GDPR for Healthcare Professionals

This is the first instalment of our series of blogs on the effects of the GDPR on healthcare professionals, and how healthcare organisations can best prepare to ensure compliance.

The EU General Data Protection Regulation (GDPR) is a new law governing how personal data is used. It comes into place on 25 May 2018, replacing the Data Protection Act 1998 (DPA).

It is regarded as one of the most important changes in data protection and privacy regulation in 20 years, and will affect healthcare organisations of all sizes; from NHS trusts to sole practitioners.

Although the principles of data protection remain similar to the DPA, the GDPR creates new rights for data subjects (see examples of data subjects below), allows for stronger enforcement and introduces a principle of ‘accountability’, meaning that organisations must be able to clearly demonstrate compliance.

The healthcare sector deals with an overwhelming amount of personal data, as organisations such as opticians, dental practices, domiciliary care services, nursing homes and GPs all hold data relating to patients (some of whom may be vulnerable), their families, carers and staff members.

Dealing with such a volume of data means that the number of breaches in the healthcare sector is very high – between January 2014 and December 2016, healthcare organisations accounted for 43% of all reported incidents.

Alarmingly, the number of healthcare data breaches rose by 11% in the first quarter of 2017, with the following being the three main types of breach:

  • Loss or theft of paperwork;
  • data being sent to the wrong person by email; and
  • data being posted or faxed to an incorrect person.

Breaches such as these will be enforced against more strongly under the GDPR, meaning that full compliance is of the utmost necessity for healthcare organisations.

The maximum fine for non-compliance has increased, rising from €500,000 to €20,000,000 (about £18 million). The GDPR will also introduce a duty on all organisations to report breaches to the Information Commissioner’s Office (ICO) within 72 hours, and in some cases to the individuals affected by the breach.

‘Sensitive Personal Data’ will be subject to greater protections than other forms of personal data. There are three types of such data as defined in the GDPR and which are particularly relevant to healthcare organisations. They are:

  • Data concerning health;
  • Genetic data; and
  • Biometric data.

The data subject must give “explicit consent” to the processing of such Sensitive Personal Data, which may prove difficult in the case of children or vulnerable patients.

The GDPR states that organisations that deal with such sensitive personal data will need to appoint a Data Protection Officer (DPO).

The DPO will monitor compliance with the GDPR, inform and advise the organisation and its employees about their obligations to comply with GDPR and answer any data protection queries employees or patients may have.

We will be publishing a series of blogs on the GDPR aimed at healthcare professionals, focusing on specific areas of the GDPR that are likely to have the greatest impact. Please look out for them and diarise the following dates:

  • 15th October – Data Subject Rights;
  • 30th October – Data Protection Officers;
  • 15th November – Sensitive Personal Data;
  • 30th November – Fair Processing Information; and
  • 15th December – Action Plan for Compliance.

If you would like to discuss any of the points raised in this blog, or would like to speak to a specialist solicitor in our healthcare team, then contact us on 0161 926 9969.