Data Protection Bill

Written evidence submitted by the Optical Confederation (DPB10)

Briefing on the Data Protection Bill for Commons Committee Stage – concerns relating to clause 7

1. About us

The Optical Confederation (OC) represents the 13,000 optometrists, 6,000 dispensing opticians and 7,000 optical businesses in the UK who provide high quality and accessible eye care services to the public.

We are a coalition of five optical representative bodies: the Association of British Dispensing Opticians (ABDO); the Association of Contact Lens Manufacturers (ACLM); the Association of Optometrists (AOP); the Federation of Manufacturing Opticians (FMO); and the Federation of (Ophthalmic and Dispensing) Opticians (FODO). As a Confederation, we work with others to improve eye health for the public good.

2. Summary of our concerns

· Clause 7 of the Bill uses the same definition of ‘public authority’ as UK freedom of information legislation

· This means that anyone providing primary NHS ophthalmic, dental or pharmacy services in the UK will be defined as a public authority under GDPR, and will have to appoint a statutory Data Protection Officer (DPO)

· This won’t improve the security of patient data. All providers are already tightly regulated, and providers who process healthcare data on a large scale already have to appoint a Data Protection Officer under GDPR, regardless of the Bill

· But the Bill will place an unnecessary regulatory and cost burden on NHS primary care providers that don’t process data on a large scale, including most high street care providers

3. Suggested Amendment

The Data Protection Bill should only impose proportionate requirements on optical providers, in line with the principles of good regulation. Our preferred solution is to amend Clause 7 of the Bill to exclude providers of NHS General Ophthalmic Services (GOS) and other primary care contractors from the definition of ‘public authorities’ for data protection purposes. This would exempt small NHS providers who do not process healthcare data "on a large scale" from the unnecessary and unaffordable requirement of appointing a statutory Data Protection Officer.

4. Further information

Clause 7 of the Data Protection Bill defines "public authorities" and "public bodies" in the same way as the Freedom of Information (FOI) Act 2000. This means that any person providing primary NHS services in the UK will be treated as a public authority under the GDPR and UK data protection law.

Optical practices are private businesses, delivering private health care services (including sight testing) as well as commercial sales. However, nearly all of them provide NHS-funded sight tests under General Ophthalmic Services (GOS) arrangements and therefore, under the Bill as currently drafted, they will be classed as "public authorities". It makes sense for optical practices to be defined as public authorities for the purposes of freedom of information. However, the scope and requirements of the GDPR are very different to those of FOI.

The GDPR requires a body to appoint a statutory Data Protection Officer either if it is a public authority, or if it processes certain categories of data, including healthcare data, "on a large scale". In our view, most high street primary care providers would not meet the GDPR definition of processing healthcare data on a large scale, which was not intended to capture primary care providers as a matter of course.

The current definition in the Bill means that every optical provider, regardless of size, would be required to appoint a DPO – someone with "expert knowledge of data protection law and practices" and the ability to carry out a range of professional functions, including providing advice and training on legal obligations, and carrying out audits.

This requirement isn’t necessary or appropriate for optical providers, which must already meet strict requirements on data protection and patient confidentiality:

· Practices providing NHS sight tests under GOS must already have a named person responsible for issues relating to confidentiality, and those delivering services under the NHS Standard Contract already have to comply with NHS Digital’s data security requirements

· All optometrists and dispensing opticians are tightly regulated by the General Optical Council (GOC) and have to comply with its standards, including requirements to maintain confidentiality, respect patients’ privacy, and ensure staff are aware of their confidentiality obligations. Businesses registered with the GOC must also comply with these rules.

The DPO requirement will be a disproportionate and unnecessary burden on optical practices. This is because:

· A DPO cannot be the owner or manager of the optical practice. They can be an existing member of staff, but practices are unlikely to have (or be able to afford) staff with the required legal and auditing skills. Many optical practices only employ a handful of staff.

· So optical practices would usually need to hire in external expertise to fulfil the DPO role at extra cost, even though it is unlikely to provide any practical benefit for patients in terms of improving data security.

· This cost will be a significant and unnecessary burden for optical practices. Current internet advertising suggests that data protection officers have an average salary cost of £23/hour, but this will of course vary, and may not yet reflect the nature and duties of the new statutory DPO role.

March 2018

Prepared 12th March 2018