
Changes to Data Protection Laws and the NHS


The European Union has spent 4 years debating proposed reforms to data protection laws. During that period a number of proposals have led to conjecture and uncertainty about what these reforms would mean in practice.

Agreement has now been reached on the final proposals (subject to European Parliamentary approval in January 2016). The finer detail is to be agreed, but the intent is that data protection legislation will change in 2018. At this stage, whilst organisations can anticipate with more certainty what the broad changes will be and can plan for some of them, the finer detail may still spring a few surprises or have unintended consequences.

Proposed changes will have a significant impact on any system or redesign activities where deliverables or benefits realisation are not anticipated until 2018 onwards.

Proposed Change


  • Organisations will be forced to report data breaches that are likely to harm individuals within 72 hours

  • This is likely to have a disproportionate impact on health and social care providers who by default process data that is either sensitive or could cause harm by its uncontrolled release.

  • Organisations will have tighter restrictions on how they use individuals' data and will face fines for misusing personal data

  • This will impact on the secondary use of data, the “big data” agenda and any benefits realisations that organisations hope to obtain by implementing new systems

  • The relationship between providers and commissioners will probably be affected, especially data sharing agreements under contract which enable the latter to undertake their activities

  • This will also impact on large scale reorganisations involving health and social care

  • Fines of up to 4% of revenue for breaking the law

  • The current maximum is £500k per incident and this potentially represents an 8-fold increase for organisations that have revenue in excess of £30m per annum

  • Explicit consent will have to be obtained to use individuals' data

  • Implied consent as a concept will need to be phased out (culturally and organisationally) and organisations will need to be able to demonstrate that there are “no surprises” for individuals in terms of how their personal data is being used and processed

  • The practical reality is that health or social care providers will need to adopt practices that are common in the private sector, e.g. notifying service users in advance if the organisation changes its name or merges

  • Appoint a data protection officer to oversee privacy issues

  • What this means in practice is unclear and has been subject to much discussion

  • This is likely to have a disproportionate impact on IG provision within organisations

  • Additionally, the Caldicott Guardian role is likely to be affected, e.g. options would range from phasing the role out through to making it more directly accountable in the same way as the SIRO

  • The “right to be forgotten” will be enshrined in legislation i.e. obsolete information about individuals to be removed from the web

  • Organisations will need to ensure that their web management processes and practices (especially content management) do not lead to an inadvertent breach

  • Teenagers under 16 wishing to sign up for social networks such as Facebook and Twitter will be able to do so only with their parents’ permission, unless individual countries opt out and lower the threshold to 13

  • This is likely to impact on identity management issues as organisations seek to allow service users direct electronic access to their data

  • There was also a proposal that this apply to email accounts as well

  • This is also likely to be an area where organisations will need to consider how they deal generally with individuals under the age of 18 and how consent to process data is obtained
