GDPR and the Friends and Family Test

10th May 2018

Pretty much everyone has had to get to grips with another new acronym recently. I am of course talking about GDPR, or the General Data Protection Regulation. This new regulation governs how organisations can collect and process personal data from their members, customers, patients – indeed anyone!

With GDPR coming into force on May 25th, there’s been a lot of discussion about what this means for those NHS organisations carrying out the Friends and Family Test (FFT) – in particular for those who use methods such as SMS to collect this useful source of patient feedback. Given that there are six conditions that allow for the collection and processing of personal data under GDPR, we reached out to NHS England earlier this year to get their view on how this would impact Trusts.

Last week NHS England published their guidance on how to manage the FFT in light of GDPR.

The good news is that NHS England are advising Trusts that “processing personal data for this purpose [FFT] is part of exercising the organisation’s official authority”. This is one of the six legal grounds for obtaining and processing personal data under the new GDPR rules. Given their argument that NHS Trusts are fulfilling their legal obligations under the NHS Act of 2006 (through the discharge of the NHS Standard Contract), they do not need to rely on consent for carrying out the FFT by SMS. For those Trusts collecting all data onsite (say via paper or through tablets), NHS England have stated “GDPR should have no effect on the running of the FFT if your organisation does not use an individual’s personal data in order to collect FFT feedback.”

So while GDPR will not prevent Trusts from carrying out the FFT, there are still a number of actions recommended by NHS England to ensure full compliance. These specifically relate to providing clear information to patients about how data collection and processing is carried out. For full details, see the NHS England guidance.

If you have further questions, we’re happy to discuss. Indeed, over the last few months we’ve been keeping our NHS clients abreast of all the latest news and thoughts on GDPR. This has included user groups, webinars and a series of GDPR-specific newsletters.