Data protection – your obligations as a practice owner
If you handle and process personal information about individuals, you have a legal obligation under the Data Protection Act 1998 (“the Act”) to protect that information.
The Data Protection Act requires that those who record, use and process personal information must be open about how that information is used and must also follow the eight principles of “good information handling”, which govern how data can be used. These apply to all private practices.
The definition of “processing” is very wide and will essentially catch almost everything that is done with personal information which exists, whether in paper or electronic format. It can mean obtaining, recording or holding the data.
The “information” regarded as personal data is that relating to any living individual who can be identified from that information. This will be significant for a private practice or consultant as they will hold personal information on both their patients and employees. The individuals concerned are known as “data subjects”.
A private practice owner or consultant will be the “data controller” within the meaning of the Act, and will be responsible for implementing the requirements arising under it. These include the requirements to process data fairly and lawfully, informing data subjects how their information will be used and ensuring that their information is not used in any manner not compatible with this. The data controller is also responsible for allowing data subjects access to the information held about them. In addition, the Act imposes other responsibilities to ensure that the data collected is adequate, accurate and up to date and is kept securely.
When selling a private practice, concern can arise in trying to weigh up the competing demands of compliance with the Act and compliance with other regulations. A common query amongst practice owners who employ staff is how they can comply with their obligations under the Transfer of Undertakings (Protection of Employees) Regulations 2006 (“TUPE”) whilst also complying with the provisions of the Act – and in particular keeping information secure and confidential. However, the Act allows employers to disclose the information as required by law – and the TUPE Regulations make it clear that disclosure is required. Nevertheless, when handling such personal information, both the buyer and seller must take care to comply with the Act. For example, steps should be taken to ensure the information supplied is accurate, up to date and secure. And a buyer may use the information only for the purposes of TUPE.
The Act also requires data controllers to register with the Information Commissioner’s Office (“ICO”), which is the authority responsible for regulating data protection. Failure to register is a criminal offence (unless you are exempt from doing so). When conducting their due diligence of the practice, a buyer should obtain confirmation from the seller of their registration with the ICO.
A breach of a data controller’s responsibilities under the Act can lead to the imposition of a financial penalty of up to £500,000. A significant breach of confidence will also be a breach of the obligation to keep personal data secure, and may lead to a penalty substantially higher than civil damages that might be payable to the victim. The need to keep personal data secure is of prime importance – almost all of the financial penalties imposed to date relate to failures in the arena of data security – and so practices should ensure not only the physical security of paper records but also ensure they have adequate electronic protection, especially in relation to items that would make tempting targets for criminals, such as laptops and other mobile devices.
Compliance with the Act is a priority for every practice owner – so be aware of your obligations, as a breach of them, together with the ICO’s enforcement action for breach, will severely impact the practice’s ability to carry out its day-to-day business.
The law relating to the protection of personal data will change in May 2018, when the European General Data Protection Directive comes into effect. This will increase the obligations placed on data controllers, including mandatory reporting of some information security breaches and greatly increased penalties for breaches of the data protection principles.
With so much at stake if you get it wrong, it is essential to keep abreast of the various changes afoot and of the way in which they could impact upon your business – so if in doubt, take advice!