GDPR IN THE HEALTH AND SOCIAL CARE SECTOR
If you live or work in the EU (including the UK), GDPR will affect you and your employer, becoming law on 25th May 2018.
GDPR is new EU legislation that will replace the Data Protection Act on the 25th May 2018. GDPR stands for ‘General Data Protection Regulation’. There are two key reasons why GDPR is being introduced – to bring all EU member states under one common regulation, and to update regulations to reflect our new digital age.
Different countries in the EU have previously followed different rules and regulations when it comes to data sharing and privacy, which can get quite confusing when data is being shared between people and companies in different countries. GDPR will be enforced across all 28 EU member states, meaning everyone is following the same rules.
In the UK, companies have followed the 1998 Data Protection Act to ensure the safety of people’s data. But technology and data sharing has developed a lot since 1998. This means that the current regulation may not be entirely suitable for the needs of consumers and the types of technology we’re seeing today. GDPR will replace the Data Protection Act to better protect data from breaches and hacks.
The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an ‘identifier’.
The GDPR applies to both automated personal data and to manual filing systems where personal data is accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.
Examples of personal data include but are not limited to:
- Personal preferences
- Address or Location Data
- NHS/CHI Number
- Contact Details
‘Processing data’ is a phrase that appears regularly across the GDPR. Processing data includes but is not limited to reading, storing and entering types of data.
In addition, personal data that has been pseudonymised – eg key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
Essentially, GDPR will affect everyone in all 28 EU member states, from businesses big and small, to customers and consumers. This includes ALL care providers that process personally identifiable data.
1. The scale of fines and risk of follow-on private claims under GDPR means that actual compliance is a must. GDPR is not only a legal and compliance challenge – it is much broader than that, requiring organisations to transform the way that they collect, process, securely store, share and securely wipe personal data. Engagement of senior management and forming the right team is key to successful GDPR readiness.
2. Organisations will need to map current data collection and use, carry out a gap analysis of their current compliance against GDPR and then create and implement a remediation plan, prioritising high risk areas.
3. GDPR will require suppliers and customers to review supply chains and current contracts. Contracts may need to be renegotiated to ensure GDPR compliance and commercial terms will inevitably have to be revisited in many cases given the increased costs of compliance and higher risks of non-compliance.
4. Insurance arrangements will need to be reviewed and cyber and data protection exposure added to existing policies or purchased as stand-alone policies where possible. The terms of policies will require careful review as there is wide variation among wordings and many policies may not be suitable for the types of losses which may occur under GDPR.
Rights of Individuals
Under GDPR, individuals will have increased rights, including the following:
The right to be informed – you must let people know why you are processing their data, and provide a privacy notice that informs them and gives transparency over how you use personal data.
The right of access – you must confirm to individuals that their data is being processed and give them access to their personal information.
The right of rectification – you must allow people’s information to be amended if it is inaccurate or incomplete.
The right to be forgotten – the right to erasure is also known as ‘the right to be forgotten’. This right enables an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
GDPR requires that “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
The data you process must be:
- Obtained lawfully, fairly and transparently
- For a specified and legitimate purpose
- Adequate, relevant and necessary in line with stated purpose
- Processed and kept securely in an appropriate way for the type of data being held
- Accurate and up-to-date, only kept for as long as necessary
Data Controllers and Data Processors can both be held accountable, so you will need to:
- Follow comprehensive but proportionate governance measures
- Make use of good practice tools outlined by the Information Commissioner’s Office (ICO), such as privacy impact assessments
- Minimise the risk of breaches
GDPR contains the below principles and requires that personal data shall be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals.
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Accurate and, where necessary, kept up-to-date. Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, is erased or rectified without delay.
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The Information Commissioner’s Office (ICO) guidance note states that you must:
- Implement appropriate technical and organisational measures that ensure and demonstrate that you comply. This may include internal data protection policies such as staff training, internal audits and processing activities, and reviews of internal HR policies.
- Maintain relevant documentation on processing activities.
You will need to ensure that personal information is:
1. Processed fairly, lawfully, and in a transparent manner
2. Collected for specified, limited purposes
3. Adequate, relevant and limited to what is necessary
4. Accurate and kept up-to-date
5. Kept in a form which permits identification for as long as necessary and no longer
6. Processed in a manner that ensures appropriate security
There are significant penalties for those who don’t comply, including a fine of up to €20 million or 4% of the company’s total profit. Any data breach also needs to be reported to the relevant authorities within 72 hours, and if there is a risk to the data subjects (i.e. the people the data concerns) you will have to inform your customers too.
You can get GDPR-certified, but you don’t need to: GDPR compliance is self-certified. The GDPR expressly recognises ‘external certifications’ as acceptable mechanisms for demonstrating compliance; however, it does not mandate any.
As a care provider, you will likely have data stored across many different mediums.
To be GDPR compliant you must have a documented reason for holding personal data, and an explanation as to why it is stored in each format. You must consider where your data is held:
Paper Records
You must ensure all your paper records are documented and accounted for, including but not limited to care plans, daily records, charts, staff information and third-party contact details.
Standard or Software Encrypted USB Sticks and Hard Drives
Under GDPR, standard or even software-encrypted USB drives will not be compliant.
A regular USB drive retains all data that you store on it, never removing anything until the space is actually needed. Files are not truly deleted when you delete a file or empty the recycle bin, and not even when you quick-format a regular USB drive; in many cases the data may still be recoverable. This leaves the standard USB drive holding not only traces of what has been stored on it but, in many cases, full copies. A software-encrypted USB drive is also not compliant, as the encryption can often be removed.
Hardware-encrypted USB sticks and hard drives do offer compliance, as they have crypto processors built into the devices.
Printing from a computer system
If you print records or care plans from a digital platform you will then have two copies. Both of these copies will need to be documented and evidence provided as to how they are processed.
Storing your documents with a cloud storage provider or a Digital Care System such as StoriiCare that uses cloud storage is a good way to become GDPR compliant. Check with your cloud provider to view their GDPR compliance documentation.
We recommend getting independent legal advice to support your preparations, but if you have not already started, a good place to begin is to:
- Ask questions of your software provider(s) to obtain GDPR compliance evidence
- Document what data you are holding on whom and why
- Understand and define why you hold this data
- Complete Data Privacy Impact Assessments (DPIAs) - templates can be found online; StoriiCare clients will be provided with DPIAs
- Define an Escalation and notification policy
- Define your Digital Strategy
- Appoint an individual responsible for data protection (data officer)
- Identify potential data breach risks and how to mitigate them
- Educate and train staff on data protection and handling. Raise overall awareness of GDPR in your organisation. If you are yet to start, start now!
StoriiCare gives you a quicker and easier route to becoming compliant with GDPR.
StoriiCare meets all the data processing requirements under GDPR. Alongside many governments and the likes of Adobe, Airbnb and Netflix, we use Amazon Web Services (AWS), the largest cloud provider on the planet, to host our client data. We will provide all our clients with our GDPR documentation, and this can be used alongside your own documentation to evidence compliance.
Using StoriiCare gives you the peace of mind and knowledge that your information is secure and quickly accessible when needed, but only accessible to authorised individuals.
As a company you will still be responsible for ensuring your own compliance, but if your data is managed by a third party such as StoriiCare, you can ask the third party to document how they manage GDPR compliance.
View some of the companies that also use AWS for cloud storage - https://aws.amazon.com/solutions/case-studies/all/
Read more on cloud computing and AWS here - https://aws.amazon.com/health/?nc1=f_dr
View the AWS GDPR Help centre - https://aws.amazon.com/compliance/gdpr-center/
Other sources of support:
- The ICO
- Your assigned Data Protection Officer
- Independent GDPR consultants
- Legal advice
- Business insurance
ICO guidance, ‘Preparing for the GDPR: 12 steps to take now’ - https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf