GDPR 20 months on

05 December 2019

Q. GDPR was enacted in the EU in May 2018. Has there been smooth adoption from general practice in Ireland?

For many practices, the transition has been a relatively smooth process as we come to terms with the subtle working differences. The ICGP document: Processing Personal Patient Data: A Guide for General Practitioners has been endorsed by the office of the Data Commissioner and is a robust reference for practices. The document has recently been updated to version 2.3. For any practices struggling with the concept, it's an excellent time to address the main issues and steps needed to be GDPR compliant.

As we store and share patient information both electronically and on paper, we have a responsibility to ensure this is done securely. This makes us, the GPs, the data controllers. We have to be able to show that we have data protection agreements with anyone who can access the patients' information. This includes not just the surgery staff, but also GP software companies, Healthlink, the practice computer maintenance person, visiting medical students, trainees and practice interns.

We must appoint someone within the practice to be the data officer, the person responsible for ensuring all GDPR documentation is stored in a folder that can be assessed by the Data Commissioner in the event of a breach. Any breach of your data must be reported to the Data Commissioner's office within 72 hours of discovery. In practice, the violations will most likely occur with ransomware attacks, but could include anyone accessing patients' notes illicitly. It is our responsibility to ensure the patient records are stored as securely as possible. If your practice is unfortunate enough to be investigated and the proper security safeguards are not in place, you could be fined and potentially sued by affected patients. Ensure this checklist is complete:

For more information see http://www.icgp.ie/data