GDPR and healthcare - how to ensure a clean bill of health
We’re all aware of the imminent arrival of the EU General Data Protection Regulation which comes into force in under one month on 25th May 2018. It will arrive on the UK’s statute books as the updated UK Data Protection Act 2018, which replaces the existing DPA of 1998, from an era where only a tiny percentage of our lives was reliant upon the internet and online transactions. This new approach to data protection provides a long overdue update to current requirements, and is focused upon several core subjects:
- Providing data protection by design and by default
- Understanding the legal basis for undertaking personal data processing
- Delivering an expanded set of rights to data subjects
- The role of the Data Controller and Data Processor
- A significant penalty regime for non-compliance and breaching personal data
From a healthcare perspective, we’ve looked at each of these in turn.
Firstly, Article 25 of GDPR mandates that we must ensure data protection by design and by default. We’re required to design processes and IT systems with data privacy consideration as a primary input, rather than trying to retrofit them at a later stage. This broad subject includes a wide selection of technical and organisational requirements, including:
- Understanding the risks to personal data being processed
- Identifying the sources of personal data and “special categories” of personal data (as described within Article 9 of GDPR) – note the latter includes medical/healthcare data
- Implementing technical controls such as encryption or pseudonymisation
- Promoting data minimisation, and retaining personal data only for as long as is necessary
- Delivering capabilities to protect against viruses, malware and ransomware
- Properly architected and security tested systems and applications
- Providing effective data protection training to all personnel, contractors and suppliers
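The pseudonymisation, data minimisation and retention items in the list above are the ones most often implemented in code, so here is an added illustration (written for this page, not code from the article or from InfoSaaS) of how a data controller might prepare an extract for a third-party processor. The key, field list, retention period and patient records are all constructed assumptions for the example; a keyed HMAC is used rather than a plain hash so that a short, structured identifier cannot be re-derived by anyone who does not hold the controller's key.

```python
import hmac
import hashlib
from datetime import date, timedelta
from typing import Dict, List, Optional

# Hypothetical secret held only by the data controller (constructed for this example);
# without it nobody can re-derive a pseudonym from a patient identifier.
PSEUDONYM_KEY = b"example-controller-key-not-for-production"

# Fields the downstream processor needs for its stated purpose (an assumption here);
# everything else is dropped before the extract leaves the controller.
FIELDS_FOR_PURPOSE = ("pseudonym", "year_of_birth", "diagnosis_code")

# Hypothetical retention period: records with no contact for longer are excluded.
RETENTION_DAYS = 5 * 365

# Constructed reference date for the extract run.
EXTRACT_DATE = date(2018, 5, 1)


def pseudonymise_id(patient_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed HMAC-SHA256 of the identifier.

    Deterministic (the same patient always maps to the same pseudonym, so records
    can still be linked) but not reversible without the controller's key, unlike
    an unkeyed hash of a short, guessable identifier.
    """
    return hmac.new(key, patient_id.encode("utf-8"), hashlib.sha256).hexdigest()


def minimise(record: Dict, today: date) -> Optional[Dict]:
    """Return the reduced, pseudonymised record, or None if it is past retention."""
    if today - record["last_contact"] > timedelta(days=RETENTION_DAYS):
        return None
    full = {
        "pseudonym": pseudonymise_id(record["patient_id"]),
        "year_of_birth": record["date_of_birth"].year,  # year only, not the full DOB
        "diagnosis_code": record["diagnosis_code"],
    }
    return {k: full[k] for k in FIELDS_FOR_PURPOSE}


def prepare_extract(records: List[Dict], today: date) -> List[Dict]:
    """Apply minimisation and retention to a batch; direct identifiers never leave."""
    out = []
    for rec in records:
        reduced = minimise(rec, today)
        if reduced is not None:
            out.append(reduced)
    return out


# Constructed sample records with fake identifiers; not real patient data.
SAMPLE_RECORDS = [
    {"patient_id": "0000000001", "name": "A. Example", "date_of_birth": date(1970, 3, 4),
     "postcode": "XX1 1XX", "diagnosis_code": "E11", "last_contact": date(2018, 1, 10)},
    {"patient_id": "0000000002", "name": "B. Example", "date_of_birth": date(1985, 7, 21),
     "postcode": "XX2 2XX", "diagnosis_code": "I10", "last_contact": date(2017, 11, 2)},
    {"patient_id": "0000000003", "name": "C. Example", "date_of_birth": date(1950, 1, 1),
     "postcode": "XX3 3XX", "diagnosis_code": "J45", "last_contact": date(2011, 6, 30)},
]

if __name__ == "__main__":
    for row in prepare_extract(SAMPLE_RECORDS, EXTRACT_DATE):
        print(row)
```

Running the block drops the third record (last contact more than five years before the extract date) and emits the remaining two with only the three purpose-bound fields. Because the pseudonym is keyed, the controller can re-identify a patient from its own mapping when a data subject exercises a right, while the processor holding the extract cannot.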
Article 35 requires us to undertake formal “Data Protection Impact Assessments” where there is a high risk to the rights or freedoms of natural persons; when done well, these provide a formal record of data protection and privacy controls. The “UtopiaR” cloud-based solution from InfoSaaS is globally used to undertake such detailed assessments.
Next up, we need to understand the reason we are processing personal data and ensure that at least one of the six criteria prescribed in Article 6 of GDPR can be met. Dependent upon the activities our respective organisations undertake within the healthcare sector, we may have a different legal basis to comply with.
For accident and emergency environments or when processing the personal data of those with mental health conditions, 6.1(d) allows processing of personal data “to protect the vital interests of the data subject”. For those undertaking voluntary medical research activities, the gaining of data subject consent as described in 6.1(a) may be a more appropriate approach. Remember that consent needs to have been freely provided by the data subject, records of consent need to be maintained, and that the consent can also be withdrawn at any time.
Other legal bases include the fulfilment of a contract with the data subject, compliance with legal obligations, data processing as a task carried out in the public interest or in exercising official authority and, finally, processing which is undertaken as a legitimate interest of the data controller. It’s recommended that healthcare organisations familiarise themselves with these alternatives and ensure that an appropriate legal basis is adopted which supports their personal data processing requirements.
Data subjects have a greater set of rights which they can choose to exercise in relation to the processing of their personal data. Healthcare organisations need to prepare themselves for how they will react when such requests start to arrive – how will you validate the identity of the requester, confirm the specific details of what they have requested, allocate internal resources to respond to the request – within 30 days – and respond back to the data subject? Robust processes and staff awareness training are essential in this area.
Article 15 gives data subjects the right to request details of their personal data being processed by an organisation, with the reasons why. Whilst this right was already available under the DPA 1998 for a fee of £10, with organisations given 42 days to respond, under DPA 2018 it is available free of charge and organisations now have only 30 days to respond.
Following receipt of this data, Article 16 provides a right for any incomplete or inaccurate personal data to be corrected promptly. In specific circumstances, for example where consent is the legal basis for processing, data subjects can use Article 17 to request that their personal data is deleted, provided there is no alternative legal basis for its ongoing retention. Other rights allow for data subjects to request that their personal data is extracted and transferred to an alternative data processor, that the processing of their personal data is restricted in certain situations, and for them to object to specific data processing activities – for example direct marketing activities.
Whilst the Supervisory Authority (the Information Commissioner’s Office in the UK) has significant penalties at its disposal – data subjects also have the right to seek compensation for damages for infringements of GDPR (as per Article 82) and failing to provide timely and accurate responses to data subject rights requests is likely to be an initiating step.
Within the healthcare sector, it’s important to identify which organisation is the “Data Controller” (as per Article 24) and who is the “Data Processor” (as per Article 28). Data controllers are responsible for determining the nature of the personal data processing that is to take place, and for ensuring that appropriate technical and organisational safeguards are in place to ensure that the personal data will be managed safely and securely. They may determine that they need to use the services of demonstrably compliant third-party data processors for some of the processing tasks, and it remains the data controller’s responsibility to validate their capabilities and competencies.
In healthcare, we regularly see the engagement of specialist organisations to undertake specific processing tasks that are not readily available from the NHS. Once they have been validated as being authorised to process medical data, such data processors must only act in accordance with the written processing instructions issued by the data controller and ensure that their own technical and organisational controls communicated during validation remain in place and effective at all times.
Perhaps the most widely known fact about GDPR is the significant increase in financial penalties which are associated with personal data breaches and non-compliance with the Regulation’s requirements. The most serious misdemeanours attract fines of up to €20mn/£17mn, or 4% of global annual turnover (whichever is the greater), while less serious issues can be fined up to €10mn or 2% of turnover. When taken in conjunction with the rights of data subjects to seek damages themselves, and the anticipation of an active legal system to help represent citizens, breaches of personal data are likely to be very costly. The healthcare system does not carry this level of contingency, and any liabilities which need to be paid will have a negative impact on the funding of healthcare activities within other parts of the organisation.
GDPR is a complex framework of requirements, and if your organisation has yet to make serious progress with your preparations, it is very unlikely that you will be ready for 25th May 2018. Having said that, the more that you can do to reduce risks, protect patient personal data and comply with the requirements of the Regulation, the less likely you are to suffer a data breach as you complete your preparations. Let’s not forget, however, that GDPR is good news for data subjects (which includes all of us), who will finally have their personal data properly protected and have recourse in the event of something going wrong. And nobody’s going to argue with that.