The GDPR: Key considerations for the health and social care sector
Between June and September 2017, the Information Commissioner's Office (ICO) recorded a 22% increase in incidents of data breach within the health sector, with the majority of cases due to data being faxed, posted or emailed to the wrong recipient, and paperwork being lost or stolen.
Handling and storing confidential and sensitive personal data is nothing new to organisations within the health and social care sector, but the advent of the General Data Protection Regulation (GDPR) will require a careful review of the current systems in place for processing, sharing and retaining staff and patient / client data, to ensure that they are demonstrably compliant with the new legislation.
The GDPR will apply to organisations within the EU from 25 May 2018, with the legislation being adopted into national law through the Data Protection Act 2018 at the same time. The GDPR places a greater emphasis upon the rights of data subjects and the promotion of transparency and accountability when processing personal data. The potential penalties have also increased significantly, and organisations in breach of key principles and provisions of the GDPR could incur fines of up to 4% of their global turnover or €20 million, whichever is the higher.
If they have not already done so, organisations will need to carefully review their practice and policies in the following (non-exhaustive) areas, in order to demonstrate that they have the necessary technical and organisational measures in place.
The GDPR requires data controllers to have transparent and easily accessible privacy notices, to ensure that relevant individuals ('data subjects') are made aware of the source of their personal data, the identity of the data controller, and the purpose of such data being processed.
Such notices must also confirm the legal basis ('processing condition') being relied upon under the GDPR, for example:
- Whether the data are required by law, the performance of a contract, or the data controller's 'legitimate interests';
- Whether the data subject is obliged to provide the data (and the consequences of failing to do so);
- If the processing is based on the data controller's legitimate interests, an explanation of those interests; or
- If the processing is based on consent, the right to withdraw consent at any time.
Organisations must ensure that their privacy notices are produced in clear and plain language so as to be easily accessible to data subjects, particularly where the information concerns children or where individuals might need assistance in understanding the content of the privacy notice. In those circumstances, you may consider providing information in a different form, for example through infographics, diagrams or flowcharts. It may also be appropriate to provide a summary of the key information required under the GDPR, with additional detail available via links to further documents or policies.
Legal basis for processing
This will require careful consideration, taking into account the types of data organisations process and under whose authority and responsibility the data is being processed – particularly where special categories of personal data are to be processed (including data pertaining to health). The most appropriate legal basis for processing special categories of data will depend upon the reasons for processing in each case, but with regard to special categories of data, the following are likely to be most relevant to organisations in the health and social care sector:
- Article 9(2)(b): "...for the carrying out of obligations under employment, social security or social protection law..."
- Article 9(2)(c): "...to protect the vital interests of a data subject who is physically or legally incapable of giving consent"
- Article 9(2)(h): "...for the purposes of preventative or occupational medicine...the provision of health or social care..."
The Data Protection Bill (going through Parliament at the moment) expands upon these and provides some helpful further information.
Alternatively, where these legal bases for processing cannot be satisfied, the information can be processed where the data subject has provided their "explicit consent" under Article 9(2)(a). However, organisations should be aware of the enhanced requirements as regards consent within the GDPR. Consent must be freely given, specific, informed and unambiguous, and confirmed by clear and affirmative action to signify the data subject's agreement to the processing.
Data controllers must be able to demonstrate that consent has been obtained, including how and when it was obtained, and what information was provided to individuals in order to obtain their consent. Organisations should also bear in mind that the data subject has an express right to withdraw their consent to such data being processed, at any time. It should be as easy to withdraw consent as it is to provide it.
Data controllers should carefully review their data retention policies generally, and particularly in view of data subjects' rights of erasure where, for example:
- information is no longer necessary for the purpose for which it was originally collected;
- the individual data subject withdraws consent to the processing and there is no other justification for holding that information; or
- the data subject objects to the processing of the information and there are no overriding legitimate interests for the controller to justify the on-going processing of that information.
Data subjects' rights of access to data have also been amended, now requiring data controllers to comply with subject access requests "without undue delay" and "at the latest within one month" (subject to some exceptions where the request is particularly onerous). Controllers must also provide the data subject with a copy of the personal data being processed free of charge, although further copies may be subject to an administrative fee.
Contracting with third parties
The GDPR introduces direct, express obligations upon those who are undertaking tasks on behalf of the main data controller ('data processors'). Such obligations include:
- remaining accountable for any data processing function sub-contracted out to another organisation;
- maintaining a record of processing activities;
- cooperating with the Information Commissioner's Office ('ICO');
- ensuring that appropriate technical security measures are in place; and
- notifying the data controller of any data breach.
Organisations within the health and social care sector may share data between them for various reasons, often in order to provide individual data subjects with services. Where care and / or accommodation is arranged and funded by local authorities and NHS Clinical Commissioning Groups, for example, personal data is likely to be shared with private care providers and / or landlords, to enable them to provide individual patients or tenants with an appropriate level of care, and to work with other statutory agencies and third parties in order to ensure a coordinated approach.
It is important in this context that the roles and respective obligations of the organisations acting as data controller and data processor are explained, in some detail, in a contract between the parties. The contract should ensure that data processors:
- act only in accordance with the instructions they receive from the data controller;
- have relevant security and confidentiality measures in place to protect the personal data; and
- assist the controller in complying with their obligations under the legislation.
Liability should also be defined and apportioned appropriately within the contract. Data processors can also be subject to fines under the GDPR, which had not been the case under the previous legislation. However, data controllers are obliged to exercise a duty of care when entering into data arrangements with data processors, and to ensure that the processor has provided them with sufficient guarantees as to their ability to comply with the new legislation. The complexity of such agreements will depend to some extent upon the nature and volume of the data being processed.
Data Protection Officers ('DPOs')
Where organisations are likely to be engaged in the processing of special categories of personal data (or 'sensitive' data) on a large scale, a designated Data Protection Officer must also be appointed. A DPO must be an internal and external contact point within the organisation for all data protection issues, assisting the organisation in remaining compliant, providing advice to the organisation, and liaising where necessary with data subjects and the ICO. Many organisations do not have the resources to appoint a dedicated DPO, but where an individual will be carrying out the role of DPO alongside other duties, you must ensure that there is no conflict of interests between their DPO role and responsibilities and those of any other role they perform: they must be able to provide conflict-free and independent advice to the organisation on decisions being made about the way that individuals' personal data is used.
In addition, DPOs will need to be involved in undertaking Privacy Impact Assessments ('PIAs'), which must be run on any 'high risk' processing activity before it is carried out. The purpose of PIAs is to ensure that any risks associated with the proposed activity are mitigated and dealt with at the outset, so that individuals are protected and any appropriate safeguards and security measures are put in place to minimise the risk to data.
Organisations should prepare for compliance with the GDPR in a way that is tailored to their specific systems and operational requirements. This includes ensuring that personnel at all levels are aware of any amendments to data protection practices and policies and that they are trained and equipped to effectively implement them.