GDPR and the Care Sector – What’s New?
The Information Commissioner's Office (ICO) has turned its attention to the health and social care sector since the implementation of GDPR in May 2017.
The ICO has conducted audits of a number of health and social care organisations and has taken steps to reprimand organisations that have failed to comply with the legislation, including by failing to pay the data protection fee and failing to appoint a data protection officer. It has also issued more detailed guidance to help organisations achieve compliance, which is just as important now as it was in 2017.
The aim of this guidance notice is to provide an update in terms of recent ICO action as well as a reminder of why GDPR is so important and the steps that care sector organisations should take to ensure continuing compliance.
Why health and social care?
There are few other sectors that process such a significant volume of special categories of data (“sensitive personal data” under the previous legislation) as the health and social care sector. The potential repercussions of loss or unauthorised use of that data are significant.
What has the ICO been doing since 2017?
- Data protection fee
The ICO has taken formal enforcement action against a number of care homes that have failed to pay the data protection fee.
All organisations that process personal data are required to pay a fee to the ICO and are then listed on the register of data controllers. The fee varies depending on size and turnover of the organisation. The ICO noticed that the care home sector was under-represented on the register and it is possible that the ICO will subsequently extend its review to other care sector organisations.
The fees and fines are as follows:
Tier 1 – micro organisations with a maximum turnover of £632,000 and no more than 10 members of staff – fee: £40, fine: £400
Tier 2 – SMEs with a maximum turnover of £36 million or no more than 250 members of staff – fee: £60, fine: £600
Tier 3 – large organisations that don’t meet the criteria of tiers 1 or 2 – fee: £2,900, fine: £4,000
If your organisation processes personal data and hasn’t yet paid the ICO fee, it should do so as a matter of urgency. Fees can be paid via the ICO website at https://ico.org.uk/for-organisations/data-protection-fee/.
- Data protection officer
The ICO has focussed on whether health and social care organisations have appointed a data protection officer. If your organisation’s core activities consist of large scale processing of special categories of data (which is likely in the health and social care sector), a data protection officer must be appointed. More information about the requirements surrounding appointment of a data protection officer can be found on the ICO website.
- Action taken in the UK and Europe
The ICO has carried out a number of audits in the health and care sector, the findings of which may prove to be useful guidance for care sector organisations.
An audit of Bupa care homes found staff did not have a sufficient understanding of “fair processing” and the steps they should take and issues they should consider when processing personal data. It also found that Bupa’s fair processing notices were not sufficient and recommended a review of the policies. Finally, some staff were unaware that subject access requests could be submitted verbally, and the ICO recommended that Bupa’s SAR tracker (used to log the receipt and progress of requests) be reviewed to provide a better audit trail.
All care sector organisations should ensure knowledge and understanding of GDPR is cascaded throughout the business through training and policies.
After conducting a number of audits in the health and social care sector, an ICO representative said “our audits showed a worrying trend of health organisations failing to properly manage the records they held”. The ICO has therefore created a suite of resources to help offer health and care sector organisations practical support and tools to improve their record management. We have set out a summary of the recommendations provided by the ICO in the section of this guidance note entitled “Is there any guidance available?”.
The Portuguese data protection regulatory authority held that a Portuguese hospital, the Centro Hospitalar Barreiro Montijo (CHBM), had committed numerous breaches of GDPR in 2018, including:
- Staff had access to patients’ medical records when such access was unnecessary and unwarranted;
- All doctors had access to all patients’ records, irrespective of whether they needed access to those records;
- Test profiles on computers were implemented with unrestricted access rights, and accounts were not deactivated sufficiently quickly when they were no longer needed.
All care sector organisations should ensure that the only members of staff who have access to personal data are those who need to know it, that those with access to personal data are only able to access the personal data they need, and that appropriate security measures are in place for both physical and online files that contain personal data.
CHBM argued that it had contracted with a third party to provide its systems, but the Portuguese regulatory authority was unimpressed. If your organisation uses systems provided by a third party, make sure you are comfortable with the way in which the third party has developed the system. The ICO will consider whether you carried out appropriate due diligence when choosing to work with that particular third party.
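The three CHBM findings above (access beyond what a role needs, every doctor able to see every patient, and test or stale accounts left active) map directly onto a need-to-know access check. The following is an added illustration written for this note, not code from the ICO, CHBM or any system supplier: it assumes a hypothetical model in which each account has a role and a set of care teams, each patient record belongs to one care team, and access is denied unless the account is active, is not a test profile, holds a clinical role and sits on that patient's care team. It also assumes a simple idle-account rule (90 days without a login) for deactivation.

```python
"""Need-to-know access checks for patient records (illustrative model, not a product's code)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

CLINICAL_ROLES = {"doctor", "nurse"}      # roles permitted to open clinical records at all


@dataclass
class Account:
    user_id: str
    role: str                             # e.g. "doctor", "nurse", "admin"
    care_teams: Set[str] = field(default_factory=set)   # teams/wards the user works on
    active: bool = True
    is_test: bool = False                 # test profiles must never reach live patient data
    last_login: Optional[date] = None


@dataclass
class PatientRecord:
    patient_id: str
    care_team: str                        # the team responsible for this patient


def can_view_record(account: Account, record: PatientRecord) -> Tuple[bool, str]:
    """Deny-by-default decision: every check must pass before access is granted.

    Returns (allowed, reason) so the reason can be written to an audit log.
    """
    if not account.active:
        return False, "account deactivated"
    if account.is_test:
        return False, "test accounts may not access live patient data"
    if account.role not in CLINICAL_ROLES:
        return False, f"role {account.role!r} has no clinical access"
    if record.care_team not in account.care_teams:
        # A doctor on another ward has a clinical role but no need to know this patient.
        return False, "user is not on the patient's care team"
    return True, "ok"


def deactivate_stale_accounts(accounts: List[Account], today: date,
                              max_idle_days: int = 90) -> List[str]:
    """Deactivate accounts unused for more than max_idle_days; return the affected ids.

    The 90-day threshold is an assumed policy value, not one taken from the guidance.
    """
    deactivated = []
    for acc in accounts:
        if not acc.active:
            continue
        idle = acc.last_login is None or (today - acc.last_login).days > max_idle_days
        if idle:
            acc.active = False
            deactivated.append(acc.user_id)
    return deactivated


def sample_accounts() -> Dict[str, Account]:
    """Constructed sample data for the demonstration (not real users)."""
    return {
        "dr_a":    Account("dr_a", "doctor", {"ward-3"}, last_login=date(2024, 5, 30)),
        "dr_b":    Account("dr_b", "doctor", {"ward-7"}, last_login=date(2024, 1, 15)),
        "nurse_c": Account("nurse_c", "nurse", {"ward-3"}, last_login=date(2024, 5, 28)),
        "admin_d": Account("admin_d", "admin", set(), last_login=date(2024, 5, 29)),
        "test_e":  Account("test_e", "doctor", {"ward-3", "ward-7"}, is_test=True,
                           last_login=date(2024, 5, 31)),
    }


if __name__ == "__main__":
    accounts = sample_accounts()
    record = PatientRecord("P001", care_team="ward-3")
    for uid, acc in accounts.items():
        print(uid, can_view_record(acc, record))
    print("deactivated:", deactivate_stale_accounts(list(accounts.values()), date(2024, 6, 1)))
```

Running the script shows only the ward-3 doctor and nurse being granted access to the ward-3 patient, the other-ward doctor, the administrator and the test profile each refused with a distinct reason, and the idle account switched off by the housekeeping pass. Returning the reason alongside the decision is deliberate: it gives the audit trail the ICO looks for when it asks why a given member of staff could see a given record.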
What areas should your organisation prioritise?
Given the length of time that has passed since GDPR was implemented, the ICO will expect organisations, particularly those that process special categories of data, to already be GDPR compliant. If you are concerned that your organisation has not properly considered the implications of GDPR and steps you may need to take, some questions to consider as a starting point are set out below:
- What personal data do you process?
- Is it stored securely? What security measures do you have in place to protect special categories of data?
- How long do you retain the personal data and are your destruction processes working?
- Are you confident that the personal data is accessible only by those who need to know it?
- Have you developed the policies and records of processing that are required by GDPR?
- Do you know how to deal with requests from data subjects and what the requirements are?
- Do you have a breach policy and procedure?
- Has GDPR knowledge and understanding been cascaded throughout your organisation?
- Have you considered whether your organisation requires a data protection officer and, if it does, has a data protection officer been appointed that meets the requirements of GDPR?
- Have you paid the data protection fee to the ICO?
Is there any guidance available?
The ICO has produced sector-specific GDPR guidance over the past couple of years, and its website is a great starting point for understanding the requirements that apply to the care sector. The ICO has provided a care sector specific toolkit with guidance on records management, training, outsourcing, records inventories, tracking and off-site storage, security and disposal of data and business continuity. It has also detailed some failings that it regularly finds when auditing organisations in the health and social care sector:
- Failure to check the name and address before posting information to patients;
- Failure to properly check enclosures that are being posted;
- Failure to track records that have been sent to third parties;
- Failure to keep physical records secure; and
- Failure to keep records secure when they are taken off site.
Some highlights of the advice provided by the ICO to deal with the above issues include:
- Decide who will be responsible for ensuring the location of records is known at all times;
- Ensure there is a formal records management training programme;
- Produce a comprehensive inventory or asset register showing where records are held, what they contain, in what format and what value they have for the organisation;
- Log the movement of records;
- Monitor return dates and complete compliance checks to make sure records are returned on time;
- Don’t wait until a problem happens to learn what to do – ensure all staff know how to deal with a missing record;
- Analyse incidents when records go missing and put in place steps to avoid the same situation in the future;
- Develop an index system for keeping track of what records you have and where they are; and
- Ensure you have security systems in place for both online and physical records as well as procedures around the removal of records from your premises.
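Several of the recommendations above (a records inventory, logging the movement of records, monitoring return dates and knowing at all times where a record is) can be kept in one simple register. The following is an added example written for this note, not an ICO tool or any supplier's software: it assumes a hypothetical register in which each physical record has a home location, every removal is logged with a due-back date, a record cannot be signed out twice, and an overdue report is produced from the open movements.

```python
"""Records inventory and movement log with overdue-return checks (illustrative, not an ICO tool)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Movement:
    record_id: str
    taken_by: str
    destination: str
    date_out: date
    due_back: date
    returned: Optional[date] = None      # None while the record is still off site


class RecordsRegister:
    def __init__(self) -> None:
        self.inventory: Dict[str, Dict[str, str]] = {}   # record_id -> description/format/home
        self.movements: List[Movement] = []              # append-only movement log

    def add_record(self, record_id: str, description: str, fmt: str, home: str) -> None:
        self.inventory[record_id] = {"description": description, "format": fmt, "home": home}

    def _open_movement(self, record_id: str) -> Optional[Movement]:
        """The unreturned movement for a record, if any (at most one by construction)."""
        for mv in self.movements:
            if mv.record_id == record_id and mv.returned is None:
                return mv
        return None

    def current_location(self, record_id: str) -> str:
        mv = self._open_movement(record_id)
        return mv.destination if mv else self.inventory[record_id]["home"]

    def check_out(self, record_id: str, taken_by: str, destination: str,
                  date_out: date, days_allowed: int = 14) -> Movement:
        """Log a removal. Refuses unknown records and records already signed out."""
        if record_id not in self.inventory:
            raise KeyError(f"{record_id} is not in the inventory")
        if self._open_movement(record_id) is not None:
            raise ValueError(f"{record_id} is already signed out")
        mv = Movement(record_id, taken_by, destination, date_out,
                      date_out + timedelta(days=days_allowed))
        self.movements.append(mv)
        return mv

    def check_in(self, record_id: str, date_in: date) -> None:
        mv = self._open_movement(record_id)
        if mv is None:
            raise ValueError(f"{record_id} is not signed out")
        mv.returned = date_in

    def overdue(self, today: date) -> List[Tuple[str, str, int]]:
        """(record_id, holder, days overdue) for every open movement past its due date."""
        return [(mv.record_id, mv.taken_by, (today - mv.due_back).days)
                for mv in self.movements
                if mv.returned is None and today > mv.due_back]


def sample_register() -> RecordsRegister:
    """Constructed sample data for the demonstration (not real records)."""
    reg = RecordsRegister()
    reg.add_record("R1", "Resident care plan", "paper", "Archive room B")
    reg.add_record("R2", "Medication chart", "paper", "Archive room B")
    reg.check_out("R1", "J. Smith", "Head office", date(2024, 5, 1))      # due 15 May, not back
    reg.check_out("R2", "A. Jones", "GP surgery", date(2024, 5, 10))
    reg.check_in("R2", date(2024, 5, 12))
    return reg


if __name__ == "__main__":
    reg = sample_register()
    today = date(2024, 5, 20)
    for rid in reg.inventory:
        print(rid, "is at", reg.current_location(rid))
    print("overdue:", reg.overdue(today))
```

The register answers the questions the ICO's recommendations pose: where a record is right now, who has it, and which removals have passed their return date and need chasing. Keeping the movement log append-only (returns are recorded against the existing entry rather than deleting it) preserves the audit trail needed when analysing a missing-record incident.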
The Data Security and Protection Toolkit (Toolkit)
The Toolkit is an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian’s 10 security standards. All organisations that have access to NHS patient data and systems are required to use the Toolkit. More information can be found online at https://www.dsptoolkit.nhs.uk/.
*All information is correct at the time of publishing