The UK GDPR requires practices to process data ‘fairly’ and in a ‘transparent manner’ which is ‘easily accessible and easy to understand’. This means that practices must provide patients with information, in the form of practice privacy notices, about how the practice processes patient data.
The Information Commissioner’s Office suggests that a blended approach can be used to provide privacy information, for example, use of the practice website and posters in waiting areas.
The NHS has developed a template privacy notice.
The BMA has also developed a template poster and privacy notices (below) to help practices deliver their own privacy information. The wording should be edited to suit each practice’s individual circumstances.
Privacy poster
The poster must provide basic information which explains to patients how their medical records are shared.
An additional option is to use the practice’s phone system to play a recorded message which reminds patients to look on the website for information.
The poster should signpost where the more detailed practice privacy notices (PPNs) can be found.
Practice privacy notices
The four template PPNs (practice privacy notices) are a suggested way for practices to start developing more detailed information for patients. Practices should amend and add wording as relevant. The PPNs cover:
- provision of direct care
- medical research and clinical audit
- legal requirements to share
- national screening programmes.
The key information for patients is displayed first. The ‘legal small print’ should be shown on a separate page or on the reverse side of an information sheet/leaflet.
The information contained in this document is for general guidance only and cannot be relied upon as legal advice. The BMA accepts no liability for the accuracy of the information contained herein. You should always obtain specific legal advice separately before taking any action based on the information provided herein or if you are unsure as to how to act in any situation.