As the custodian of millions of electronic patient records and other patient data, the NHS treats data protection and confidentiality as matters of prime importance. With data protection law about to change with the introduction of GDPR, time is running out to make sure that your practice is compliant. The Information Governance Alliance has created a checklist of implementation steps that includes:
- Establishing accountability
- Keeping records of data processing activities
- Having policies and controls in place to ensure activities comply
- Appointing a dedicated Data Protection Officer
- Documenting the legal basis for each data process activity
- Ensuring that consent requirements are met
- Putting in place transparency measures, such as privacy notices, to meet the requirements
- Managing children’s rights where applicable
- Supporting individuals’ rights, such as erasure of records and corrections
- Implementing processes to provide individuals with free access to their data on request
- Establishing processes for monitoring and reporting personal data breaches
GDPR is coming – what is it?
The GDPR – or General Data Protection Regulation – will replace the current legislation governing data practices in the UK, the Data Protection Act 1998. It applies automatically in all EU member states, and although the UK is set to leave the EU next year, it will remain in force during any transition period, and organisations handling the data of EU residents will still need to comply even after that period. The UK Government has also unveiled a Data Protection Bill which, for the most part, carries the same requirements as GDPR into UK law.
Intended to make data protection laws fit for our digital age and to unify them across the EU, GDPR gives individuals greater control over how their data is used, while increasing penalties for organisations that breach the new rules or lose control of data. The most notable changes under GDPR will be:
- Individuals will have easier access to the data held on them by organisations, free of charge and within one month
- Organisations must keep records of why they are collecting and processing people’s data, how long it is being held and how it will be protected. The exemption for organisations with fewer than 250 employees does not apply where special category data such as health records is processed, so practices of any size must keep these records
- Public authorities, and organisations processing sensitive personal data on a large scale, must appoint a data protection officer
- Where consent is relied on as the basis for using personal data, it must be obtained via a positive opt-in; pre-ticked boxes and inactivity do not count. Note that consent is only one of several lawful bases, and for most healthcare processing it is not the appropriate one
- Substantial fines for misuse of data and security breaches, up to €20 million or 4% of global annual turnover, whichever is higher
GDPR applies to both ‘controllers’ and ‘processors’ of data. It is particularly important for the healthcare sector, because much of the data gathered – such as patient records – falls under the category of ‘sensitive personal data’ (‘special category data’ in GDPR terms). This category of data is subject to special rules under the new regime (Article 9(2)) and can be processed only where one of the Article 9(2) conditions applies. The most relevant for healthcare are:
- ‘explicit consent’ has been given
- processing is necessary for medical purposes and the provision of health or social care
- processing is necessary for reasons of public interest in the area of public health
Confidentiality in health and social care is already of paramount importance, so GDPR compliance in the NHS should not be a major concern provided the necessary steps are followed and the existing practice is properly documented.
What you need to do, and by when
The GDPR applies from 25 May 2018, so you need to make sure that your data protection policies and activities are in order by then.
Because information governance in the NHS is so important, the health service is taking a robust approach to GDPR compliance. NHS Digital has published guidance that outlines the overall strategy of NHS data protection compliance. This has been split into four stages – discovery, transition, education and assurance.
The following checklist may help small practices to prepare themselves for the introduction of GDPR, and wider NHS data protection issues:
- Appoint a data protection officer (DPO) – all practices and trusts must appoint a DPO
- Assess current patient record systems for compliance with the existing Data Protection Act 1998, and take action on any gaps
- Perform a comprehensive analysis of the impact of GDPR on current services
- Introduce a comprehensive electronic information asset register
- Document the legal basis for processing different types of patient data
- Make changes to current working practices to ensure compliance, for example in how subject access requests from patients are handled
- Familiarise yourself with the consequences of non-compliance, such as fines and enforcement action
- Educate and inform medical and non-medical staff at all levels of the requirements and risks of GDPR. Make sure that everyone is aware of their own responsibilities and the practice’s as a whole
- Conduct a regular audit programme of information assets
- Have in place robust breach reporting processes, including notification of the ICO within 72 hours of becoming aware of a reportable breach, and identify and test incident response plans
- Ensure that you are able to provide patients with charge-free access to their personal data upon request in a timely fashion (within one month)
Robust software solutions for the new GDPR regime
As well as having solid compliance processes in place, using software solutions that are secure is essential to prevent data breaches. Nowhere is this more important than in patient records. All Dragon Medical solutions have a range of data protection and security features built in, not bolted on, including encryption of voice files, real-time streaming of audio to secure cloud servers for our hosted solutions, and compliance with industry and NHS standards and frameworks for data protection, privacy and compliance.