Contents
1 The importance of protecting personal data
2 Scope of the document
3 What is personal data?
4 Individuals’ rights under the General Data Protection Act (2018)
5 BLRS data management responsibilities
6 BLRS data management expectations
7 BLRS Registry and data protection
8 Sources of further information
1 The importance of protecting personal data
The British Limb Reconstruction Society is committed to facilitating high standards of practice in limb reconstruction and patient care. In order to achieve this we need to build and maintain good relationships with colleagues, patients and patient groups, national representative organisations and industry partners.
To help maintain these good relationships the BLRS and BLRS Executive Committee must adhere to high standards in respect of the managing, storing and disposing of personal data entrusted to us.
The advent of GDPR has prompted us to give careful consideration to the way in which the BLRS administers personal data and to set out a concise policy to guide members and committee members.
2 Scope of the document
This document summarises the key points of the BLRS Data Protection Policy.
The expectation is that the BLRS Executive Committee will conform to this policy to ensure good practice in the management of personal data.
If further clarification is required please contact the following in the first instance:
BLRS Secretary – blrs.secretary@gmail.com
3 What is personal data?
Personal data is information relating to an identified or identifiable person. An ‘identifiable person’ is someone who can be identified directly, or indirectly by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural or social identity.
4 Individuals’ rights under the General Data Protection Act 2018
In any event it is good practice to protect personal data entrusted to the BLRS.
The General Data Protection Regulation (GDPR) came into force on 25 May 2018 to unify data protection regulation within the European Union (EU), and is designed to hand back control to EU citizens and residents over their personal data.
GDPR has been incorporated into UK law by means of the Data Protection Act 2018.
Following the departure of the United Kingdom from the European Union at the end of 2020, GDPR has been retained in UK law and will continue to be read alongside the Data Protection Act 2018.
From 25 May 2018 onwards anyone who entrusts the BLRS with their personal data has the right to:
1. Be informed about how their data will be used, stored, retained and/or disposed of.
2. Request all the personal data we hold on them within 30 days of asking for it and in a form that the person can use easily.
3. Request inaccurate data we hold on them be corrected within 30 days of notifying us.
4. Request the deletion of any unnecessary personal data we hold on them.
5. Restrict the processing of their personal data, and
6. Object to the Information Commissioner’s Office if they are unhappy with the way we are managing their personal data – and organisations need to ensure that individuals can register such complaints easily. The BLRS is registered as a data controller with the ICO, certificate number ICO: 00015691599.
5 BLRS data management responsibilities
Given the importance of protecting personal data under UK law, the BLRS has clear and specific responsibilities regarding personal data. We must:
1. Collect personal data for specific and legitimate purposes only.
2. Process personal data only on the grounds by which we can process it lawfully, fairly, and in a transparent and compliant manner.
3. Store personal data in a form that does not allow the individual to be identified for longer than is needed for the purpose for which their data is being processed.
4. Ensure personal data is accurate and up-to-date, and
5. Treat any sensitive personal data (data pertaining to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data) with extra security, keeping it electronically only in encrypted and/or pseudonymised form.
6 BLRS data management expectations
We expect all members working on BLRS matters to:
1. Understand and follow the BLRS Data Protection Policy and procedures, and ensure that colleagues do the same.
2. Challenge colleagues’ behaviours and activities constructively where they do not comply with the BLRS Data Protection Policy.
3. Explain to individuals clearly at the point we gather personal data the reason why we are collecting it, how long it will be used, how long we will keep it, and the lawful basis under which we are collecting it.
4. Obtain clear and explicit consent from an individual (where it is required) when we collect their personal data.
5. Minimise any detrimental risk to the owner of the personal data by storing and protecting personal data safely, transparently, in line with the BLRS Data Protection Policy, and in a way that allows it to be accessed quickly if required.
6. Actively monitor any personal data we hold to ensure it remains accurate and up-to-date; and correct or dispose of any inaccurate or out-of-date data within 30 days of it being identified either by the individual or through monitoring.
7. Respond quickly to any request for access to personal data held, to ensure that we can provide it to the individual within 30 days of receiving any such request.
8. Identify and repair any significant breaches of personal data and report such breaches to the BLRS Executive Committee as soon as possible.
7 BLRS Registry and data protection
The BLRS is no longer running registries for clinical outcomes of lengthening nails and tibial pilon fracture fixation in conjunction with Amplitude.
8 Sources of further information
More information related to GDPR and the Data Protection Act 2018 can be found as follows:
Information Commissioner’s Office (2)
The GMC (3)
Which? Consumer Rights (4)
Simon Britten & Om Lahoti
BLRS Executive Committee
February 2021
(2) https://ico.org.uk/
(3) https://www.gmc-uk.org/ethical-guidance/ethical-guidance-for-doctors/confidentiality/managing-and-protecting-personal-information
(4) https://www.which.co.uk/consumer-rights/regulation/general-data-protection-regulation-gdpr