We are all sick of hearing about GDPR, but are you ready?
There is only a week to go until it becomes law across the EU.
Don’t think that just because you aren’t a huge organisation with billions of
bytes of data that it doesn’t apply to you. It does, and you need to be
ready.
The healthcare sector is well versed in dealing with sensitive information. The
data that is moved around is already pretty secure, so the GDPR rules are for
the most part probably already being adhered to… but don’t presume: you have
a legal responsibility to make sure that you and your partners are following
the new rules.
In theory, the transition to the new GDPR rules for the healthcare sector
should be fairly straightforward, if not entirely pain free.
What is GDPR?
General Data Protection Regulation (GDPR).
In a nutshell, GDPR supersedes the existing Data Protection laws. The new
framework gives individuals much more control over what data is held about them.
It also restricts the storage of this data for reasons not directly associated
with the day-to-day running of your business, or with supplying the service, or
services, that the individual has requested.
You must have a valid reason for holding the data, it must be used lawfully,
and you must have explicit consent from the individual to hold and use the
data. The potential fines for non-compliance are eye-watering: 4% of total
turnover or up to €20m. Gulp!
Data needs to be secure.
Any data you are moving around needs to be done so securely.
The hospital systems and recognised healthcare software tools that you
currently use should be compliant with the new rules, but you need to check
with your supplier that they are also compliant.
With regard to your own internal systems, you need to make sure you are
adequately protected.
All of your computers need to have up-to-date antivirus and anti-malware
software, and you should password protect any documents that contain personal
information. In addition, you should use an encrypted email service (such as
Egress or Protonmail) when sharing any information with patients, health
insurers, colleagues etc…
If someone steals your data and you haven’t adequately secured it, you could be
in a lot of trouble.
If you do have a breach, you have 72 hours to notify the Information
Commissioner’s Office (ICO)… But prevention is better than cure!
Right to delete data:
An individual has the right to have all data held about them deleted. There are
legal requirements to retain patient information of course, but as soon as that
period of time has elapsed, you must delete the data unless you have specific
permission from the individual, or reason to retain it.
You should only keep data that identifies individuals when it is
necessary.
If you keep data for research or clinical review purposes, but have no need for
that data to be associated with an individual, you should anonymise it. If you
are planning to retain anonymised data it would make sense to state this in
your privacy policy.
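The anonymisation step described above, as an added example that is not part of the original post: a small Python script that drops the fields which identify a patient directly, coarsens the fields which could identify them in combination (date of birth, postcode), and keeps only the clinical values needed for review. It also shows the keyed pseudonym variant and why it must be treated differently: a pseudonymised record can still be linked back by whoever holds the key, so under GDPR it remains personal data rather than anonymised data. The field names, record values and key below are constructed for illustration.

```python
"""Anonymising patient records retained for research or clinical review.

Added example, not code from the original post. Field names and the sample
records are constructed for illustration; no real patients are involved.
"""
import hashlib
import hmac
from datetime import date

# Constructed sample records (fictional values).
SAMPLE_RECORDS = [
    {"patient_id": "0000000001", "name": "Patient One", "dob": "1961-04-12",
     "postcode": "SW1A 1AA", "email": "one@example.org",
     "diagnosis": "type 2 diabetes", "hba1c_mmol_mol": 58},
    {"patient_id": "0000000002", "name": "Patient Two", "dob": "1990-11-30",
     "postcode": "M1 1AE", "email": "two@example.org",
     "diagnosis": "asthma", "hba1c_mmol_mol": None},
]

# Fields that identify a person on their own: never copied into the research set.
DIRECT_IDENTIFIERS = ("patient_id", "name", "email")

# Fields that are useful for analysis but identify people in combination
# (quasi-identifiers): kept only in a coarsened form.
QUASI_IDENTIFIERS = ("dob", "postcode")


def age_band(dob_iso, as_of_iso):
    """Replace an exact date of birth with a ten-year age band as of a date."""
    dob = date.fromisoformat(dob_iso)
    as_of = date.fromisoformat(as_of_iso)
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    lower = (age // 10) * 10
    return f"{lower}-{lower + 9}"


def outward_code(postcode):
    """Keep only the outward part of a UK postcode ('SW1A' from 'SW1A 1AA')."""
    return postcode.strip().split()[0].upper()


def anonymise(record, as_of_iso):
    """Irreversibly strip identity from a record for research use.

    Direct identifiers are dropped, quasi-identifiers are coarsened, and the
    clinical fields are kept unchanged. No key exists that could reverse this.
    """
    out = {k: v for k, v in record.items()
           if k not in DIRECT_IDENTIFIERS and k not in QUASI_IDENTIFIERS}
    out["age_band"] = age_band(record["dob"], as_of_iso)
    out["area"] = outward_code(record["postcode"])
    return out


def pseudonymise(record, key, as_of_iso):
    """Like anonymise(), but adds a keyed token so rows for the same patient
    can be linked across extracts.

    An HMAC with a secret key is used rather than a plain hash, because the
    space of patient identifiers is small enough to brute-force a plain hash.
    The token can still be reversed by whoever holds the key, so the result
    remains personal data under GDPR; store the key separately from the data.
    """
    out = anonymise(record, as_of_iso)
    token = hmac.new(key, record["patient_id"].encode(), hashlib.sha256).hexdigest()
    out["pseudonym"] = token[:16]
    return out


def contains_identifier(record):
    """Release check: True if any identifying field is still present."""
    return any(field in record for field in DIRECT_IDENTIFIERS + QUASI_IDENTIFIERS)


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(anonymise(rec, "2018-05-18"))
```

Run `contains_identifier()` over every row before a dataset leaves the clinical system; if it ever returns True, the export has not been anonymised and should not be released.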
What is a privacy policy?
You must have a privacy policy that explains what data you will hold on
patients, how that data will be used, how long you will keep it, who you will
share it with and if you intend to use it for marketing purposes.
Make sure this is available and is given to patients, so they understand the
details of how their personal information will be used. If you have a website,
it makes sense to publish it on the site and give easy access to your policy to
anyone who might want to see it.
However, it’s not just your patients you need to think about; your staff,
partners, contacts etc. will all have records, and they are also covered by
GDPR.
There are some useful healthcare specific guides and templates available to
help you write your policy document; see “useful links” below.
But aren’t we leaving the EU?
The government has stated that it will keep the new rules after Brexit, so
don’t think it’s going to fizzle out and disappear as we leave the EU in March
2019.
8 Step Plan:
1: Register with the ICO:
As a consultant you are required to register with the Information
Commissioner’s Office.
2: Review what data you currently hold:
What data do you have? Is it data you need, or are required to hold? If not,
you need to delete it.
3: Write a privacy policy:
This needs to explain what data you will hold, how that data will be used, how
long you will keep it, who you will share it with and if you intend to use it
for marketing purposes.
4: Check third-party contracts:
Your suppliers should also be GDPR compliant, and it is your responsibility to
check with them that they are.
5: Get consent:
Put a clear process in place to obtain explicit consent from any individuals
that you currently hold data on.
6: Lock it up:
Make sure your systems are secure; any data moving around needs to be
protected.
7: Plan for the worst, hope for the best:
Have a clearly laid out policy on what to do if you have a breach. If you know
about it, you must report it.
8: Don’t panic:
Will everyone get it right? Probably not, but if you have genuinely put
processes in place to the best of your ability, but have still been
compromised, you’re likely to get a slap on the wrist and told to put your
house in order. If you have a breach and have not even attempted to be
compliant, then you could be in a heap of trouble!
There will be a period of adjustment as the rules come into force. As the
requirements for an individual business become clearer, you should update and
refine your policy accordingly.
Useful links:
Information Commissioner’s Office
ICO Preparing for GDPR
BMA GDPR guide
GMC Guide to GDPR
The MDU – Getting ready for GDPR
Disclaimer
We aren’t legal experts and our understanding of GDPR isn’t comprehensive. This article is simply an overview of what we have picked up over the last few weeks when looking at GDPR. We hope it is useful, but if you have any concerns about your use of data, or your compliance with the new rules you should consult a specialist in GDPR law and/or an expert in GDPR data requirements.