First Practice Management
- Posted Wednesday April 17, 2019
Two recent reports from the Information Commissioner’s Office (ICO) demonstrate the need for GP practice managers to stay compliant with GDPR and the Data Protection Act 2018.
A former GP practice manager has been fined for sending personal data to her own email account without authorisation. The former PM, who was working at a practice in Derby, admitted unlawfully accessing personal data and was fined £120, plus £364 costs.
Sharing Data with Third Parties
A second recent case involved Bounty, a pregnancy and parenting club that collected personal information as part of its membership registration process. However, the company also operated as a data broking service and shared some data with third parties.
Bounty was found to have breached the Data Protection Act 1998 and was fined £400,000 for sharing personal information without being fully clear with its members that it might do so. The personal information shared was not only that of potentially vulnerable new mothers and mothers-to-be but also that of very young children, including the birth date and sex of a child.
A Personal and Professional Risk
The potential risk to GP practices of a data breach, or simply of not being clear about how we share personal data, can’t be overstated. The risk is both financial and reputational for the individuals involved, as in the case of the practice manager who unlawfully accessed personal data.
Falling foul of these laws could undermine patients’ trust in their GP practice and result in some patients choosing to re-register elsewhere. It’s very important to be mindful and make sure your documentation is up to date – FPM members may find it useful to visit our GDPR Toolkit to look at the range of documents on offer.
The Cost of Breaching GDPR
It’s notable that both of the above examples were actioned under the DPA 1998, with its lower applicable fines. Due to the timing of the investigations, the maximum financial penalty for those involved in the cases was £500,000.
However, GDPR and the DPA 2018 have since given the ICO strengthened powers. Since 25 May 2018, the ICO has had the power to impose a civil monetary penalty on a data controller of up to £17 million.
This means that any person or organisation who behaves similarly and breaches the new Data Protection Act could find it to be a far costlier error, so the need to be compliant and minimise the risk of potential breaches is critical.
Do you and your staff know how to stay compliant with Data Protection laws – and why it’s so important? Thornfields’ half-day GDPR training course can help you understand GDPR, its strategic drivers and its operational implications.