Is your medico-legal practice GDPR compliant?
What does that mean?
The General Data Protection Regulation came into force in May 2018, replacing the Data Protection Act 1998.
The GDPR sets out how organisations must handle personal data.
There are additional rules for health records, as they are considered to be a special category.
NB. Information about a deceased person is not subject to the GDPR.
The GDPR will still matter to the UK after Brexit. The Data Protection Act 2018 incorporates the GDPR into English law. After the UK has left the EU, our data protection laws will almost mirror those of the EU.
Why does it matter to me?
As a medico-legal expert, you could be considered to be a data controller.
You will be using personal data, determining the means of the processing and the purpose of the processing.
As a data controller, you have specific obligations under the GDPR.
The ICO has the power to fine you if you do not comply.
NB. If you have already taken the following steps in relation to your private medical practice, you must still take these steps, separately, in respect of your medico-legal work.
You need to assess and minimise the risk to the data subject and your instructing solicitors.
You must have an up-to-date record of what data you hold, why you hold it and where you hold it.
What are my obligations?
Register online with the Information Commissioner’s Office.
Pay the fee and be added to the Data Protection Register.
Report any data protection breach within 72 hours.
Follow the 7 principles set out in Article 6 of the GDPR.
…what are the 7 principles?
Data controllers are accountable for what they do with personal data and how they protect it. You must demonstrate how you comply with the legislation through clear, documented processes, i.e. you must both comply AND demonstrate compliance.
https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/02/blog-show-you-mean-business-by-paying-the-data-protection-fee/
GDPR 7 principles
1. Lawfulness, fairness & transparency
On what basis are you collecting and processing this data? GDPR Article 6(f), legitimate interests.
Healthcare records are a special category of personal data, so your reason for processing them must also meet a GDPR Article 9 ‘special condition’ for use. Use Article 9(2): ‘…establishment, exercise or defence of legal claims.’
Is your data processing for fair use? A negative effect on the data subject does not make your processing unfair.
Is your data processing transparent? Do people know who you are and why you are using their data? You would set this information out in your privacy notice and in your data audit records… documentation matters!
Legitimate interest – that is, the litigation in which you are instructed to act. Still, it is always worth knowing that the claimant solicitor has the relevant consent for access to and use of the health records, including that they have provided the claimant with a summary of the parties likely to access/use them.
GDPR 7 principles
2. Purpose Limitation
Why are you processing the data; what is your remit?
3. Data Minimisation
Is the data you hold relevant for you to fulfil your remit?
4. Accuracy
Is the data you are using accurate and up to date for your requirements?
Documentation! It can be brief, but you should identify what information you have, what it is for, and whether it is sufficient for your purpose.
GDPR 7 principles
5. Storage Limitation
How long should you keep the data and why? You must carry out periodic reviews/audits.
NB. 6-year limitation for professional negligence claims.
6. Security Principle
You are responsible for secure storage and transfer of the data. Consider: encryption; data rooms; couriers for hard copies; secure filing.
Security tip: document all risks to the data and how those risks will be controlled. E.g. being emailed to the wrong person… you double-check your email before sending/disable autocomplete; being left on a bus… you don’t take them on public transport!
Are your systems adequate to identify potential data breaches before they occur? Can you flag up adverse incidents in time to comply with the deadlines for reporting (72 hours)?
NB. Security also covers things like working on public transport – on laptops, on phones, in discussion with colleagues. See, for example: http://heleblundell.blogspot.com/2013/01/are-you-being-heard.html
ICO Audit team say: the main areas of weakness that we have found when we have audited Records Management are:
lack of a formal RM framework – including a lack of any training programme incorporating RM, and then a failure to monitor training attendance against KPIs;
lack of regular internal audit, compliance monitoring and reporting, or external assurance in the area of records management;
lack of effective security for manual records, especially when being transported or transferred;
AND/OR a lack of effective retention and destruction controls for both electronic and manual records.
GDPR 7 principles
7. Accountability
You are responsible for compliance and you must demonstrate how you do so.
Ensure those you work with are also compliant, e.g. instructing solicitors, administrative assistants, storage facility.
Document everything: reasons for holding and processing the data; annual or regular review of data library; choice of encryption and storage of the data; maintain records with the ICO.
Maintain and publish an up-to-date privacy policy.
Do your contracts with data processors meet the GDPR requirements? You may well enter into a data processing or data sharing agreement. You must ensure they also have compliant processes and be satisfied that they will be implemented. Check they are on the register: https://ico.org.uk/about-the-ico/what-we-do/register-of-fee-payers/
Your privacy policy must be concise, transparent, intelligible and easily accessible; written in clear and plain language; and free of charge. Many people post it on their website.
Additional resources
Information Governance Alliance @NHSDigital: https://digital.nhs.uk/data-and-information/looking-after-information/data-security-and-information-governance/information-governance-alliance-iga/general-data-protection-regulation-gdpr-guidance#when-guidance-is-being-published
Complete Guide to GDPR compliance (includes documents on which to base your privacy policy and data processing agreement): https://gdpr.eu/tag/gdpr/
We don’t offer template policies. It is important to read what the required content is and then write your own. This is the best way to ensure you understand the requirements on you as a data controller and the practical implications for your business. However, it is of course helpful to have some documents to read by way of guidance.
Additional resources
Write down your data audit policy, and then be sure to carry it out. Talk to colleagues about what they do, and share good practice.
Here's a sample register of information you might need. Do not overwrite info, add info.
Write down how regularly you will review all the records, and do it. When there is a significant change in your role in a case (it settles, it is appealed etc.) update that one record. It will save you time when you do a regular review if you know that your records are up to date.
Make a note on this register if you are taking records out for any reason – conference/client appointment etc. – and update risks/steps to mitigate. Note when they are returned.
If you review and there’s been no change, perhaps contact instructing solicitors for an update. Mention why you’re asking!