How Healthcare Services Can Prepare for GDPR

On 25 May 2018, the European Union’s General Data Protection Regulation (GDPR) will come into force.

The healthcare industry has taken the handling of sensitive personal information seriously for a long time, but the legal requirements are about to increase and, according to recent research, NHS trusts are underprepared.  

Freedom of information requests sent to NHS trusts across the UK have revealed that more than £1 million has been spent preparing for GDPR next month.

Think tank Parliament Street found that a total of £1,076,549 has been spent across 46 trusts that responded, of the 84 approached. Figures included expenditure on consultancy, secure email systems, software, staffing and training.

Digital Health Intelligence (DHI) research shows that 55 percent of acute trusts and 47 percent of mental health trusts have an implementation plan for the legislation.

The report said, “This suggested that around half of trusts are properly equipped with a plan to tackle this complex legislation.”

Meanwhile, the Information Governance Alliance (IGA) has published guidance on how healthcare organisations can stay compliant with the new GDPR rules.

What Is GDPR?

In the UK, the GDPR will replace the Data Protection Act 1998.

It aims to give people greater control over their own data and ensures that data protection laws are the same across the EU. Any organisation that deals with people’s private data must meet new standards of transparency and security.

There will be hefty fines and penalties for businesses that don’t comply with the rules and breach data protection regulations.

Who Does It Apply To?

The regulations apply to data controllers and data processors.

A data controller, for example, might be a dental practice that collects and holds patient and employee information. The data controller is responsible for stating how and why data is used. A data processor is responsible for handling that data.

Both data controllers and processors are required to analyse the private data currently being held by the organisation and review consent procedures they used to obtain data from staff, patients or customers.

Personal data counts as names, bank records, photos, email addresses, personal information or medical records.

What Are The Key Changes?

The ICO Guide to GDPR is over 150 pages long, so we’ve highlighted some of the basics to help get you started.

Consent: Any business or individual using or storing a person’s personal data must ask the individual for consent and explain what their information is going to be used for. No pre-ticked boxes allowed.

Right to access: Individuals can request all data that a company holds on them by submitting a Subject Access Request. The company must provide electronic copies of that data and explain what it is being used for and how it is being stored. This gives patients and employees greater agency over their own data.

Breach notification: If an organisation discovers a data breach, they must report it to the relevant supervisory authority (for the UK this is the ICO) within 72 hours from first finding the problem.

Data portability: Individuals will be able to obtain and reuse their personal data for their own purposes across different services. Businesses will need to provide that information in the relevant format.

Right to be forgotten: Individuals can request that businesses delete their personal information and not share it with third parties.

Data Protection Officers: You will need to appoint a data protection officer if you are a public authority or carry out large-scale monitoring and processing of individuals.

What Should You Do Next?

As a data controller, you need to review and adjust how you obtain and store data. Every business will have different data protection requirements. However, some processes may need adjusting to ensure that compliance is met.

Here are a few points to help guide you when reviewing your data protection obligations:

  1. Assess how data comes into your business, how it is stored and managed, and which organisations process your data.
  2. Revisit consent and make sure it complies. Check the wording used when you ask for an individual’s consent to manage, store or process data.
  3. Check key documents to ensure that your privacy policy is compatible – it is recommended to seek legal advice on the precise wording.
  4. Ensure clear processes are in place to deal quickly with Subject Access Requests.
  5. Plan how to respond to data breaches.
  6. Determine whether you need to carry out a Data Protection Impact Assessment (DPIA). A DPIA must be carried out when data processing carries a high risk to individuals’ interests. Read more about DPIAs here.

If you would like more information about how RotaMaster technology can help you meet the requirements around data protection and storage then please give us a call on 01924 252360.

If you are unsure of the rules and your obligations then we recommend you visit the ICO website or IGA for more details on regulations or seek legal advice.