Employee data protection matters

Claire Williams discusses the importance of data governance and legal compliance in the healthcare industry, particularly in relation to employee data.

What are the top concerns of healthcare employers when it comes to employee data, and how have these concerns evolved in recent years?

The number of employees working in the sector and the regulatory frameworks surrounding healthcare provision mean that providers create, share, and retain vast amounts of data relating to their employees. Much of that processing occurs in a structured and well-planned manner, but there are various touchpoints where significant issues regarding employee data can arise. As individuals’ awareness of their rights has increased over the past five years, employers have seen a notable uptick in the exercise of data subject rights – most notably the right to subject access – as well as litigation relating to personal data breaches. A further concern is the extent to which personal data can be analysed, both manually and via machines, to improve services offered, identify inefficiencies, and assess employee performance.

It is now common practice in any employee dispute for one or more employees to lodge a data subject access request to find out what is being said about them and to whom. Employee data is combined in many records with patient data, meaning that providers must be cognisant of both the UK GDPR and wider information protection principles when formulating a response. In the absence of well-trained information governance staff following defined protocols, the cost of processing such requests can quickly become unreasonable. Responding to a request without a clear process diverts funds and other resources away from front-line healthcare provision, while poor execution of the required review and redaction process brings with it litigation, regulatory, reputational, and other risks.

Data governance within healthcare is often, rightly, focused on patient data. But the level of protection in place for patient data means that it is not usually the main source of liability for a provider. That crown goes to employee data! The loss or misapplication of employee data can cause serious harm to individual employees and to company relationships and cultures, which has a knock-on reputational effect that can hit profits. Unnecessary disclosure of one employee’s data to another employee who has put in a subject access request can trigger an avalanche of grievance, disciplinary and other processes which impede operations and can be costly. Employees have a variety of options if they want to litigate following inappropriate use of their data, plus the ability to raise the issue with the Information Commissioner’s Office – a regulator which has recently chosen to increase its use of public reprimands and so appears more likely to pursue examples of bad governance.

Have you seen an increase in the demand for legal advice on investigations for discipline and grievance in healthcare organisations? If so, what are the key drivers behind this trend?

Yes. Internal investigations can be reasonably self-contained processes, with appropriate managers conducting the process supported by the HR team. Over time, both knowledge of employee rights and levels of distrust vis-à-vis employers have increased, meaning that those subject to or initiating such processes seek out opportunities to derail or challenge them. To ensure fairness, independent decision-making, and minimise potential for both the processes and outcomes to be challenged, it is increasingly common for investigations to be outsourced to experienced individuals. While engaging specialists can reduce some risks, it does bring with it complications from a data perspective – most of which need to be recognised and addressed at the outset.

What are some common mistakes that healthcare employers make when dealing with investigations for discipline and grievance, and how can these be avoided? What are the financial/reputational costs and some best practices for handling evidence in these situations?

When following these processes and when appointing an investigator, employers need to make sure the basis upon which they are collecting information is clear, with whom personal data will and can be shared, and for how long it will be retained. One serious but common error is a failure to prepare terms of reference for the investigation, as without written parameters we often see so-called ‘mission creep’. Data governance requires that details of any intended processing of personal data should be made clear to all participants before the data is collected so that individuals have a real understanding of what is proposed and so that they can challenge any misuse of data. Preparing proper terms of reference is needed to enable decisions on data governance to be made and activities such as updating privacy notices to begin. A failure to provide the information increases litigation and regulatory risk, as well as increasing the potential for the relevant employee process to be challenged.

If an external investigator is to be retained, employers must be clear as to whether the investigator is acting as a data controller or a processor. For the latter, a formal data processing agreement must be entered into, so that responsibilities for issues such as handling data rights requests and breaches are clear. Ancillary issues also need to be agreed with the investigator, such as whether and to what extent confidentiality can be offered. Failure to agree on these points in advance can mean that in addition to claims by individuals, an employer may find that they become embroiled in conflict with the investigator.

Employees involved in discipline and grievance processes increasingly use failures to comply with data governance requirements to cast doubt on the validity of those processes and their outcomes. Using information rights to seek access to reports and evidence is common, with a risk that disclosed information will be spread widely including to the media, so unless there is good reason to act otherwise, robust use of exemptions to disclosure is best. Where mistakes are publicised, the impact on a healthcare provider can be difficult to manage. Errors relating to employee data can cause dissatisfaction and concern amongst patients. 

Can you provide a brief overview of the current legislation and case law related to data use in disciplinary and grievance procedures in the healthcare industry? Are there any upcoming changes that healthcare employers should be aware of?

The use of employee data is mainly governed by the UK General Data Protection Act and the Data Protection Act 2018. To the extent that employee data contains or is presented alongside patient data, which should be minimised, employers need to be aware of accepted data-sharing principles within the sector, the Caldicott Principles and medical confidentiality. If monitoring of an employee is involved, a business may need to consider the provisions of other legislation, including the Investigatory Powers Act 2016 and related regulations. Legal advice is often needed to ensure compliance with the myriad rules, to avoid reputation damage and potential claims.

All processing needs to be lawful and fair, and employers must be transparent regarding what they intend to do with the data that they have collected. It’s important to consider at the outset of an investigation with whom the ultimate report might need to be shared. Not only will this sort of planning mean that transparency requirements are covered off, but it also means that investigators will be aware of potential audiences and can tailor the wording that they use with those audiences in mind. The confidentiality of employment investigations is not absolute. Internal reports, including standards investigations, may be disclosable to the other side in advance of proposed litigation – such as in Dixon v North Bristol NHS Trust [2022].

As regards the disclosure of disciplinary and grievance materials in response to a subject access request, there have been some cases recently which challenge exemptions available under the Data Protection Act 2018. While the specific cases related to an immigration exemption, the judgments set out conditions that must be met for exemptions to be available, and it remains to be seen what impact those cases will have on the availability of other exemptions.

How can employers ensure that their employees are adequately trained on data protection policies and procedures, and what are some effective strategies for promoting a culture of data protection?

There are many options for both staff training and for developing a wider culture in which personal data is recognised and protected. While they need to be properly planned and scheduled, many of the options can be achieved with minimal outlay. Employees who handle personal data must undergo appropriate data protection training at least every two years – though annual training is preferable. The level of detail needed for the training depends on an employee’s role, so a layered training programme is usually best. The Board of Directors and other senior management should be reasonably well-versed in data protection, given it pervades almost all areas within a business, whereas many support staff need only a limited level of detail. 

Concurrently, a positive data protection culture can be developed through methods as simple as poster campaigns, internal notices, and competitions. Given the impact that a data breach or errors in data governance can have in the healthcare sector, efforts to promote data protection must be well planned, with support for good data protection practices being demonstrated by all leaders. The best awareness campaigns have included stories that employees can relate to, and – being mindful that people respond well to a good-natured competition – competitions such as those to spot and report test phishing emails, or to identify intruders into office spaces. Occasional, ‘ad hoc’ messaging may be needed as well – this often occurs immediately following a complaint or a data incident – to remind staff of their obligations. Developing a culture is not a ‘one and done’ task so, rather than opting for a large but infrequent investment in raising awareness, organisations often find that a series of inexpensive efforts spread out over time will reap the best results.

Looking ahead, what do you see as the biggest challenges and opportunities related to employee data protection in the healthcare industry? How can healthcare employers stay ahead of these trends?

As technology develops, providers will have to engage with a wide range of legislation covering employee monitoring and the automation of processes involving personnel. It’s an exciting time, as the technologies available are changing incredibly swiftly and can perform complex analyses that simply have not been possible before. Technology will increase efficiencies and, if properly used, will allow employers to optimise their training programmes, services, and processes. However, current legislation can be ill-adapted to handle new ways of working – meaning that implementing new ways of working also means increasing uncertainty and risk. Employers will be best able to benefit from these new technologies where they take the time to really understand them and ‘get under the hood’ of what is on offer. Not only will that mean they don’t waste funds on unsuitable products, but it also means they can properly check for data protection issues, complete required actions such as Data Protection Impact Assessments, and work out solutions before issues arise.

This article was originally published in HealthInvestor UK on 5 May 2023.
