In the third in our GDPR for healthcare blog series, Karen Heaton of Data Protection for Business discusses how to ensure that you are processing data lawfully and the necessity to track the data subjects’ consent.
How many emails did you receive in the run up to 25th May this year about ‘opt-ins’ to receive marketing? I, for one, enjoyed a clear out of my junk mail. Now, only products and services I am actually interested in arrive in my Inbox. Not only that, but now organisations have to take my unsubscribe request seriously. This was clearly not the case in the past.
But were all these emails necessary? Well, that depends on the lawful basis you have for processing an individual’s data and also how you received an individual’s data.
So, to answer this question, you need first to understand a) your data and b) your lawful basis for using that data.
Understanding your data
This is the crux of data protection compliance. Without properly mapping out your data, you will struggle to be compliant with all aspects of data protection. Why? Because if you cannot answer these basic questions:
- What type of data do you have – personal data, or Special Category data (sensitive data, or data about children)?
- Where did you source the data?
- Who has access to that data?
- Which processing activities do you undertake on that data – sending marketing messages, sharing with third parties, analysing data for demographics or other profiling types of activities?
- What is your lawful basis for processing it?
- Which country is it stored in?
…then you may be asking for consent unnecessarily, or not asking for consent when you should be. As well as a raft of other non-compliant activities, by the way (and it’s a long list!).
In short, you are risking a breach of the core Principles of data protection which, as we learned in last week’s blog, attract: higher level fines; risk of prosecution; audits by the ICO and restriction of business activities. For medical practices, in particular, and client facing businesses in general, there is the potential for non-trivial reputational damage from any of these actions.
Lawful basis for processing data
Once you have itemised the personal data within your organisation, ask yourself which of the following lawful reasons apply to each of the processing activities undertaken on the data. If none of numbers 1-5 apply, then you must seek consent. Medical data and other Special Category data require explicit consent.
1. Performance of a contract entered into with the data subject
2. Legal Obligation which the Controller must comply with
3. Legitimate Interest of the Controller
4. Vital Interests of the data subject
5. Performance of a task carried out in the Public Interest
6. Consent – the organisation must be able to obtain, maintain and validate lawful consent received from the individual
A small business selling products has a database of around 3,000 contacts and wants to send those contacts a monthly newsletter with their new product information and special offers. Do they need to send all contacts an ‘opt-in’ to marketing email?
If the company can validate that all their contacts are or were customers or had previously asked for information on their products, and the company had an unsubscribe option in place, then probably not (as data was received from customer for either performance of contract, consent or legitimate interest). However, they must ensure that all new customers ‘opt-in’ to marketing emails and that the unsubscribe option is clear and easy to use.
If the company is not sure where some of its contacts came from, then those will require consent to receive marketing emails. In particular, if contact data were purchased from a third party, the third party has the duty to ensure that consent to sell or transfer their contact details was received from the data subject. If this cannot be confirmed, then consent to marketing is required.
Where consent is required to process data, your systems must be set up to track and manage that consent, preferably with a description of how consent was given (e.g. during customer registration process or during a consultation). That way, an audit trail of consent is maintained which will assist in demonstrating your organisation’s compliance with data protection, if questioned.
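As an added illustration (not part of the original post), the Python below models the consent register described above: every consent is recorded with how and when it was given or withdrawn, the audit trail per data subject can be produced on request, and the marketing decision for the small-business scenario in the preceding paragraphs is taken from the contact's source plus that record. The source labels, subject ids and sample contacts are constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Tuple

# Contact sources that carry an existing relationship (contract / legitimate interest).
# Labels are assumptions for this example; any other source needs evidenced consent.
EXISTING_RELATIONSHIP = {"customer", "product_enquiry"}

@dataclass
class Contact:
    subject_id: str
    email: str
    source: str

@dataclass
class ConsentEvent:
    """One auditable fact: consent given or withdrawn, how, and when."""
    subject_id: str
    purpose: str
    action: str      # "given" or "withdrawn"
    how: str         # e.g. "ticked box at customer registration"
    at: datetime

@dataclass
class ConsentRegister:
    events: List[ConsentEvent] = field(default_factory=list)

    def record(self, subject_id: str, purpose: str, action: str, how: str, at: datetime) -> None:
        if action not in ("given", "withdrawn"):
            raise ValueError("action must be 'given' or 'withdrawn'")
        self.events.append(ConsentEvent(subject_id, purpose, action, how, at))

    def latest(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        """Most recent consent event for this subject and purpose, if any."""
        relevant = [e for e in self.events if e.subject_id == subject_id and e.purpose == purpose]
        return max(relevant, key=lambda e: e.at) if relevant else None

    def audit_trail(self, subject_id: str) -> List[ConsentEvent]:
        """Chronological history to evidence how consent was obtained or withdrawn."""
        return sorted((e for e in self.events if e.subject_id == subject_id), key=lambda e: e.at)

def marketing_permitted(contact: Contact, register: ConsentRegister,
                        unsubscribe_offered: bool) -> Tuple[bool, str]:
    """Decide whether a marketing newsletter may go to this contact, and on what basis."""
    latest = register.latest(contact.subject_id, "marketing")
    if latest is not None and latest.action == "withdrawn":
        return False, f"consent withdrawn ({latest.how})"   # an unsubscribe must be honoured
    if latest is not None:
        return True, f"consent ({latest.how})"
    if contact.source in EXISTING_RELATIONSHIP:
        if not unsubscribe_offered:
            return False, "existing customer, but no unsubscribe option offered"
        return True, "existing customer relationship (contract / legitimate interest)"
    return False, f"source '{contact.source}': opt-in consent required"

def build_sample() -> Tuple[List[Contact], ConsentRegister]:
    """Constructed sample data (not real contacts) covering the post's scenarios."""
    contacts = [
        Contact("s1", "alice@example.com", "customer"),        # bought from us, no consent record
        Contact("s2", "bob@example.com", "purchased_list"),    # bought-in list, no consent evidence
        Contact("s3", "carol@example.com", "purchased_list"),  # bought-in list, later opted in
        Contact("s4", "dave@example.com", "customer"),         # customer who later unsubscribed
    ]
    reg = ConsentRegister()
    reg.record("s3", "marketing", "given", "ticked marketing box on web form", datetime(2018, 6, 1))
    reg.record("s4", "marketing", "given", "ticked box at customer registration", datetime(2018, 5, 20))
    reg.record("s4", "marketing", "withdrawn", "clicked unsubscribe link", datetime(2018, 7, 2))
    return contacts, reg

def sample_decisions(unsubscribe_offered: bool = True) -> dict:
    """Marketing decision and stated basis for every sample contact."""
    contacts, reg = build_sample()
    return {c.email: marketing_permitted(c, reg, unsubscribe_offered) for c in contacts}
```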
In the ICO quarterly statistics from Q1 2018, out of 23 industry sectors, the Health sector had the highest numbers of data breaches for any sector – 677 out of a total 3146 reported incidents – 22% of the total.
Medical data is a Special Category of data, and therefore a higher standard for processing and seeking consent applies. Individuals are much more aware and inquisitive about how their medical information is used.
=> You must understand all your responsibilities as a Data Controller. For Controllers processing Special Category data, your operational risk is increased. Regular internal reviews of procedures and compliance audits are highly recommended.
See you next week!
Karen Heaton, CIPP/E, CIPM
Certified Information Privacy Professional
Data Protection 4 Business Limited
Previous blogs in this series:
GDPR for Healthcare – an introduction
Data Protection Operational Risks and Penalties
Earlier in the year our blog outlined some changes to expect in the EU General Data Protection Regulation (GDPR) which came into force on 26th May 2018.
What else happened? Well, on the same day, the UK introduced the UK Data Protection Act 2018 (DPA), which replaced the previous Data Protection Act 1998, and you will be reassured to know that the core of the EU GDPR remains within our new 2018 Act (together with other UK specific provisions).
But have you done everything to ensure that you are compliant with the new data protection regulations? Here at Designated Medical, we aim to support you in all areas of your administration, so we’re delighted to introduce a new series of guest blogs from Karen Heaton, founder of Data Protection 4 Business, to guide you through the recent changes and what these mean in pragmatic terms, for your organisation or private medical practice.
GDPR and data protection for healthcare – Karen Heaton, Data Protection 4 Business
Sitting comfortably? Good. Then let’s begin.
- Increased penalties
2 – 4% of global annual turnover, cessation of processing or, in severe cases, instigation of criminal proceedings. But you knew that already, right? We will take a look at the key risks which may give rise to high penalties.
- Consent
Additional conditions for obtaining and maintaining consent are now law. We all received sackfuls of emails from companies requesting our permission to remain on their marketing distribution list in the first half of 2018. But was this necessary? Well, that depends on your organisation and what data processing you undertake. We will look at examples of where consent is obviously required and where possibly not.
- Data Breach notifications
In certain instances, the relevant authority must be informed (in the UK, this is the Information Commissioner’s Office (ICO)), and within 72 hours of becoming aware. But what exactly constitutes a data breach that must be reported? Whose responsibility is it to report it? We will look at examples of breaches and discuss how to assess them.
- Right to access (SAR)
Data subjects can request a free copy of the personal data relating to them that your practice or organisation holds. For private medical practices, how does this compare with the Access to Medical Records Act 1988? For other organisations, what can or can’t I disclose? We will look at examples for both of these.
- Demonstrating compliance
There is now a requirement to be able to demonstrate how your organisation or practice is compliant with GDPR and the DPA. This sounds simple, but what does it really mean? If ever audited or investigated, what would you show them? We will look at essential examples of what you should have in place to meet this requirement.
- Data Protection Officers (DPO)
Are you legally required to have a DPO? Probably not, unless you regularly and systematically monitor data subjects on a large scale. Or you are a local authority. But you do still need someone in your practice or organisation who is responsible for ensuring your business is compliant with GDPR and DPA. We will look at the various activities and tasks your nominated person needs to take care of.
- No-deal Brexit?
We are tracking the implications of No Deal on the Brexit negotiations and will round off 2018 with our best guidance on how you may need to prepare for this, still unlikely, scenario.
Today’s fact: The ICO reported that there was a 31% increase in the number of Cyber security incidents reported in Jan – Mar 2018 compared to previous year. => Make sure your internet security is up to date!
See you next week!
Karen Heaton, CIPP/E, CIPM
Certified Information Privacy Professional
Data Protection 4 Business Limited
Further blogs in the series:
Data Protection Operational Risks and Penalties
This year has seen some significant IT security breaches in both the public and private sectors. From the WannaCry ransomware attack on the NHS to smaller, but no less distressing, attacks on private medical practices, these stories have received heavy media coverage. As a result, it’s likely that public awareness of these kinds of cyber attacks has increased and that patients will quite rightly expect clinics to have effective IT security systems in place to protect their data. This week, we’ll be taking a look at why hackers target medical information, and what practitioners should be doing to make sure their practices are safe.
Why is personal medical data so valuable?
Hackers target healthcare organisations for a number of reasons. For a start, large healthcare organisations – such as the NHS – are considered an easy target due to the sheer number of email accounts associated with them. In addition to this, the type of personal information held by these companies and organisations can be used to demand a hefty ransom. Earlier this year hackers stole over 25,000 photographs, and other personal information such as passport scans and National Insurance numbers, from the database of a Lithuanian cosmetic surgery clinic. The ransom demanded was up to €2,000 (in bitcoin). This information can also command a high price on the black market. “On the black market, medical record information can cost up to 50 times more than credit card information,” says David Schluter, Managing Director at Fluid IT. “Unlike credit card information, it can’t be changed easily and can be key in staging ID fraud,” he continues. “It can be used in a broad range of fraud; fake insurance claims, financial fraud, and cyber criminals can even use it to purchase drugs online and then sell these on the black market.”
How can practices improve IT security?
There are many things practices can do to improve IT and data security, and education is a huge part of this.
“Medical practice staff need to really understand the value of this kind of data,” says Schluter. “It’s important to take data security very seriously as the risks can be enormous, but there are many excellent resources available to help managers support and educate their staff.” There are frameworks and toolkits available through online sources such as the ICO, or Cyber Essentials, all of which can guide the development of company policies and training. These resources can also help prepare staff for the enforcement of new data protection regulations next May (the EU’s General Data Protection Regulation).
In addition to this, there are other ways to improve IT security:
- Communicate regularly with staff regarding potential threats. For example, discuss how to spot suspicious links from unknown sources, explain the impact an attack could have on the practice, and emphasise staff obligations in relation to company equipment.
- Take out cyber liability insurance, which provides cover for various scenarios: mandatory data breach notifications, investigating an incident, notifying data subjects, legal costs and regulatory fines.
- Work together with law enforcement agencies. This will help to disrupt hackers’ plans, and sharing threats and vulnerabilities means that others can benefit from this information.
- Encrypt emails and documentation containing personal information. “Devices should also be encrypted,” offers Schluter. “This offers an additional layer of protection, and makes it much harder for criminals to steal information. However, an encryption expert should be consulted before a practice implements this to ensure it has been designed in a way that suits the business.”
Beyond cyber crime
Cyber criminals are becoming more effective and more organised, so it’s a good idea to think beyond the capabilities of your IT systems to combat the threat. An all-inclusive approach to IT security is required. Secure systems need to be backed up with policies and procedures, so staff know what their responsibilities are in terms of data protection and security.
The risk of security breaches does not only come from cyber criminals, as a prestigious US cosmetic clinic found out earlier this year. A member of staff stole as many as 15,000 medical records, including medical photographs. Whilst the team member’s actions are now the subject of a police investigation and it is not clear what became of the information, this case goes to prove that data safety is not just a matter of having the most up-to-date antivirus software in place.
Cyberattacks are unfortunately not preventable, and it is sadly a threat that all companies – not just those in the healthcare sector – face. They can affect thousands of people (this year’s major WannaCry attack impacted around a quarter of a million computers across the globe) and can disrupt vital services. It’s crucial for anybody working in the healthcare sector to recognise this danger, and working in line with their organisation’s IT policies can help to minimise the risk of being hacked.
The life of a medical receptionist can be very demanding. Being the first point of contact means often having to deal with patients who are stressed and emotional about their health. Patients are of course well within their rights to feel this way, but this does mean that receptionists have to sometimes deal with tough situations.
There is a perception that the medical receptionist is the only untrained staff member at a surgery, but this could not be more wrong. Clerical staff will often have years of experience behind them, and the training available for medical administration staff is comprehensive and accredited. The British Society of Medical Secretaries and Administrators (BSMSA) has courses on dealing with difficult situations and customer care, and there are of course the nationally-recognised AMSPAR qualifications.
Medical receptionists provide more than just an appointment booking service, and the role is now set to evolve even more.
The medical receptionist as a care navigator
NHS England has recently set aside funding for the development of practice staff. This funding is to be used by practices in the training of their reception and clerical staff, and will support a new aspect to the receptionist role – that of “care navigator”.
The £45 million fund is being allocated over a period of 5 years until 2021. This is to be used to support training reception staff in the area of “active signposting”. This new scheme, whereby patients will be screened by the practice receptionist, will help to direct patients to the most appropriate source of care. This could be through the use of web or app-based portals, self-management, or by signposting to the most relevant healthcare professional.
The care navigator approach is expected to ease demand for GP consultations by 5 percent. It will also help receptionists develop their skills so they can be confident in their assessment of a patient’s needs.
Some surgeries are already finding that implementing this “triage” stage into the appointment booking process is helping to direct people to the most appropriate facility and, as a result, is easing pressure on GP appointment waiting times. In a West Yorkshire group covering around 65,000 people, one scheme found that 930 hours of GPs’ time were saved by this initiative. However, this new approach will not be without its challenges. A recent Cancer Research survey found that 40% of people dislike having to describe their symptoms to a GP receptionist in order to get an appointment. But this is often simply part of practice policy. “Receptionists are told to follow the instructions of the GP, and are not being nosey,” says Joanne Packwood, a Designated Medical Secretary. “They are asked to triage patients so they can figure out where to fit them in, usually in what is an already overbooked clinic.”
Some work needs to be done, therefore, to overcome this challenge.
Can it work in private health?
Private practices will not be under the same pressures experienced by NHS GPs. However, this does not mean that the idea can’t be successfully implemented in a private medical space. Some practices may even use similar systems already, but others may want to think about a similar training scheme before staff take on these additional responsibilities. “I think that training for this in the private sector would be helpful,” says Monique Van Der Berg, a Designated Medical Secretary. “Depending on the job role, it may be very useful – some staff members may not have had this responsibility before.”
If, as expected, this results in making a practice more efficient then it is a great time-saving exercise for all involved. The patient may need urgent care, in which case they can be directed to another appropriate facility, or they may need simple treatment that can be provided by a pharmacist.
Can anything else be done?
Despite all the training mentioned above, there will still be scenarios that are less than ideal. Conversations between medical receptionists and patients may be overheard in waiting rooms, and some staff may deal with situations in a less than sensitive manner. To deal with these challenges, managers need to evaluate performance to ensure that staff actively use their training, and perhaps even reconsider practice procedures in relation to screening patients. For example, telephone screenings could take place away from waiting room areas to avoid conversations being overheard.
Another issue for NHS practices is that the funding made available through the NHS England scheme does not cover all the skills needed to provide a good service. Customer service, safeguarding and information governance training is not covered under the scheme, so practices need to find funding for this elsewhere. In an area of healthcare that is already under pressure, this may be difficult for practice managers.
Whether in the private or public sector, the patient’s needs should be the first concern of any team member. “The medical receptionist or secretary should always be polite and calm, but assertive,” says Joanne Packwood. “They should also feedback what the patient is telling them so they feel understood and reassured.” In addition to this, team members need to have a good knowledge of the specialty they are working in. “If the patient knows that the secretary knows what they’re talking about and understands what the patient is going through, this will reassure them appropriately,” offers Monique Van Der Berg.
Above all, there is the need for the sensitivity and confidentiality that all patients rightly expect from any healthcare provider and facility. Patients need to be confident that their care is being dealt with efficiently and by a team member who is appropriately trained and dedicated to their role.
UPDATED OCTOBER/NOVEMBER 2018
We are currently publishing an up-to-date series of blogs related to GDPR, data protection and private medical practices, written by Karen Heaton of Data Protection 4 Business. Click here to start the series: GDPR for Healthcare – Introduction
UPDATED: JUNE 2018 – This blog was originally published in November 2017 in order to help private medical practices prepare for the implementation of the new General Data Protection Regulation (GDPR).
Whilst the deadline for compliance with the GDPR officially passed on 25th May, it is not too late to ensure that you have implemented the correct procedures in order to protect your patients and employees’ data.
Please read the blog for more information and useful links.
Next May sees the implementation of a new piece of EU regulation – the General Data Protection Regulation (GDPR).
Any business, including private medical practices, should be working in accordance with the Data Protection Act 1998 where any personal data is used or collected. There are similarities between the GDPR and the DPA, but this new regulation has some additional requirements that will need to be addressed. So, what are these requirements and what does your practice need to do to ensure you’re ready for May 2018?
New requirements for data controllers and processors
This new data regulation is applicable to data controllers and data processors. In the context of a private medical practice, a data controller could be the principal consultant and the data processor could be the practice manager, medical secretary, IT consultant, or anyone who acts on the processor’s behalf.
Data processed within a medical environment will include names, addresses, email addresses and medical information. For self-pay patients, bank details will also need to be processed in line with the regulations. Medical photography will also be considered personal data, as will any social media interactions you may have with patients (although any communications made in this way will also be subject to additional guidance set out by the GMC).
Although the main principles of the new regulations are still the same as those set out in the previous directive, some of the key changes are:
- Penalties – Breaches of the GDPR can result in a fine of up to €20 million or 4% of annual turnover, whichever is the larger amount. This amount is in relation to the most serious violations. A company can also be fined up to 2% for less serious breaches.
- Consent – Terms and conditions relating to consent need to be accessible and clear, using plain language. Companies can no longer use lengthy and illegible terms and conditions, and must make it easy for subjects and clients to withdraw their consent.
- Breach notifications – The relevant regulatory authority will need to be notified of any breaches within 72 hours of the data processors and controllers becoming aware of the breach. This is a mandatory step where a breach is likely to put at risk the “rights and freedoms of individuals”.
- Right to access – Data subjects (patients, in the case of private medical practices) have the right to request and obtain from the data controller information relating to whether or not their data has been processed and for what purpose. The controller is obliged to provide a free electronic copy of any personal data being held.
- Data portability – This relates to a subject or patient’s right to request and receive their data, and the right to transfer that data to another company.
- Data protection officers – The new regulation requires a DPO to be appointed only in situations where the company’s activities include the “regular and systematic monitoring of data subjects on a large scale”, or if the company is a public authority.
More information on all changes and requirements, including the full criteria for DPO appointments, can be found HERE.
What about Brexit – do I still need to prepare for the GDPR?
The GDPR applies to all companies located within the EU that process and hold personal data. Companies located outside of the EU will also need to comply with the regulation if they provide services to people residing in the EU. In the international arena of private healthcare, there is a strong likelihood that services will be offered to EU residents. As a result, it would be sensible for practices to ensure they are working within the regulatory framework of the GDPR, so they are compliant even after the UK leaves the EU.
How do I assess my practice for compliance?
For business managers or principal consultants who are unsure how compliant their practices are, the ICO has a useful self-assessment toolkit.
What happens if my practice does not comply?
The GDPR came into effect last year, but will be enforced in May 2018. Non-compliance could result in a fine of up to 4%, so it is crucial to take a look at your data management policies and procedures to ensure that you comply with the regulations.
Data protection at Designated Medical
Designated Group, including Designated Medical, is committed to protecting clients’ privacy and conducts all work in line with the Data Protection Act 1998. We work closely with clients to ensure that data protection laws are adhered to, and all data is stored securely and is encrypted when necessary.
For more information on our services please call 020 7952 1008, or visit our website at designatedmedical.com.