Is your private practice ready for GDPR?
The current law governing the use of personal data in the UK is the Data Protection Act 1998 (“DPA”). The law will change on 25 May 2018 when the European General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) will come into effect. Irrespective of Brexit, the UK government has made it clear that UK law will align with European law on this issue and a new Data Protection Bill is currently before Parliament. Some matters that are currently recommendations of good practice, for example “privacy by design”, will become legal requirements.
Privacy and Data Security
Any medical practice will be aware that ensuring confidentiality and the security of data is an essential requirement to operate in health care. The 7th Data Protection Principle in the DPA states that “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” There is supplementary guidance within Schedule 1 of the Act, including:
The level of security must be appropriate to the harm that could result from the breach of security and the nature of the data to be protected.
Given the nature of private practices and the potential harm that could result from misuse of health records, data controllers will need to demonstrate a high level of security, and private practices will need to keep themselves up to date as to the industry standard guidance for security levels appropriate to healthcare data.
The GDPR (Article 32) is much more specific as to the measures data controllers and processors should consider, where appropriate, including:
- Pseudonymisation and encryption of personal data
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
- The ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident
- A process for regularly testing, assessing and evaluating the effectiveness of the security measures in place.
The need for such measures, in particular resilience and the ability to restore access, was demonstrated by the WannaCry attack of May 2017, which affected many NHS organisations.
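As an added illustration of the first of these measures (this is example code written for this page, not anything from the original article or from any particular practice system), the following Python shows the difference between a keyed pseudonym, where the secret key is held separately from the pseudonymised data, and a plain unkeyed hash of a patient identifier, which anyone can reverse simply by trying every plausible identifier. The record layout, the `P-000123` identifier format and the sample records are constructed assumptions.

```python
"""Keyed pseudonymisation of patient identifiers (added example; the record
layout, identifier format and sample data are assumptions, not real data)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from typing import Callable, Optional

# Constructed sample records: identifiers and clinical details are made up.
SAMPLE_RECORDS = [
    {"patient_id": "P-000123", "name": "A. Example", "postcode": "AB1 2CD", "diagnosis": "asthma"},
    {"patient_id": "P-000456", "name": "B. Example", "postcode": "EF3 4GH", "diagnosis": "hypertension"},
    {"patient_id": "P-000123", "name": "A. Example", "postcode": "AB1 2CD", "diagnosis": "eczema"},
]

# Fields that identify the patient directly; they never reach the pseudonymised copy.
DIRECT_IDENTIFIERS = ("patient_id", "name", "postcode")


def new_key() -> bytes:
    """Generate the secret pseudonymisation key.

    The key (and the re-identification table) must be kept separately from the
    pseudonymised data and under access control; that separation is what makes
    the data pseudonymised rather than merely relabelled (GDPR Art. 4(5)).
    """
    return secrets.token_bytes(32)


def pseudonym(patient_id: str, key: bytes) -> str:
    """Deterministic keyed pseudonym (HMAC-SHA-256).

    The same patient always maps to the same reference, so records can still
    be linked for analysis, but without the key the reference cannot be
    recomputed from a guessed identifier or reversed.
    """
    return hmac.new(key, patient_id.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records: list[dict], key: bytes) -> tuple[list[dict], dict[str, str]]:
    """Replace direct identifiers with a keyed pseudonym.

    Returns the pseudonymised copy and the re-identification table
    (pseudonym -> patient_id); the table stays with the key, not with the copy.
    """
    pseudonymised: list[dict] = []
    reidentification: dict[str, str] = {}
    for rec in records:
        ref = pseudonym(rec["patient_id"], key)
        reidentification[ref] = rec["patient_id"]
        pseudonymised.append(
            {"patient_ref": ref, **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}}
        )
    return pseudonymised, reidentification


def unkeyed_pseudonym(patient_id: str) -> str:
    """The weak variant: a plain SHA-256 of the identifier with no secret.

    Shown only to demonstrate why it is not adequate: the identifier space of a
    practice is small, so the hash can be reversed by guessing.
    """
    return hashlib.sha256(patient_id.encode("utf-8")).hexdigest()


def recover_by_guessing(target: str, guesser: Callable[[str], str], limit: int = 10_000) -> Optional[str]:
    """Try every identifier of the assumed P-NNNNNN form up to `limit` and return
    the one whose pseudonym equals `target`, or None if nothing matches."""
    for n in range(limit):
        candidate = f"P-{n:06d}"
        if hmac.compare_digest(guesser(candidate), target):
            return candidate
    return None


if __name__ == "__main__":
    key = new_key()
    copy, table = pseudonymise(SAMPLE_RECORDS, key)
    for rec in copy:
        print(rec)
    # The unkeyed hash is reversed immediately; the keyed pseudonym is not,
    # because the guesser does not hold the practice's key.
    print(recover_by_guessing(unkeyed_pseudonym("P-000123"), unkeyed_pseudonym))
    attacker_key = new_key()
    print(recover_by_guessing(pseudonym("P-000123", key), lambda c: pseudonym(c, attacker_key)))
```

Two caveats for anyone adapting this: pseudonymised data is still personal data under the GDPR (Recital 26), so it does not on its own make secondary analysis "anonymised"; and the protection rests entirely on the key and the re-identification table being stored and access-controlled apart from the pseudonymised copy, as the unkeyed variant in the block shows.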
The maximum penalty for breaches of the DPA is currently £500,000. Once the GDPR comes into force, the maximum penalty for a data protection breach will be €20,000,000 or 4% of annual worldwide turnover, whichever is the higher. It should also be noted that while reporting personal data breaches to the regulator is currently voluntary, under the GDPR reporting to the ICO is mandatory within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. It is therefore essential that private practices have systems in place to ensure the rapid identification and assessment of potential data breaches, and that staff know to whom incidents must be escalated so that the 72-hour period is not lost to delay.
The power to use personal data
The DPA requires certain conditions to be met before personal data can be used, and in the case of sensitive personal data (which includes health data) there are further conditions that need to be satisfied.
In the case of personal data the conditions include:
- The consent of the data subject
- Processing necessary for the performance of a contract with the data subject (or taking steps at the request of the data subject with a view to entering into a contract)
- Processing necessary for the legitimate interests of the data controller or those to whom the data are disclosed, except where this is unwarranted in light of the data subject’s interests.
For sensitive personal data the justifications include:
- The explicit consent of the data subject
- Processing necessary for medical purposes undertaken by persons under an obligation of confidence equivalent to that owed by health professionals.
These justifications are largely replicated in the GDPR. However, what was previously called ‘sensitive personal data’ (for example health data) will now be known as ‘special category personal data’, and it is explicitly recognised that the ‘medical purposes’ justification extends to health or social care.
For a private practice, the consent of the patient may initially seem an attractive justification for processing their data, especially as consent is in any case required for treatment. However, consent to treatment and consent as the lawful basis for data processing are separate matters, and consent to processing, once given, can be withdrawn at any time. If consent is relied on as the justification, the business model must be able to cope with the immediate cessation of processing when it is withdrawn. The requirements for demonstrating consent as the basis for processing under the GDPR are also much more stringent (it must be freely given, specific, informed and unambiguous), and arguably can never be met in the healthcare setting, since certain data processing must be accepted in order to receive treatment. In practice, while consent will remain an important part of ensuring that the usage of data is fair and transparent, it is unlikely to be useful as the lawful basis for the processing undertaken; the ‘medical purposes’ and health or social care conditions are the more natural fit.
Aside from the need to satisfy the conditions for processing, data controllers are under an obligation to ensure that processing is fair and lawful and that appropriate information is given to data subjects as to how their data will be used. This is commonly provided in the form of a subject information notice, sometimes called a privacy notice. Such notices should be transparent about how the data is used, so that there are no surprises to the data subject as to how their data will be used and shared. Data controllers will be expected to explain, in straightforward language, what data relating to the data subject will be collected, the purposes for which it will be used, with whom it may be shared, and for how long records will be retained. If children’s data is collected and used, subject information notices appropriate for children are also necessary.
If a practice is proposing to use the data it collects for purposes other than the direct delivery of the agreed service to the patient, any secondary uses of the data should be clearly explained and the data subject should be given the opportunity to opt out of secondary uses. For example, if the data controller intends to undertake additional analysis of data unconnected with their care, then it will be necessary to either obtain the patient’s consent to this use of their data, or to ensure that any such analysis is undertaken on effectively anonymised data.
Again, under the GDPR, the requirements as to the information to be given to data subjects will be more extensive, and there is an emphasis on providing information to data subjects proactively, rather than simply having the data available on request. It will thus be important to ensure that the practice’s privacy notices are reviewed and updated to reflect the more extensive requirements of transparency required under the new law.
There will be a significant change to subject access rights under the GDPR. The presumption is that the first copy set of records should be provided free of charge, thus removing the previous £50 subject access fee for health records. While the GDPR provides scope for national governments to depart from this rule in appropriate cases, at the time of writing, the Data Protection Bill makes no provision for the retention of subject access fees. This may have a significant impact on private practitioners – any disclosure of records needs to be checked to ensure that no third party personal data or other exempt material is disclosed. It might be thought that the risk of this happening in relation to private healthcare records would be low, but the risk cannot be excluded. In 2016, a GP practice was fined £40,000 after disclosing sensitive third party information, including address details when a subject access request made by a father in relation to his infant child was not screened to remove information about the mother of the child, his ex-partner. Therefore, there always needs to be screening of the records by someone with appropriate knowledge and expertise.
Data Protection Officers
The GDPR obliges data controllers to appoint a Data Protection Officer if they are a public authority or a ‘large scale’ processor of special category personal data. The role of a Data Protection Officer is defined in the GDPR as being the source of expert knowledge, training, advice and guidance on data protection, and to monitor the controller’s compliance with the GDPR and be the point of contact with the ICO. The Data Protection Officer should have ready access to the board or other top level of management, but should not be part of that top level. The role has statutory protection – a Data Protection Officer cannot be dismissed for doing their job, and so it is important to ensure that the person appointed to the role is up to the task.
The current guidance as to what large scale processing entails is not very helpful: it indicates that an individual physician would not be a large scale processor, but a hospital would be. Thus a controller with, say, 2,000 patients on their list will not be required to have a Data Protection Officer, but a controller with, say, 100,000 patients on their list would be. Unfortunately, there is no further guidance as to where the dividing line falls. A single independent practitioner will not need to appoint a Data Protection Officer, but larger multi-location or corporate private medical providers may very well need one.
If practices are not required to appoint a Data Protection Officer, but nevertheless wish to have a data protection lead, it is very important that such a lead is not given the title Data Protection Officer, as this has a specific statutory meaning and will result in all the relevant laws applicable to such a post applying.
There is now only limited time before the GDPR takes full effect on 25th May 2018. We recommend all private practices undertake the following steps:
- At the outset, map your data flows. Identify what information you need to collect and process and where it is intended that data will flow to and for what purposes and under what safeguards.
- A privacy impact assessment (under the GDPR, a data protection impact assessment, which is mandatory where processing is likely to result in a high risk to individuals) should be undertaken, assessing whether it is necessary for the data to be used in that way, what the risks to the data are and how those risks will be controlled. The outcome of this exercise should give you a clear idea of what further steps need to be put in place before the processing goes ahead.
- Consider whether your systems are adequate to detect data breaches promptly, and to flag information adverse incidents in time to comply with the 72-hour reporting deadline, which runs from the moment the practice becomes aware of the breach.
- Identify whether you need to have a Data Protection Officer, and if so, who will be fulfilling that role.
- The GDPR is much more prescriptive as to what terms must be included in contracts with data processors. If you use data processors, review whether your existing contracts will meet the GDPR requirements. If they are no longer suitable, you will need to agree new GDPR compliant terms with your processors and be satisfied that they will be implemented.
The Information Commissioner has made it clear that she expects data controllers and processors to be compliant with the new law from the day it comes into force. However she does have discretion in how she uses her enforcement powers. Data controllers that identify and report data breaches promptly and can demonstrate appropriate work has been done in preparation for the new law are much less likely to receive a fine than controllers that have done little or no preparation for the GDPR.