ROAN information sheet 16a: Responsible officer function and GDPR (NHS England responsible officers)
All organisations holding personal information need to meet the General Data Protection Regulation (GDPR), which came into force on 25 May 2018.
It may help to bear some important principles in mind in relation to the GDPR and the responsible officer functions:
- Broadly speaking, the GDPR is intended to bring parts of the commercial sector into line in terms of their use of customers’ data for purposes far beyond what the customer thinks they have consented to.
- By comparison, the data held by designated bodies about their doctors is for managing professional standards in a work context. There are undoubted responsibilities in terms of the security and confidentiality of the information held, but these are not new. In other areas the GDPR is perhaps of less impact in the context of the responsible officer’s duties; for example, there is minimal scope for passing data to commercial third parties.
There is some scope for a responsible officer to pass data to third parties, for example to the GMC when a doctor is being referred for Fitness to Practise procedures. However, this is relatively uncommon and often does not require consent, being governed by statutory regulations (though it is good practice to keep the doctor informed).
NHS England has existing written policies covering the information held about doctors for appraisal, revalidation and the process for responding to concerns. The statutory basis of the responsible officer function means that the GDPR does not alter the fundamental basis of these policies.
The GDPR does not necessitate a fresh communication with all individuals on existing databases. NHS England will continue to make its existing privacy information available to all existing and new data subjects. These policies already define arrangements for the retention and deletion of information about doctors, balancing statutory requirements towards patient safety with the rights of the individual under the GDPR.
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
- Data Protection Act 2018, Chapter 12
- Information Commissioner’s Office guidance on GDPR
- Information flows to support medical governance and responsible officer statutory function
- NHS England Appraisal Documentation Access Statement
- NHS England Corporate records retention and disposal schedule and guidance
This information sheet is relevant primarily to NHS England responsible officers.
Released May 2018.