The majority of fines issued by the Information Commissioner's Office (ICO) are for data breaches. A data breach generally involves the accidental loss, destruction or unauthorised dissemination of personal data. For example, leaving medical notes about a patient on a train, a cyber security attack which leads to the loss of patient information, or mistakenly sending test results to the wrong patient.
Both the DPA and the GDPR require your practice to put appropriate technical and organisational measures in place to keep personal data secure. Technical measures include steps such as network security, whilst organisational measures are more about staff training, awareness and having written policies and procedures. The GDPR provides more detailed requirements around information security than the DPA. For example, measures such as encryption are specifically mentioned (although appropriate use of encryption is arguably already a requirement even if not explicitly mentioned in the DPA).
Both the DPA and the GDPR require you to inform individuals how you use their personal data. This information is usually provided in a document known as a 'privacy notice' or a 'transparency notice'.
In our experience, this information is often either not provided or is written in a way which is not accessible, eg by using complex and dense language. It is particularly important that vulnerable individuals, such as the elderly, are not deprived of this information. The GDPR requires more information to be included in privacy notices, some of which is quite complicated, for example, your legal grounds for using different types of personal data. Make sure that your privacy notices are clearly written and accessible.
The GDPR gives people additional and stronger rights in their personal data, for example, the right to have their personal data deleted under certain circumstances. Nevertheless, the right which causes the most difficulty in our experience (and will likely continue to do so under the GDPR) is the right to make a 'Subject Access Request' (SAR). When making a SAR, individuals are entitled to a copy of the personal data which you hold about them subject to various exemptions. SARs are often made by an individual looking for information to support a complaint or grievance, for example, a patient unhappy with the care they have been given or a disgruntled member of staff.
Due to their complicated and time consuming nature, you should have procedures in place for dealing with SARs. For example, all staff should be trained to recognise when a SAR is being made and you should organise information in a way which makes retrieval of personal data easier.
The GDPR decreases the timeframe for responding to a SAR from 40 calendar days to one month in most cases. There is also likely to be a new criminal offence relating to not disclosing information to which the individual is entitled to.
Sharing Personal Data
Both the DPA and the GDPR contain additional rules when sharing personal data. This includes both sharing with other health professionals and organisations as well as when using contractors.
You should have a protocol in place for sharing with other health professionals and organisations. This should, for example, set out the rules for sharing data securely, dealing with complaints from individuals, and transparency (ie a process for telling people about how their data is shared).
If you use a contractor to handle personal data on your behalf (for example, to provide a hosted HR database or to securely wipe computer hard drives which contain patient personal data), then there must be a written contract in place which contains the mandatory wording set out in the DPA. This mandatory wording will be different under the GDPR, so we suggest you speak to your contractors to make sure that their terms and conditions are being updated for GDPR compliance. In addition, you must take steps to ensure that the contactor understands about, and complies with, the data protection principles in practice. The sorts of questions you may wish to ask include:
How Can We Help?
Our experienced team of data protection solicitors can assist with training, documentation (including data protection policies) and audits, as well as all aspects of information law and data protection compliance. You can also view August's article.