GDPR – How it affects health and social care businesses

Keeping confidential information about staff and patients secure is a responsibility businesses operating in the health and social care sectors have taken seriously for a long time.

But the requirements are about to increase. From May 2018, organisations will need to comply with the General Data Protection Regulation (GDPR), an EU regulation.

This has similarities with the existing UK Data Protection Act, but does extend requirements in some areas. The obligation to provide information to data subjects has been enhanced. The need for data controllers to undertake due diligence on their data processers, including the mandatory terms to be included in the contracts with processors, is much more prescriptive. There is a need to ensure that data privacy is built in to all activities requiring the use of personal data. Mandatory reporting of information breaches is now a requirement for all data controllers, with a maximum 72 hour time limit.

The maximum fines for data breaches will be increased significantly – the current limit is extended from £500,000 to €20,000,000 or 4% of global turnover. It is likely that subject access fees will be abolished so health and social care organisations must ensure that they are able to deal with the possibility of an increased number of requests, while at the same time coping with the shortfall in income from this process.

The new law means boards and senior management will need to make changes in processes and procedures, appoint people to new roles, and weigh up the impact on some of the organisation’s activities, such as contracting.

Key questions for your organisation

1. How will our lives change with GDPR?

• You may need to appoint a Data Protection Officer (DPO) if your core activities involve large scale processing of special categories of data e.g. medical information, or if you are a public authority (e.g. an NHS organisation or local authority). Their role is to inform, advise and monitor compliance and this must report to the highest level of management. You will have to be in a position to demonstrate compliance with Accountability Principles. This means you will need to keep detailed records that may need to be presented to the regulator on request; building in evidence of your data protection compliance throughout your processes and implementing appropriate technical/organisational measures to ensure and demonstrate compliance – i.e. policies and procedures. Organisations subject to the NHS IG Toolkit will be well on the way to compliance with these requirements.
• Data protection by design is now a legal requirement rather than a matter of good practice so information governance advice must be obtained when developing plans for the use of data, rather than be a matter for final sign-off once a project has been fully developed. This is of crucial importance if you are developing healthtech products, including apps, which rely upon using data derived from health records for research and development, as there are strict rules about how such data can be used.

2. Do people have to consent to everything we do with their data?

• Not necessarily. Consent is only one of the potential justifications for the use of personal data. Others, including legitimate interests, or performance of a public task, and health and social care purposes are still recognised. For a health or social care provider, it is unlikely that consent will be the appropriate justification for the processing of personal data.
• However, individuals rights will increase under the GDPR and even if you are not relying on consent as your lawful basis for processing you still need to ensure you are transparent about how data is used and shared. There is a much greater emphasis on proactively informing individuals about how their data will be used.
• Data must only be used for the purposes for which the individual has been informed.
• There is an absolute right to object to the use of personal data for direct marketing.

3. Opt in or opt out: what’s the position?

• If you do rely on consent to justify your processing, opt in is now the only way forward. Consent must be freely given. Silence, pre-ticked boxes on forms or inactivity is not acceptable. An individual must give a statement of clear affirmative action.

4. What could happen if we get it wrong?

• You could be inspected by the ICO.
• You could be fined. Maximum fines of €20m or 4% of turnover.
• You could suffer significant reputational damage. The ICO has already taken enforcement action for unfair data processing.

What should we do next?

• Check out key documents like consent forms to ensure compatibility with your stated privacy policy.
• Make sure any contracts with data processors are compliant by including the mandatory terms.
• Make sure your privacy policy is transparent and fit for purpose.
• Make sure you put in place robust governance and security processes internally to ensure compliance.

How Hempsons can help

• Provide training for your board and management teams – topics covered include common myths and understandings about GDPR, what is actually changing and risks to your organisation and how to mitigate them.
• Review and update your Privacy Policy and any other documents referring to use of personal data (e.g. terms of use, consent forms)
• Review and update your contracts with data processors to ensure all mandatory terms are included
• Review and update your contracts for transfer of data to third party countries
• Provide advice on your governance systems including requirements for a Data Protection Officer
• Provide advice and guidance on the specific rules and controls governing the use of healthcare data for research and development work, including how to structure your project to comply with these rules.