Safeguarding personal data
Failing to adhere to the data protection rules can be extremely costly. Independent practitioners’ responsibilities in dealing with personal data are highlighted here by solicitor Henry Forrester.
We live in an era increasingly concerned with regulation and management of an individual’s personal data.
This means businesses who handle personal data need to understand the requirements around handling that information.
And that is particularly the case for health carers, who are often handling sensitive patient records as well as – like most businesses – managing their own employees’ personal data.
In this article, I will discuss:
- the current data protection regime in the UK
- issues that can arise for independent practitioners during the course of managing personal data
- some solutions
Post-Brexit, the EU General Data Protection Regulation (GDPR) 2018 was incorporated into UK law, and GDPR is now part of our domestic law as UK GDPR.
A key concept within UK GDPR is personal data, that is: information that relates to an identified or identifiable individual and is capable of identifying a living individual.
Identifying an individual
A vast amount of data is capable of constituting ‘personal’ data. There are the types we immediately associate with personal data, such as names, addresses and dates of birth.
There is also data which does not seem to be personal data but can become so when provided with other data which might allow it to identify an individual.
This includes, for example, rare medical conditions and data which conveys a rough geographical location – such as GP practice or hospital – which might then allow someone to identify that particular individual.
It is always worth thinking about context when examining whether data constitutes personal data.
Practitioners will often be dealing with special category data. The key categories for special category data for practitioners relate to genetic data, health data or data relating to sex life and sexual orientation.
Special category data is treated as a particularly important kind of personal data, and a data breach involving special category data is considered particularly severe, with the prospect of penalties and fines imposed by the Information Commissioner’s Office (ICO).
Key considerations for UK GDPR
The six key points to take out of UK GDPR are:
1. UK GDPR is heavily informed by principles and it is important to remember these principles when dealing with personal data. Personal data should be processed lawfully, fairly and in a transparent manner, according to those principles.
Often, if it is unclear as to whether something is right, it is helpful to reference these principles. We will examine some of the specifics in more detail below.
2. Data must be collected for a specified, explicit and legitimate purpose and processed only in a way that is compatible with that purpose.
There are six categories of purpose but the most relevant ones for practitioners are either:
a) ‘Consent’ – which should be freely given, specific, informed and unambiguous;
b) ‘Protecting the vital interests of the data subject’.
3. Personal data collected must be relevant and limited to what is necessary for the purpose for which it is being processed. It is important to consider the relevance and necessity of that personal data when collecting it.
Lots of personal data is collected in independent practice settings, often for relevant and necessary administrative, diagnostic or health care delivery functions, but it is important to consider why you are collecting that data and the purpose it will serve.
4. Personal data must be accurate and kept up to date. For practitioners, this is a key consideration. Where you are holding lots of personal data on file for patients, you will need to ensure you regularly check and update that personal data and design processes which compel you to keep that information up to date.
5. Data integrity and confidentiality: Data must be processed in a secure manner, using appropriate organisational and technical methods.
It is important for doctors to ensure they have appropriate secure technical and organisational measures in place to store and process personal data, whether that is having a secure piece of software to store data or having an internal data processing policy in place.
6. Every practice needs to be registered with the Information Commissioner’s Office (ICO).
The ICO is responsible for regulating the application of the data protection regime in the UK.
It has the power to:
- obtain information via service of an Information Notice
- serve enforcement notices, which require corrective action to be taken
- carry out inspections and/or issue enforcement notices, with power to impose fines of up to £17.4m or 4% of worldwide turnover
Common issues and solutions
Contracting or sub-contracting of services
Contracting or sub-contracting services is common in the healthcare sector and data protection is a significant consideration when contracting for services involving a transfer of personal data.
There are several steps you can take to mitigate risk in this instance:
- Create a privacy notice to ensure patients are made aware of how their data is being handled. This will inform patients of the basis on which their data is being held and processed and tell them that their data will be processed by third-party suppliers for a specific purpose.
- Create a data protection policy which the contractor will have to comply with as part of the contract, ensuring data handling arrangements are aligned between the practice and the contractor.
Dealing with personal data in the contract
Ensure any contract which involves a transfer of patient data deals with data protection issues that may arise in the life of the subcontract.
Examples of standard terms include: establishing a controller and processor for the data, processing in accordance with the specified purpose, giving notice of a data breach, deletion of personal data upon expiry of the contract and indemnity for data breaches by either party.
Having these clauses in a contract will help you manage situations where a third party is handling personal data you have collected and give all parties clarity over their role in managing the personal data involved.
The risk is, without these types of clauses, you could potentially become liable for any data breaches made by the contractor and therefore potentially subject to ICO review and enforcement action.
Data protection clauses in a contract should give you a clear lever to resolve any data protection issues arising during the course of the contract and a route to a financial remedy if anything goes wrong.
Data security measures
Having appropriate data security measures in place is another crucial aspect of data protection, which relates to the UK GDPR requirement to preserve ‘confidentiality’.
Ensuring you put in place and maintain adequate security to protect the personal data you hold is vitally important.
There are various elements to this: the data itself must be secure and able to withstand cyber attack, and the data protection policies and processes in place within the practice must reinforce that data security.
First published in Independent Practitioner Today in March 2023.