You've probably had a flurry of emails over the past few months from companies asking for your consent to keep hearing from them.
This is because of the new General Data Protection Regulation (GDPR) which became law in the UK on 25 May 2018.
GDPR is about a lot more than just controlling the stuff that's clogging up your inbox.
While information governance regulations may not jump off the page, this is a very important change in the law and it’s worth understanding some important aspects.
This new law underpins how everyone, including the health service, should handle people’s personal information. It sets out people’s rights and the rules that data processors (like us) have to abide by.
GDPR means that people have a right to be informed. That means they are entitled to know how their data is collected and used. This applies to private companies as well as government.
Information has to be provided in a clear and simple way so people can understand what we’re doing with their data.
Screening privacy notice
We have just published a new and updated version of our privacy notice, which we also refer to as our guidance on patient confidentiality in the NHS population screening programmes.
It’s really important that screening providers understand the implications of GDPR so please do take a look at the information in the guidance and familiarise yourselves with it. The privacy notice sets out:
- what data we hold
- why we hold it
- how we keep it safe
- the legal basis on which we hold it
Under GDPR, people have a bigger range of rights. Some new ones you may have heard of in the news, such as the ‘right to be forgotten’. This means that people can ask for their personal data to be erased.
The guidance explains what the subject’s rights are in relation to the data we hold.
For example, can they ask that we forget them even if their data is contributing to the safety of the programme as a whole? With this example you can see why this may cause harm to others and this is why some rights are not absolute.
We have developed a simple, single explanation of the processing of data by Public Health England (PHE) and the NHS for screening services.
We didn’t want to develop separate privacy notices for each screening programme because even though they collect different data, the principles are the same.
In addition, we didn’t want to create a long document full of small print that people would not read. So the document is a summary of the complex range of data processing that the programmes do.
Because people may want more detail, we explain how they can get in touch with us to find out more about what we do with their data and how to exercise their rights.
We’ll be reviewing the information in a few months so please do let us know via the PHE screening helpdesk if you think anything’s unclear or there's anything we haven’t answered.
We obviously can’t go into huge amounts of detail about GDPR in every screening leaflet we publish.
But it’s important that we make clear that data is collected and processed safely and that we signpost people to the privacy notice for more information. So we’ve added some agreed standard wording to each leaflet.
Each leaflet now says:
Find out how PHE and the NHS use and protect your screening information at www.gov.uk/phe/screening-data
For the young person and adult screening programmes, we also include a clear statement about opting out of future invitations:
To opt out of screening, see www.gov.uk/phe/screening-opt-out
While our online leaflets now include this text, it may take a little longer for this to filter through to the printed leaflets as it depends when printing takes place.