by EU legislation despite member states guarding the right to define national health policy and to organise and deliver their health services and medical care.

It is often legislation that does not specifically mention health, but covers all sectors, that has the greatest impact. A well-known example of this is the European Working Time Directive.

A fresh example is about to be added, following the publication of the European Commission’s proposal to update the 1995 Data Protection Directive, which forms the basis for the 1998 UK Data Protection Act.

The proposal sets out rules on personal data protection and processing, and will result in UK data protection law being amended. Furthermore, the commission is proposing to replace the current directive, which allows for some flexibility in national interpretation, with a regulation that means member states must implement the text exactly as written with no room for manoeuvre.

This looks likely to have the most impact on GP surgeries, clinical commissioning groups, medical academics, and the wider NHS. The thrust of the proposal is to give people easier access to their data, and the ability to transfer the data between providers.

The data subject will have the right to obtain a copy of their data in a portable electronic format. There is concern that this could affect health records, which might not be structured adequately for further transmission, and which might be altered by patients. GPs and NHS organisations will not be able to charge fees for such data requests. In addition, GPs will be obliged to transfer personal data to third parties, such as insurance companies, at the request of patients and without the right to object.

Failure to respond within a tight time frame to requests or to maintain detailed documentation on all data processing activities could lead to heavy fines.

All authorities that process data must appoint designated data protection officers. In addition, only organisations that carry out public authority work will be exempted from making detailed impact assessments on the processing of data. This could mean that healthcare professionals with a mix of public and private work could have to carry out impact assessments for their private work. The use of data for research purposes and related issues of consent are also covered by the proposal.

The proposals will now be debated by national governments and MEPs. The UK healthcare sector seems keen to ensure that the legislation continues to protect patient confidentiality whilst facilitating health services and medical research, and does not pass a significant administrative burden to GP practices and other healthcare providers.

Nicola While is the BMA’s EU policy manager and is based in Brussels.