Health start-ups: Online healthcare businesses – the data protection issues

The way services are accessed has been transformed by the changes in technology over the past decade and these developments present exciting opportunities for transforming how healthcare can be delivered however, when seeking to develop new opportunities, it is essential to have a clear understanding on the law governing the use of data and ensure that these considerations are incorporated into any project from the outset.

The Information Commissioner (“ICO”), the UK Regulator for matters of data protection refers to this as “privacy by design”.  There can be few things more frustrating than realising a project has to be reworked because data protection considerations were not built into the development of the project.  Chris Alderson, a partner and information law specialist at Hempsons Solicitors addresses the information governance issues all online healthcare businesses should be aware of.

The current law governing the use of personal data in the UK is the Data Protection Act 1998 (“DPA”).  The law will change on 25 May 2018 when the European General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) will come into effect.  Irrespective of the form of any of Brexit, the UK government has made it clear that UK law will align with European law on this issue.  Some matters that are currently recommendations of good practice, for example “privacy by design”, will become legal requirements.

Privacy and data security

Any healthcare business will be aware that ensuring confidentiality and the security of data is an essential requirement to operate in the field.  The 7th Data Protection Principle in the DPA states “appropriate technical and organisational measures shall be taken against unauthorised or unlawful process of personal data and against accidental loss or destruction of, or damage to persona data.”  There is supplementary guidance within Schedule 1 of the Act including:-

  • The level of security must be appropriate to the harm that could result from the breach of security and the nature of the data to be protected.

Given the nature of healthcare businesses and the potential harm that could result from misuse of health records data controllers will need to demonstrate a high level of security, and healthcare businesses will need to keep themselves up to date as to the industry standard guidance for security levels appropriate to healthcare data.

  • The data controller must gain reasonable assurance then employees with access to the data are reliable.

Businesses in the area will need to undertaken due diligence checks on its staff with access to healthcare data.

  • Where processing is undertaken by a subcontractor the data controller must choose a subcontractor who offers sufficient guarantees regarding security and must take reasonable steps to ensure compliance with this.
  • Where the data controller is contracting out data processing activities it is necessary for processing to be carried out under a contract made or evidenced in writing under with the data processor can only act on instruction from the data controller and the data processor is placed under equivalent security obligations to those that apply to the Data controller.

When a data controller is contracting some of its data processing activities to a data processor it is essential that there is appropriate due diligence of the data processor’s suitability to be undertaking the task in question, and  data controllers must ensure that there is appropriate evidence in this, and the position is reflected in a contract with the data processor.

A striking recent example the consequences of not doing this properly is provided by the monetary penalty imposed by the ICO on HCA International Limited (23 February 2017).

The data controller owns private hospitals.  One of the services it provides is IVF treatment.  From 2009 onwards one of the hospitals in its group routinely sent unencrypted audio recordings of private consultations between doctors and patients wishing to undergo IVF treatment.  These recordings were sent by email to a data processor in India to be transcribed.  The data processor used an unsecured server to store the recordings and send the transcripts back to the hospital.  The server did not have an authentication process to control access to the transcripts.  In 2015 a patient informed the hospital that transcripts of consultations were accessible via an internet search.  The controller took immediate steps to remedy the problem and reported itself to the ICO.

The ICO investigated and found a number of failings by the controller in ensuring the security of personal data.  In particular:-

  • the emailing of the recordings to the data processor was unencrypted;
  • the controller had no guarantee that the processor would use a secure server to store the recordings and send transcripts to the hospital;
  • the controller had no guarantee that the processor would erase the recordings after they had been transcribed;
  • the controller failed to monitor the data processor in relation to any security measures taken and did not have a DPA compliant contract with the processor in relation to the processing.

Bearing in mind the sensitivity of the data (the consultations related to fertility problems requiring discussion of the most intimate aspects of the patients’ lives), the ICO was satisfied that the failure to secure the data was likely to cause data subjects substantial distress.  The ICO also found that the controller should have been aware of the risk, bearing in mind that its policies of its UK hospitals required encryption of emails and a secure service to be used.  The ICO considered that the controller should have sent the recordings in an encrypted format, should have ensured that the processor would use an appropriately secure server to store the recordings and send the transcripts to the hospital, should have secured a guarantee that recordings should be erased after they were transcribed and should have monitored the data processor in relation to the security measures taken by him and should have had a DPA compliant contract in place.

Despite the controller being able to demonstrate significant mitigating factors, including a voluntary report to the ICO, full cooperation with the ICO’s investigation and substantial remedial action (and in addition to the significant impact on the controller’s reputation that had already occurred, the ICO imposed a penalty of £200,000.

While the maximum penalty for breaches of the DPA is currently £500,000, once the GDPR comes into force, the maximum penalty for a data protection breach will be €20,000,000 or 4% of global turnover, whichever is the higher.  It should also be noted that while reporting data protection breaches to the regulator is currently voluntary, under the GDPR reporting is mandatory unless the breach is of a nature where risk to the rights of individuals is unlikely.

The power to use personal data

The DPA requires certain conditions to be met before personal data can be used, and in the case of sensitive personal data (which includes health data) there are further conditions that need to be satisfied.

In the case of personal data the conditions include:

  • The consent of the data subject
  • Processing necessary for the performance of a contract with the data subject (or taking steps at the request of the data subject with a view to entering into a contract
  • Processing necessary for the legitimate interests of the data controller or those to whom the data are disclosed, except where this is unwarranted in light of the data subject’s interests.

For sensitive personal data the justifications include:

  • The explicit consent of the data subject
  • Processing necessary for medical purposes undertaken by persons under an obligation of confidence equivalent to that owed by health professionals.

For a business supplying healthcare services under a contract, the consent of the patient may seem an attractive option.  However, it must be borne in mind that consent once given can be revoked and if consent is used as the justification for processing, the business model must be able to cope with the immediate cessation of data processing in the event consent is withdrawn.  In practice, while consent will be an important part of ensuring that the usage of data is fair and transparent, it is unlikely to be as useful as a justification for the processing undertaken.

Under the GDPR, the justifications for processing data will be similar, but the requirements to be able to demonstrate consent will be much more stringent.

Aside from the need to satisfy the conditions for processing, data controllers are under an obligation to ensure that processing is fair and lawful and appropriate information is given to data subjects as to how their data is to be used.  This is commonly in the form of a subject information notice, sometimes called a privacy notice.  Such notices should demonstrate transparency as to how the data is used, to ensure that there are no surprises to the data subject as to how their data is to be used and shared.  Data controllers will be expected to explain, in straightforward language what data relating to the data subject will be collected, how it will be used, the purposes for which it will be used and how their data may be shared.

If a business providing healthcare services is proposing to use the data it collects for purposes other than the direct delivery of the agreed service to the patient.  Any secondary uses of the data should be clearly explained and the data subject should be given the opportunity to opt out of secondary uses.  For example, if the data controller intends to to undertake additional analysis of data unconnected with their care, then it will be necessary to either obtain the patient’s consent to this use of their data, or to ensure that any such analysis is undertaken on effectively anonymised data.

Again, under the GDPR the requirements as to the information to be given to data subjects will be more extensive.

If it is anticipated that the online healthcare service is to link in to a patient’s NHS services directly, it is important to be aware that the NHS has its own internal information governance rules and requirements for linkage with external service providers.  If this is a planned function of the service then it is important to ensure that the service is designed with the NHS requirements in mind.  Early liaison with NHS Digital, which has responsibility for providing the NHS with information governance guidance will ensure that the plans for a service are realistic and compliant, enabling any necessary link up with NHS services.

International transfers of data

When planning an online healthcare service, it is important to ensure that there is a clear understanding where data will be processed and stored.  In this context it is important to bear in mind where personal data may be accessed – if patient data is stored on a server within the UK but technical support is supplied via remote access by a technician based in the USA, the fact that the data can be accessed in the USA means that that element of processing involves an export of personal data to the USA.

The 8th Data Protection Principle prohibits the transfer of personal data outside the European Economic Area unless the recipient is in a country or territory that ensures an adequate level of protection to data subjects in relation to the processing of personal data.  There are certain exceptions to this prohibition.

  • The first is that the European Commission has made a decision that the receiving country has an adequate level of protections for personal data.  However, at present the list is limited to a very small number of countries (Andorra, Argentina, Canada, Faro Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland, Uruguay).
  • Another exception is the recipient participates in the scheme recognised by the European Commission as providing an appropriate level of protection.  In the USA the “Safe Harbor” scheme was formerly recognised as providing appropriate protection, but following a European Court of Justice decision in 2015, it was found that the Safe Harbor scheme was not providing adequate protection.  The Safe Harbor scheme has now been replaced by the Privacy Shield scheme.
  • If the recipient is outside the list of recognised countries and is not a member of the Privacy Shield scheme, then the main method of ensuring appropriate protection for personal data exported outside the EEA is the adoption of the EC model contract clauses governing the processing of such data.  These are template contract terms governing the use of data and the rights of data subjects in relation to that data.  These clauses must be incorporated in any contract the data controller serves with the recipient data overseas in order to provide appropriate protection.
  • It is possible for an organisation to have its own internal rules and arrangements recognised by the European Commission as providing appropriate protection, as recently occurred with Google Cloud.  However, for smaller operations, this may not be feasible.

Steps to a successful online healthcare service

  • At the outset, map your data flows.  Identify what information you will need to collect and process and where it is intended that data will flow to and for what purposes and under what safeguards.
  • A privacy impact assessment should be undertaken, assessing whether it is necessary for the data to be used in that way, what the risks to the data and how those risks will be controlled.
  • The outcome of this exercise should give you a clear idea and what further steps will need to be put into place to ensure project success.
  • You will need to check that each stage of project provides appropriate assurance that you are complying with your data protection obligations..
  • If you will be using external contractors for data processing, are they able to commit to the contract terms you have in place.  What assurance do you have that a contractor will meet or comply with the contract terms you have in place.  If it is not feasible for you to assess their safeguards, are they audited by a reputable independent auditor and will their audit reports be made available to you?
  • For new start businesses, it will be cost effective to build in compliance with the GDPR now.