GDPR and its impact on storing patient records

Making clinical records regarding your patients is part of your clinical duty, as is and retaining them for certain minimum periods of time stated in the relevant regulations . From a medico-legal perspective, patient records are just as vital. In the event of a complaint, claim or regulatory action, your clinical records are your first line of defense. Without them it is extremely difficult to prove how the patient presented when you saw him or her, what your advice or warnings to the patient were, or even what precise treatment you provided. Even if you happen to remember the patient and your consultations clearly, courts and tribunals are extremely reluctant to rely on a clinician’s recollection if there is no documentary evidence to back it up.

Ensuring that patient records (and other patient data) are kept safe is also a legal requirement, which will imminently be affected by the General Data Protection Regulation ('GDPR') which will have effect across the European Union on 25 May 2018.

GDPR will form part of UK domestic law from May 2018, (and its provisions are likely to continue in force following Brexit). GDPR is a European law, so it needs to be incorporated into UK law by a statute. At the time of writing the precise wording of that statute has not been finalised, and certain amendments to the Data Protection Bill were awaiting consideration by the House of Lords.

“While some uncertainty remains about precisely how GDPR will apply in the UK, you should, of course, do your utmost to inform yourself about GDPR and use such guidance as is available to become 'compliant' before 25 May 2018. The ICO has published information for healthcare professionals at, including further guidance and resources for use in healthcare practice, and this would be an excellent place to start.

However, just as with any new law, there will inevitably be a period of uncertainty while the full practical implications of the new requirements become clear, and reliable guidance emerges in response (for example from the ICO or the GMC). It might take even longer for disputes arising out of the new law to be decided by the Courts and become precedents to provide clarification. Accordingly, you should not treat 25 May 2018 as the end of your work to become GDPR-compliant, but the beginning. Adapting your processes and procedures to respond to updated guidance as it emerges is likely to be necessary for months and possibly even years to come.

It is vital to know this because the GDPR obligations will apply to individual self-employed surgeons in exactly the same way as they will to large hospitals. Being a self-employed consultant with less expertise and fewer resources to deal with data protection compliance requirements than a large organisation might will not be a defence in the event of a data protection breach. At the same time, there will be significantly higher penalties for data breaches – a maximum fine of “4% of global annual turnover” or €20 million (whichever greater) for the most serious of infringements.

Over this period of legal change and uncertainty, self-employed surgeons will need all the assistance and support they can get to run their practices in a safe and compliant manner, without data

protection issues taking up a disproportionate amount of surgeons' precious time. The assistance available to Incision members includes a 24/7 medico-legal helpline provided by DWF LLP. This article is an extract of a more detailed and extensive guidance note available only to Incision members.