Global Digital Exemplars – Data protection
As a GDE or Fast Follower you will undoubtedly be looking to digitise data which has not previously been held in electronic form. You may also be migrating electronic records to new systems, or joining up or sharing data sets for the first time. All of these activities ring alarm bells for Information Governance specialists, whose immediate concern will be – can this be done within the law?
If you have anything to do with data or systems, it probably won’t have escaped you that there is a new data protection law coming into force in May next year – the General Data Protection Regulation or ‘GDPR’ as it is commonly referred to. This is heralded by many who work outside the NHS as a game changer, bringing much more stringent regulation to our everyday use of personal data.
However, those who work in the field of information governance will be aware that all too often data protection law will be cited as the reason why something can’t be done. In reality the problem is not usually the data protection laws, but that the proposed use of data is contrary to the NHS’s internal information governance rules. Those rules go beyond current data protection legislation, and even with the arrival of the GDPR, those who are used to complying with NHS information governance rules will find its implementation far less radical than those operating in a non-NHS environment.
But what are the key things to remember as you embark on your digital transformation project? It is important to bear in mind that the laws governing data protection are much less concerned with the medium by which personal data is held (for example in paper or electronic form) and are much more focussed on how that data is used and protected, and how data subjects’ rights are respected. The GDPR does not dictate the form in which personal data should be held, but sets the standards and rights that apply to that information.
The advent of the GDPR provides a key opportunity for healthcare providers to review how they store and protect records. Fears of hacking of digital records can and must be addressed by ensuring the right security measures are in place and maintained, but this does not mean that paper records are in any way ‘safer’ than digital records – one aspect of maintaining data security under the GDPR is ensuring the integrity and availability of data services, and being able to show that these standards are being met. Digital records provide an opportunity to streamline the steps needed to ensure GDPR compliance, and with changes such as the abolition of subject access fees, finding the most cost-effective way to store and share records will be a priority.
Digital records also provide a much greater opportunity for information sharing than previously possible – with access to information within and across organisations being much easier than before. Balancing the increased opportunities to share and access information against the need to maintain NHS information governance principles will require care and practical advice – many of the benefits of digital records will be lost if organisations become too fearful of regulatory action to share data where it needs to be shared, while a failure to limit sharing in accordance with patients’ expectations could be equally damaging.
We regularly advise NHS clients on the interface between data protection and NHS information governance obligations, and provide practical help and solutions to overcome perceived obstacles to valuable projects. Digital records also provide opportunities for research that are simply not practicable in paper records and we can advise on how such projects can work without infringing data protection law or NHS information governance rules.