It is becoming increasingly risky to be an amateur in the handling of personal data. New changes that come into force with the introduction of the GDPR on 25 May 2018 will impact on those operating in the health and social care sectors. The UK’s decision to leave the EU will not affect the commencement of the GDPR.
One of the key points of this new legislative framework is that professionals within the health sector must comply with a higher standard of protection for the processing of health data with the aim being to protect patients’ privacy and fundamental rights.
The GDPR is more extensive in scope and application than duties imposed under the Data Protection Act 1998 (DPA). The GDPR applies to "controllers" and "processors". The definitions are broadly the same as under the DPA. The controller says how and why personal data is processed and the processor acts on the controller’s behalf.
Changes to be introduced extend the data rights of individuals making it necessary for organisations to introduce clear policies and procedures to protect personal data and put into practice appropriate technical and organisational measures.
Key changes introduced by the GDPR:
- GDPR applies to the processing of personal data by controllers or processors in the EU regardless of whether or not the processing takes places inside the EU or not. It also applies to the processing of personal data of data subjects in the EU by a controller or processors not established in the EU where goods and services are offered to EU citizens. Businesses outside the EU still have to comply.
- Definition of personal data is broader.
- GDPR applies to electronically held personal data and manual filing systems where personal data is accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data. Further, personal data which has been pseudonymised can also fall within the scope for the GDPR depending on how easy it is to identify the pseudonym
- The conditions regarding processing data has changed. There is a requirement to advise on what basis you are storing data.
- For processing to be lawful under the GDPR, you need to identify a lawful basis before you can process personal data. These are often referred to as the "conditions for processing" under the DPA. One of the conditions is the consent of the data subject. There are others.
- The rules for obtaining valid consent have been changed. The request for consent must be given in an intelligible, non-legalese and easily accessible form and the purpose for the data processing must accompany the consent. The consent must be clear and in plain language, intelligible and easily accessible. Withdrawal of consent must be made easy. If consent is in respect of a child aged under 16, then it must be given by someone with parental responsibility.
- Certain companies must appoint a data protection officer (DPO) where its core processing activities require regular and systematic monitoring of individuals on a large scale or where its core activities consist of the processing of sensitive data on a large scale. This could therefore extend to a wide range of organisations within the health industry eg, providers, pharmaceuticals, biotech companies and technology companies.
- Mandatory data protection impact assessments have been introduced where proposed data processing is likely to result in a high risk to the rights and freedoms of individuals.
Sanctions for data breaches
- There are new requirements for data breach notifications and a duty imposed on all organisations to report certain types of data breach to the relevant supervisory authority, and in some cases to the individuals affected.
- This must be done within 72 hours of having first been made aware of the breach.
- A personal data breach is more than simply losing personal data. It means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
- The duty of notification to the relevant supervisory authority arises where the breach is likely to result in a risk to the rights and freedoms of individuals.
- In the event of a failure to notify a breach the fines can be substantial, particularly for corporate organisations. There is a tiered approach to fines. The maximum fine imposed for the most serious infringements e.g. having insufficient consent for the processing of data, is up to 4 per cent of annual turnover or £20 million, whichever is greater.
- It should also be noted that the GDPR makes it considerably easier for individuals to bring private claims against data controllers and processors.
Parents as data subjects
Patients as data subjects have the right to:
- Know the specific purpose for which information is collected/used
- Access or change/update their information free of charge
- Obtain the correction of any inaccurate info about their health
- Object to the processing of their health data in certain cases
- Have data removed about their health from the file in certain cases
Special categories of data
The GDPR treats health data as a "special category" of personal data which is considered to be sensitive by its nature. Processing of data is prohibited unless:
- The patient’s explicit consent is obtained; freely given, specific, informed, unambiguous. Onus is on the controller to demonstrate consent was given. Consent forms should be carefully worded using clear and plain language.
- It is for preventative or occupational medicine, medical diagnosis, provision of health and social care or treatment, it is for management of health or social care systems and services, under a contract with a health professional or another person subject to professional secrecy under law.
- It is necessary and in the public interest. To protect citizens, it may be necessary to communicate sensitive health data to certain authorities. For example, tracing contacts of an infected person to prevent the spreading of a contagious disease.
- It is for scientific, historical research or statistical purposes.
Health providers should ensure that personal data is used for legitimate health related purposes only. There are concerns that large organisations may use the personal data for other purposes such as profiling and marketing. Providers should define a clear and legitimate purpose to guard against the misuse of an individuals’ data.
Every independent health care professional or health care service provider must take appropriate measures to ensure that a patient’s personal data is secure. Given the tight timeframe to notify breaches, an effective internal breach reporting procedure needs to be in place to ensure a decision can be made about whether there is a need to notify the relevant supervisory authority or the public. Ways to secure data include: ensuring private logins/passwords are used, installing firewall updates and anti-virus software. There must be a system in place for reporting data breaches. The obligation to notify affected individuals applies only where the breach could result in a high risk to that individual.
All those working within the health sector must review existing policies, procedures and practices to ensure compliance.