
More About GDPR And The NHS Privacy And Security Toolkit

by Adam Brogden

07-Jun-2019 15:37

The NHS Security and Protection Toolkit has over 70 different questions relating to data protection and data security. Many of these relate to GDPR principles, although they don’t specifically refer to GDPR. Your GDPR packs will help you meet all these requirements, and we will of course help you understand how these apply to you. For more info, take a look at the following article from The King’s Fund. (The King’s Fund, 28 May 2018, found at:


The General Data Protection Regulation (GDPR) is designed to modernise data protection law against emerging challenges. These challenges include the growth of advanced machine learning techniques, for instance, which have led to an intensified interest in what these tools can do with big datasets, like those held by the NHS. The new regulation has a big impact on any large-scale collectors of data (Parliament Street 2018). GDPR should not change anything fundamental about what the NHS can do with patient data, but some elements are important to highlight.

First, ‘explicit consent’ is harder to achieve under GDPR than under CLDC (Information Governance Alliance 2018). Using explicit consent as a legal basis for sharing data requires organisations to be specific about the purpose for which it is being obtained and to document the consent. This may be possible for data collected for specific research projects, but it is unlikely to be possible for many secondary uses. Guidance from the ICO and IGA suggests that NHS organisations should rely on other alternatives to consent for GDPR purposes (Information Governance Alliance 2018).

The GDPR strengthens rights that individuals have over data about them (Information Commissioner’s Office 2017a). Both the right to object and the opt-out (which are different from each other) must be honoured by health organisations.

Under GDPR, the way in which ‘pseudonymised’ data is processed could require increased safeguards and controls for the use of this data for planning and research, and make using patient data for these reasons more challenging. Some argue that the purpose of GDPR is not to remove the pseudonymised status of data that currently permits many secondary uses (Mourby et al 2018), but the current lack of ICO guidance makes this difficult to assess.


Good luck all.