1 Preparing for the GDPR: Helping us to help you
2 Purpose of the Workshop: To give an update on the ICO and NHS England’s work to support preparation for the GDPR; to establish a dialogue for issues to be raised
3 Transparency
4 Consent
5 Pseudonymisation
6 Guidance is being published
7 GDPR Working Group: Aims to support NHS, social care and partner organisations in preparing for the requirements of the EU General Data Protection Regulation when it comes into force in May 2018. Membership from arm's-length bodies and other stakeholders.
8 GDPR Working Group - Membership: Department of Health; Health Education England; Department of Culture Media and Sport; Information Governance Alliance; Care Quality Commission; Public Health England; National Institute for Health and Clinical Excellence; Health Research Authority; NHS England; North East London CSU; NHS Digital; PHG Foundation; NHS Improvement; Local Government Association; NHS European Office; UCL Partners; Pennine Care NHS Foundation Trust
9 GDPR Working Group - objectives: to provide self-help and mutual support, supporting alignment across the system; to develop a clear understanding of the issues that health and social care organisations will need to address to comply with the GDPR; to commission guidance from the IGA in areas that would benefit from a shared sector-specific approach; to ensure that this guidance complements guidance developed by the ICO and is appropriately targeted; to provide DCMS with recommendations on derogations.
10 GDPR Working Group - comms: Communications / guidance to be aimed at the following groups: IG professionals; the wider health and social care community; senior management; citizens
11 Headline issues - derogations: Age of consent for the offer of ‘information society services’ (Art. 8); Criminal convictions (Art. 10); Restrictions (Art. 23); Research and statistics (Art. 89); Professional secrecy (Art. 90)
12 Headline issues - derogations: Automated decision-making (Art. 22); National ID numbers (Art. 87); Prior consultation with ICO (Art. 36); Right to be forgotten to require or prevent erasure (Art. 17)
13 Headline issues – derogations: Existing legislation requiring ‘proportionality’ (Art. 9. 2(g)) ‘substantial public interest’ conditions (2000 Order under Sch 3. 9(2)) prevention and detection of unlawful acts; malpractice etc. Subject access exemptions (3 Orders, 2000) must: prevent abuse or unlawful access or transfer; mitigate any risks to the rights and freedoms of data subjects; ensure that restrictions are necessary and proportionate
14 Headline issues: ‘Accountability’; Pseudonymisation: interpretation and application; Mandate for Data Protection Officers; Fair processing: detailed and specific requirements – tension with ‘..easily accessible’; Requirements for consent: implications where ‘explicit consent’ used….
15 Headline issues: Right to be forgotten: in particular where consent is used under Articles 6 and 9; Alternatives to ‘legitimate interests’ justification for public authorities; Conditions for processing special categories: ‘substantial public interest’, Health and social care, Public health, Research and statistics
16 QUESTIONS AND DISCUSSION