Get In Gear – Data Protection


General Data Protection Regulation

No doubt you will have heard much discussion about the General Data Protection Regulation (“GDPR”) by now. It will come into immediate force in Irish law on 25 May 2018 and this has been well sign-posted and flagged for some time.

The GDPR imposes greater obligations on organisations which collect and process personal data and this includes GP practices of all sizes.

The GDPR has serious implications for you and your practice and you need to be fully up to speed with it. This article will give you an overview of what the GDPR is about and what it means for your practice. It will also set out a detailed road-map for your preparations, to get you on the way to compliance.

Preparing for the GDPR must be a key priority for your practice over the coming months. This is an opportunity for your practice to streamline procedures, with potential time and cost efficiencies. GDPR compliance will help you to safeguard personal data, build trust with your patients and staff and to protect your practice against complaints.

Background

The GDPR will replace the existing EU Data Protection framework and will standardise Data Protection rights for European citizens. The GDPR keeps and enhances many of the existing Data Protection principles. It puts great emphasis on transparency and security.

The GDPR will give individuals additional and stronger Data Protection rights. For example, it will be easier for individuals to bring private claims for compensation against data controllers for breach of data privacy.

How will the GDPR be enforced?

The GDPR gives Data Protection Authorities the power to sanction non-compliance. Sanctions can include fines of up to €20,000,000 or 4% of total global annual turnover.

A failure to report a breach could result in a sanction, in addition to a sanction for the actual breach. Financial sanctions are a serious consideration but the associated reputational damage for your practice could also be very damaging.

Get prepared!

You should inform your staff as soon as possible that the law is changing in relation to Data Protection and that it will mean changes in how your practice operates.

Someone in your practice must be responsible for Data Protection compliance, a designated Data Protection Officer (“DPO”). Many GP practices already have a designated DPO. Your practice DPO will be a key player in driving GDPR compliance within your practice. He/she will need the right knowledge, authority and support and may benefit from upskilling or specific training.

Preparing for the GDPR will be time and resource intensive. Your practice will need time to introduce the required changes in a controlled manner. You should commence your preparations as soon as possible.

It is important to keep a paper trail of all steps taken towards GDPR compliance. We recommend starting with an education session for your staff on the GDPR and what it entails, followed by a paper-based exercise and meetings / workshops with your staff to work through the road-map set out below.

Where can I get more information?

The Office of the Data Protection Commissioner plans to issue a series of documents in advance of 25 May 2018. The first document, entitled “The GDPR and You” is now available at www.dataprotection.ie. More information and very helpful infographics are available at www.gdprcoalition.ie.

A detailed road map towards GDPR compliance:

It has been suggested that the main steps you need to take can be usefully grouped under the broad headings of: encryption and segregation of data, education, incident response planning and cyber insurance. The following suggestions will help you tackle each of these areas.

Appoint a Data Protection Officer

  • This is mandatory for organisations which process sensitive personal data (e.g. health information) on a large scale, which includes GP practices.
  • Consider whether your DPO needs to be supported with training. If you already have a DPO, he/she may benefit from GDPR specific training or upskilling.

Consider whether you need a GDPR project team

  • Preparing for the GDPR will be time and resource intensive. Depending on the size of your practice, the available resources in terms of staff and the competing demands on their time, you may need to set up a team or working group to lead GDPR compliance for you.
  • If you are concerned about your ability to put resources behind GDPR preparation and compliance, you might consider prioritising the jobs that need to be done or getting external assistance and support.

Create an inventory

  • You need to prepare a complete inventory of all the personal data that your practice holds. You need the input of all staff members to prepare the inventory. This will be your baseline information. For example, in respect of a patient, you might find that you hold the following data: personal details, contact details including next of kin contact details, date of birth, GMS number, details of previous GP (if any), payment history, medical history, clinical records, details of attendances / interactions, imaging, test results and correspondence.
  • Bear in mind that the inventory will be a working document which will need to be updated. Make sure it is created in a user friendly format and that it is backed up. Start by asking your staff to complete a questionnaire with the details of the data they use in their day to day jobs.
  • Ask your staff to highlight any high risk areas that they perceive and ask for their suggestions on how to mitigate those risks.
  • Set a deadline for their responses and keep their completed questionnaires as part of the paper-trail.
  • Hold a meeting to discuss their responses and to get a full understanding of the current position. Keep a note of what action points are identified and discussed.

Review the inventory

  • For each piece of data, ask yourself:
    • How did you obtain it?
    • Why did you originally obtain it and what did you use it for?
    • Why are you holding it now?
    • How long will you retain it?
    • How secure is it?
    • If there was a breach of data privacy in relation to it, would there be a risk of harm to the individual concerned?
    • Do you ever share it with third parties and if so, on what basis?
  • Keep a note of any concerns / issues / suggestions to work on.
  • You may discover that there are records in your practice which should now be securely shredded / deleted. You will find a helpful guide to retention periods for records on medisec.ie.

How secure is the data you hold?

  • You need to examine how securely you hold data. Does everyone in your practice have a unique log-on and password to the computer network? Passwords should be robust, routinely updated and they should not be shared.
  • Consider the access authorisations that your support staff may have. Are they appropriate and necessary?
  • Are you at risk of a breach of personal data for the want of a simple shredding protocol in your practice?
  • Are your emails secure? Healthmail is a service available at no cost to GPs which allows healthcare providers to send and receive clinical patient information securely. Medisec recommends that its members should all use secure email.
  • You may need to liaise with IT / software providers and have a security audit carried out to get a proper understanding of how robust your computer systems are and to learn about what improvements may be possible.
  • Are your staff members aware of and trained about the risks of phishing / scam emails and malware?
  • What could you observe if you sat in your own waiting room with fresh eyes? For example:
    1. Do your receptionists inadvertently reveal personal data or clinical information when speaking with patients in person or by telephone?
    2. Are computer screens shielded from a patient’s view at the reception desk?
    3. Are letters waiting to be scanned or prescriptions for collection left in clear sight?
    4. Can consultations in progress be overheard from the waiting room?

Establish the legal basis on which you collect and process data

  • You need to consider the legal basis on which you hold and process personal data. GP practices largely obtain and process personal data with consent.
  • Consent must be “freely given, specific, informed and unambiguous”. Obtaining consent requires a positive indication of agreement. Consent cannot be inferred from silence or inactivity.
  • You need to review how you obtain and record consent to ensure that it is appropriate and verifiable. A pro forma can be developed and designed to ensure your practice is GDPR compliant.
  • If there is no paper trail, consider whether the consent actually complies with GDPR and if not, whether you need to seek consent again. For example, can you prove that you obtained consent to holding your patient’s personal contact details?
  • Don’t forget to consider also the basis on which you collect your employees’ data!
  • There may be situations where you process personal data on a different legal basis e.g. statutory reporting requirements for infectious diseases etc. You must consider carefully what happens within your own practice.

Check what information is being shared with third parties and why

  • In a GP setting, you may for example, share data with third parties when you send blood samples for analysis, when you write patient referrals to secondary care etc.
  • As an employer, you may be sharing data with third parties if you have outsourced your payroll, HR function or accounts.
  • Review the contracts you have with your third party service providers and make sure there are suitable confidentiality clauses and security obligations around protecting any shared data.
  • Make sure that your patients / staff members are aware that their personal data may be shared in this way and that they have clearly consented to same.

Establish procedures to process requests

Your patients may want to exercise their Data Protection rights, which include: access, correction of inaccuracies, erasure of information, objections to direct marketing, restriction of processing and data portability.

  • Some GP practices have procedures in place already for dealing with Data Protection requests and those procedures may only need to be tweaked. Other GP practices have been dealing with Data Protection requests on a more ad hoc basis. GDPR compliance will require standardised procedures to be in place.
  • Your procedures will need to ensure that requests are processed within the new timelines i.e. within one month (currently the period allowed is 40 days, so you will have less time in future). If your practice frequently receives access requests, processing them in time could be a challenge.
  • In most cases, you will not be able to charge for processing an access request. You may be able to charge a fee if processing the request will be administratively burdensome.
  • Make sure your agreed process is workable and will meet your obligations. For example, you may need to look at IT solutions, like taking advice from external consultants or perhaps upgrading your systems. You should also assign specific responsibilities to specific staff members and have a contingency plan and written protocols in place in case a key member of staff is on leave etc.
  • Your procedures should include a clear refusal policy and procedure. You have to be able to explain why a data protection request was legitimately refused e.g. why you might decline to rectify a record etc.
  • A sample request handling process might look like:
    1. DPO logs the date of receipt of the request in a central Data Protection register.
    2. DPO records the deadline for response and an advance reminder in a Data Protection diary which is reviewed weekly.
    3. DPO acknowledges the request and confirms that a response will issue before the 30 day deadline.
    4. DPO identifies and locates the relevant records.
    5. It may be appropriate for your DPO to make decisions on requests regarding restriction of processing and data portability. It may be more appropriate for the treating GP to make decisions on access / correction / deletion requests.
    6. DPO implements the decision made, e.g. preparing copy records for release or arranging rectification / deletion, and notifies the requestor of the decision within the 30 day timeline. Medisec recommends that any records to be released are checked through beforehand by a medical member of the team.

Policy for dealing with a data breach

  • Breaches must be notified to the Data Protection Commissioner within 72 hours unless the data was anonymised or encrypted so you will need to review the procedures you have in place to detect, report and investigate a personal data breach.
  • Breaches which are likely to bring harm to an individual must be notified to the individuals concerned as well.
  • Make sure your staff are aware of and compliant with these policies.

Review your privacy notices

Data subjects need to be fully informed about how you collect and use their data.

  • Your practice’s Data Privacy Notice will need to be updated. Currently, your Data Privacy Notice has to tell patients your identity, your reasons for gathering their data, the use to which it will be put, to whom it will be disclosed and if it will be transferred outside the EU. Under the GDPR, you will have to set out more information including the legal basis for processing the data, the applicable retention periods and details of the rights patients have under the GDPR, including the right to complain.
  • Arrange to review your privacy notices at suitable intervals to make sure that your privacy notices are fully accurate and up to date.

Data Protection Impact Assessment (“DPIA”)

Future projects will require a Data Protection Impact Assessment (“DPIA”). This means looking at any potential Data Protection issues associated with an intended project and finding a way to mitigate them. A GP practice might, for example, have to complete a DPIA as part of introducing new practice software.

Keep a paper trail

  • You will need to demonstrate that Data Protection principles are complied with. It will be essential to embed a culture of awareness and compliance amongst staff. Your practice will need to keep records of processing activities going forward.
  • Document all the steps you take towards GDPR compliance, from a note of your first planning meeting, to sign-in sheets at staff training and education sessions, to a paper trail of your consultation with your IT / software providers, to an audit plan for ongoing monitoring and future compliance.
  • It will help your practice move towards GDPR compliance to have the following templates:
    1. A website Privacy Statement;
    2. A practice Privacy and Confidentiality Policy;
    3. A patient leaflet regarding Data Protection;
    4. A consent form regarding the processing of personal data;
    5. Confidentiality agreements with staff members / confidentiality clauses in staff contracts / employee handbooks;
    6. Data processing contracts with third party service providers;
    7. Written procedures regarding the exercise of Data Protection rights, including the policy on refusal;
    8. A written Personal Data Breach protocol; and
    9. A written complaints policy for the practice.

Remember that GDPR compliance is not a once-off project. Getting ready for its introduction will involve an initial wave of preparatory work, but GDPR compliance must remain an ongoing priority for your practice thereafter. A full suite of sample policies is available at medisec.ie. Please note that any sample policy will require careful review and will need to be tailored to the particular workings of your practice.

Please also note that this article is intended to assist you with your preparations for GDPR compliance and is not intended to be an exhaustive summary of all steps required. If you are a Member and need further advice or have a specific query, please contact Medisec. 
