The Data Protection Act is an integral part of the cyber domain and legislation for anyone working in health and social care. It governs how to protect the information in health and social care. This blog post will explore the implications of the act on healthcare professionals, patients and other individuals who may have dealings with you as an organisation or individual providing care to others and the importance of protecting sensitive data in health and social care.
This article provides information that can help you comply with data protection law when storing personal information about people in your role as a health or social care professional.
Importance of data protection in health and social care
Data protection is essential because it helps people feel confident that their information will be used in a way they would expect. It allows them to control how others use the personal data they share with them. It also enables people who hold their sensitive data (e.g. GPs, social workers) to understand what they can do with it and how they can store it.
If people don’t feel confident that their data is being kept securely, this could harm the trust in sharing information with healthcare professionals who need to access it for them or others (e.g. carers). It also makes it more difficult for health and social workers to gain the trust of the people they work with.
If healthcare professionals do not protect the sensitive data in their care, this could lead to fines and penalties for them or even criminal charges if it is deemed that there was willful negligence in protecting people’s personal information. This can result in losing employment, loss of earnings and having a damaging impact on your reputation in the field.
Common data protection issues in healthcare
There are several problems in the health and social care sectors when it comes to data security; some of them are listed below:
1. Not being aware of how to store data properly
2. Making a mistake in storing the information could have been avoided if it was better known what is expected by law.
3. Losing documents containing sensitive data about people, whether this be on your computer
4. Inappropriate disclosure of personal data
5. Misdirected emails resulting in loss or exposure of sensitive information
6. Unauthorised storage and access to patient records
Data protection healthcare is essential for all individuals dealing with you as an organisation. This includes patients, carers, family members, other health professionals involved in their care, employers/employees etc.
As discussed in our security threats in the healthcare industry, here is a quick watch:
Should you need a deep dive into technical security risks in the healthcare industry, and best security practices, then read this article:
Data protection act 1998 and 2018 in social care and health
When storing information, it is essential to understand what you can and cannot do with patients’ data. The Data Protection Act places a duty of care on those who handle sensitive personal data in the UK (e.g. healthcare professionals and social workers). You must keep this data secure and safe from any unauthorised access or use, as well as keep records of how and with whom the information is shared.
Duties under the data protection act 1998 and 2018 in health and social care
Under the DPA, healthcare professionals have several duties in relation to the protection of data. This includes:
1. Records and documentation must be kept up to date with what you do with patients’ information.
2. Ensuring that any paper files containing personal data are kept locked or secure at all times.
3. Ensuring electronic records, e.g. patient medical history, is also protected from unauthorised access.
4. Ensuring that all staff is aware of the importance of keeping sensitive information secure and only sharing it with people who have a right to see or use that data.
5. Ensuring that personal data is disposed of using the correct procedures when no longer needed.
6. Ensuring that data is only used for its intended purpose.
7. Ensuring you keep up to date with the latest data legislation.
8. Ensuring that any staff who deal directly with patients are trained.
9. Ensuring staff are trained in identifying the signs of data breaches within your organisation.
10. Ensuring that any suspected data breach is reported immediately to the Information Commissioner’s Office (ICO).
Note that if you (and your organisation) work with individuals and their personal information outside of the UK, then other data protection laws apply. This includes any transfer or storage of this data overseas which must be done in accordance with the current Data Protection Act 2018 as well as other relevant legislation such as GDPR (General Data Protection Regulation) and e-privacy directive.
General Data Protection Regulation (GDPR) vs DPA
GDPR is the new legislation regarding the protection of data that replaced DPA in 2018. The principles of the Data Protection Act & GDPR are clear in protecting individuals’ privacy rights.
It is now the most important legislation for those in health and social care as it sets out how data must be handled with patients’ information.
GDPR regulates how organisations can use personal information about individuals, including sensitive data such as medical records. With regards to health and social care, there are some key differences between GDPR and DPA:
1. One of the biggest changes under GDPR is that consent must be explicit for data processing. This means that you should only request the information required to provide a service and not ask patients/clients for more than what is necessary.
2. The DPO is now mandatory under GDPR based on the data processing at scale, public authority or body. All organisations must appoint a DPO if they regularly process sensitive data or carry out large-scale systematic monitoring of individuals (e.g. CCTV).
3. Under GDPR, people have increased rights surrounding their data, including access to records of what has been shared with whom; erasure (Right to be forgotten); right to data portability and right to object (e.g. not to be profiled).
4. Under GDPR, you must report any data breach within 72 hours of its discovery – this can include one person’s PII being sent to the wrong recipient or a loss of physical files containing sensitive information such as medical records.
5. Under DPA, you can only keep patient records (paper or electronic) if they are required to provide a service; under GDPR, this has been extended, and you can no longer keep patient records if they are not necessary for the delivery of your service.
6. Under GDPR, you may need to appoint someone internally or externally responsible for ensuring data protection compliance within your organisation if this does not already fall under the remit of another role (e.g. Data Protection Officer).
It is important to note that any other legislation could replace GDPR once it ends in May 2022. This means data protection rules and regulations will change, which is why staying up-to-date with the latest information regarding this legislation is essential for those working within health and social care.
GDPR compliance checklist
The following questions help health, and social care organisations understand whether they meet the GDPR requirements.
1. Do your company has a Data Protection Officer? (This role is mandatory under GDPR)
2. Do you have a process to review the data collected?
4. Are patients aware of how their information will be used and why it is needed?
5. Is there an appropriate retention period for any data being collected?
6. Have you had any data breaches in the last 18 months? If so, have these been reported to the ICO within 72 hours of discovery as required by GDPR.
The above questions are designed to help organisations understand whether they meet the requirements of GDPR and continue providing care for their patients/clients.
Data protection by design and by default and DPIA
Data protection by default and data protection by design are vital concepts under GDPR that aim to ensure you must collect the minimum information required for your service.
Data protection by design
This is where organisations apply data minimisation techniques when designing systems, services or products. Organisations must justify why they need personal information and why processing that data is necessary for their service.
Data protection by default
This means privacy settings should be set to a minimum by default, and it should not be possible for an individual’s privacy preferences to be changed easily (e.g. automatically opting people in or out of marketing lists). Controls make it easy for people to understand how their data is being used and give them the option of not using a service if they choose.
Data Protection Impact Assessment (DPIA)
DPIA is a tool that organisations can use to identify the data protection risks of any new service, process or product. The DPIA must be carried out before starting work on a project with an impact on privacy rights/freedoms.
What to do if there are signs of a data breach within your organisation?
If there are any signs of a data breach within your organisation, it is vital to act as soon as possible. Here’s what you should do:
1. If the suspected or apparent personal data breach involves more than one member of staff, then notify the DPO immediately and ensure they record all evidence.
2. If the suspected or apparent personal data breach involves only one staff member, then notify your organisation’s DPO. All organisations need a process to help you do this quickly and easily, for example, by using an online form. The ICO guides what constitutes ‘large scale’ processing, which would require a DPO; you can find this guidance here.
3. You should also inform the ICO as soon as possible. However, it is advisable to notify them within 24 hours of becoming aware of a suspected data breach so they can investigate further if necessary.
What happens after I have reported my organisation’s potential data breach?
The ICO will contact you again if they need additional information regarding a data breach. If there is sufficient evidence, the ICO may want to assess your organisation’s security measures and practices as part of their investigation. It is essential to remember that under GDPR, organisations have a legal duty to report personal data breaches, so failure to do so could result in a fine.
Suppose you do not comply with the ICO’s request for information. In that case, they may apply to a court for an order that requires you to provide it within a specific period or face prosecution and a financial penalty of up to €20 million or four per cent of your organisation’s annual global turnover (whichever is greater).
Health and social care is an ever-changing sector, requiring data protection to change alongside it. This blog post has provided a summary of the changes required in health and social care under GDPR to ensure that your organisation is prepared for the new regulation.
According to the data protection act, this blog post has provided detailed guidance on storing information in health and social care. It’s essential for those working within this sector to stay up-to-date with the latest news about GDPR; otherwise, they could face legal action.
Shahrukh, is a passionate cyber security analyst and researcher who loves to write technical blogs on different cyber security topics. He holds a Masters degree in Information Security, an OSCP and has a strong technical skillset in offensive security.