The obtaining, storage and transmission of private data is a very sensitive topic, especially for the health sector which handles the most confidential kind of personal data (that relating to the personal health of an individual). This is a subject which is seemingly never far from the public eye. Indeed, the Financial Ombudsman Service in its most recent Ombudsman News has published case studies focusing on breaches of sensitive data, and in particular where consumers were worried that their personal information had been misused.
In this article we consider the problems caused for the health sector where breaches in the handling of sensitive data have occurred and examine whether any lessons can be learnt as a result.
The legal position
The basic principles of data protection and the treatment of sensitive data are enshrined in the Data Protection Act 1998 (DPA 1998). However, the obligations which a third party “data processor” owes to a patient are not determined by ownership of the records themselves, but rather by who determines the purposes for processing that data (ie, “the data controller”). This is a huge area, and by necessity this article focuses only on those issues arising from the storage of DPA protected records, and not on issues arising from the storage of non-DPA protected records.
Medical records are deemed to be "sensitive personal data" within section 2(e) DPA 1998 (the definition can be found here). Also, under the DPA 1998, if you handle and store information about an identifiable, living person, you are legally obliged to protect that information. In particular, you must:
- Only collect information you need for a specific purpose
- Keep that information secure
- Ensure it is relevant and up to date
- Only hold as much information as you need and only for as long as you need it
- Allow the subject of the information access to it on request
Furthermore, where sensitive data is concerned, schedule 3 of the DPA 1998 sets out that where it is processed, then at least one of the following conditions must be met:
- The subject has given specific consent to the processing.
- It's necessary for the performance of an employment law obligation imposed on the data controller.
- It's necessary to protect the vital interests of the data subject or another person.
- The data is for the legitimate activities of political, philosophical, religious, trade union or other not for profit organisations.
- The information has been made public by the data subject.
- It's necessary for legal proceedings.
- It's necessary for the administration of justice, the exercise of functions conferred under an enactment or exercise of functions of the Crown, minister of the Crown or government department.
- It's necessary for medical purposes undertaken by a health professional or a person who owes an equivalent duty to that owed by a health professional.
- The information relates to racial or ethnic origin necessary for reviews of equal opportunity or treatment.
- It is by consent of the Secretary of State.
The Information Commissioner’s Office (ICO) is the body responsible for the enforcement of any breach of the DPA 1998. Also, under the remit of the Health and Social Care Information Centre (HSCIC), any incidents of breach must be reported, using the Information Governance (IG) Toolkit Incident Reporting Tool, to the HSCIC. This information is reported to other regulators, including the Department of Health and the ICO. From February 2015, the ICO’s powers were extended, and it was given powers to audit the NHS for compliance with the DPA, as well as public healthcare organisations. The audits review how patients’ personal information is handled, including the security of data, record management and staff training.
Penalties for breaches of the DPA 1998 are punitive. The ICO has the power to levy a fine of up to £500,000. Also, criminal proceedings can be pursued against firms or individuals for the unlawful obtaining or accessing of personal data.
What happens when it goes wrong - breaches and actions taken by the ICO
Where a breach of the DPA occurs (for example, sensitive data is faxed to the wrong person), then it is expected that a IG Serious Incident Requiring Investigation should be followed. The Guidance, which is provided by the HSCIC, applies to all organisations who process health, public health and adult social care personal data. The latest edition was published on 29 May 2015, and it sets out:
- The purpose behind the Guidance (with DPA requirements)
- The Duty of Care and statutory obligations
- Possible consequences of an incident
- A checklist for the process which needs to be followed – initial reporting, management, investigation and reporting of any incident.
A link to the Guidance can be found here.
The purpose of reporting is to ensure that sensitive information is dealt with appropriately, and that where any breach occurs, the relevant authorities are made aware at the earliest possible opportunity. However, even with this guidance in place, the ICO's website reveals that the health sector has by far the highest incidence of reported breaches, with the health sector accounting for 40 per cent of all breaches notified between January-March 2015 (data published by the ICO on 26 June 2015). Whilst the high level of reporting could suggest a high level of awareness of the law and guidance, it also reflects the high number of ongoing breaches of the Act. Recent examples of breaches and the enforcement action taken include:
- A fine of £325,000 being imposed on Brighton and Sussex University Hospitals NHS Trust following patient records held on hard drives being sold on an Internet auction site.
- A warning issued to Optical Express (Westfield) Limited, ordering them to stop sending nuisance texts or face further action. Consumers received unsolicited text messages offering details of a competition to win free laser eye surgery, however consumer complaints indicated that they had not given the company permission to use their details for marketing purposes.
- An undertaking given by Northumbria Healthcare NHS Foundation Trust to improve the way it handles patient information, following the Trust mistakenly faxing patient information to a member of the public. The Trust had taken action to ensure that only pre-programmed fax numbers were used, however this measure had not been adopted uniformly.
- North Tees and Hartlepool NHS Foundation Trust was ordered to review its data protection policy after a file containing sensitive patient data was found at a bus stop.
- A pharmacy in Ireland settled a claim for damages for €10,000 after a woman claimed they had acted in breach of the DPA as they allowed her husband to watch CCTV footage of her buying a pregnancy test kit.
The above examples highlight the breadth of personal data involved and the context in which the DPA can be breached. Likewise, they reveal the challenges posed when trying to keep track of all personal data handled on a daily basis within the health sector.
There are also more sinister breaches: in April 2015, the ICO launched an investigation into allegations made that firms were sharing and even selling sensitive personal data. This included the sharing of health information and pension details. When commenting upon this, Steve Eckersley, ICO Head of Enforcement, stated:
“People rightly consider information about their health to be sensitive, and in a recent survey we found that half of people consider it to be extremely sensitive. To think such information could be in the hands of unscrupulous businesses looking to profit from it sends a shiver down the spine. We’ll be looking into the claims made by these companies to consider whether there has been any breach of data protection law”.
The investigation has yet to report, however the above indicate that the ICO takes any breaches involving health information extremely seriously and is not afraid to take steps to protect individuals.
The implications of any breach are serious and the ICO has demonstrated its willingness to pursue any infractions, levying enforcement penalties whenever required. The risks associated with breaches is also to be considered: it does not only include damage to the individual subject matter, but also results in the loss of trust and reputational damage to the health professional concerned which cannot be underestimated.
What has been surprising is how easily some of the breaches could have been avoided, for example, through regular training, simple checks of correct email and fax numbers and simply not transporting papers. Where health professionals are responsible for sending information, careful attention should be paid to the obligations imposed by the DPA 1998.
Moreover, there is a copious amount of guidance available for health practitioners. In addition to the ICO guidance, the British Medical Association (BMA) also provides guidance in the handling of sensitive data (whose dedicated webpage to confidentiality issues, including publications on the handling of sensitive data, can be accessed here). It is essential that this advice is consulted whenever necessary.
Fortunately, some progress is being made. In the public health sector, recent developments for GPs include the introduction of the next phase of the electronic communication of patient records who transfer surgeries. The existing system was extremely limited in capability however the new system has been improved. This will assist with the safe transit of sensitive data.
The NHS is also currently rolling out a change to the way it stores and shares patient health records. The Care.Data project, led by the NHS and the Health and Social Care Information Centre, seeks to bring together health and social information securely. By collecting and connecting information on a national basis, this will help the health profession understand patterns and trends in diseases and public health, as well as monitor safety of drugs and treatment and develop treatments. Work on this is well underway with patient data security of utmost importance.
Ultimately, while developments are being made, the trends found by the ICO indicate that there is still a lot of work to be done in this area and it is imperative that all those involved in the health sector ensure they take the utmost care when handling patient sensitive data.
The three key points to take away are:
- Compliance with the DPA 1998 is not optional – the ICO takes any breaches of sensitive data extremely seriously.
- Ensure your staff are aware of DPA 1998, and of any requirements which this imposes on them. For example, ensure training is up to date and that staff are given frequent refreshers to avoid any breaches occurring in future.
- Use the Guidance and Toolkits which are available.
With regards to DPA 1998 issues, our team has experience of dealing with various breaches involving sensitive data (including theft of data from an office) and of dealing with issues around the sharing of data as a means of combatting fraud, allowing for the more effective development of shared patient records.