Data Protection Act and EU General Data Protection Regulation
- As a practitioner your organisation may be the record holder, but you have responsibilities under the Data Protection Act and, from 25 May 2018, the EU General Data Protection Regulation (GDPR) and the updated Data Protection Act 2018 (DPA 2018).13 The Optical Confederation has issued guidance on the GDPR and DPA 2018 (see useful information and links). You should be familiar with the Act and the GDPR. For optometrists, the key points are:
- keeping accurate patient data
- using the data for specific purposes
- amending inaccurate data and responding to objections from patients if the use of the data causes harm or distress
- keeping the data no longer than necessary. Suggested lengths of time for retaining records:
| Type of record | Recommended period of retention |
| --- | --- |
| Adult patients | 10 years after they were last seen, even if the patient has subsequently died. |
| Children and young people | 10 years after they were last seen, or until the patient's 25th birthday if that is later. If the child or young person has died, keep the records for 10 years after they were last seen. |
- keeping the data confidential and secure. See the section on Confidentiality.
- enabling patients, or an applicant acting on behalf of a patient, to access their data for as long as you keep the records.14 You must be sure that the applicant has a right to see the data, either because they have written authority from the patient or because they hold Power of Attorney. Access to the record must be given within the time limit set out in the Act, and the GDPR requires that, if a patient asks for a copy of their record, it is provided free of charge in most instances.
- assisting the patient to understand their record by explaining its content and abbreviations
- satisfying yourself that there is no further need of the record before destroying it
- disposing of any records securely, and
- noting that, if you, or your organisation, acquire a patient record, the obligations under the Data Protection Act and GDPR transfer to you as the new owner.
- Most organisations that process personal information are required by law to register with the Information Commissioner; some organisations are exempt from this requirement.15
13 Data Protection Act 2018
14 Information Commissioner’s Office (2013) Guide to Data Protection. Principle 6: Subject access request [Accessed 27 Jul 2018]
15 Information Commissioner’s Office. Register (notify) under the Data Protection Act [Accessed 26 Oct 2017]