BDA heralds potential breakthrough on GDPR

Following months of lobbying the British Dental Association has welcomed news that Lib Dem MP Christine Jardine has tabled its suggested amendments [1] to the Data Protection Bill to save primary care providers from needless financial burdens.

The simple change would specifically exempt small NHS providers from the costly burden of appointing a dedicated Data Protection Officer (DPO). The BDA has been working closely with partners at the Optical Confederation, the National Pharmacy Association and the Pharmaceutical Services Negotiating Committee, urging both government and opposition MPs to exempt dentists, pharmacists and opticians from this expensive and unnecessary new requirement.

Primary care leaders have argued that the current draft Bill goes well beyond the requirements of the General Data Protection Regulation (GDPR), which does not require health providers to appoint a DPO unless they process healthcare data “on a large scale”.

Most high street NHS primary care providers do not process data on a large scale, but are set to be covered by this onerous new duty by virtue of being defined by UK legislation as “public bodies”. The BDA has estimated that outsourcing this service may well cost even the smallest practices in excess of £5,000, with some members reporting quotes from potential contractors of over £10,000 a year. Amendments will be considered at the Bill’s Report Stage, which is likely to take place in the second week of May [2].

News comes as primary care leaders have written again to the Department for Culture Media and Sport, urging Secretary of State Matt Hancock to change tack.

BDA Chair, Mick Armstrong, said: “We have been making the argument for a simple amendment that would protect small NHS providers who were never meant to be captured by these regulations.

“We want to thank Christine Jardine MP for her support. This common sense move wouldn’t cost taxpayers a penny, is non-controversial and nonpartisan, and remains entirely consistent with the stated intentions of the GDPR.

“This small change can make a big difference, saving hard-pressed high street health providers from needless pain. Together with our partners across primary care we urge parliamentarians on both sides of the house to offer their support.”

[1] https://publications.parliament.uk/pa/bills/cbill/2017-2019/0190/amend/data_rm_rep_0424.8-14.html

Clause 7, page 5, line 24, after “subsections” insert “(1A),”.                                                  

Clause 7, page 5, line 24, at end insert—

“(1A)

A primary care service provider is not a “public authority” or “public body” for the purposes of the GDPR merely by virtue of the fact that it is defined as a public authority by either—

(a) any of paragraphs 43A to 45A or paragraph 51 of Schedule 1 to the Freedom of Information Act 2000, or

(b) any of paragraphs 33 to 35 of Schedule 1 to the Freedom of Information (Scotland) Act 2002 (asp 13).”

[2] https://services.parliament.uk/Bills/2017-19/dataprotection.html