Organisations in the health and social care sectors, much like other organisations, hold personal data about their employees, suppliers and business contacts. However, they differ in the fact that a large proportion of patient data is health data, part of the GDPR’s ‘special’ category of data. As such, this data is subject to strict regulation under the new legislation. Data breaches in healthcare settings can have catastrophic consequences for organisations and individuals alike: organisations can incur crippling fines, and the rights, freedoms, and privacy of patients can be impaired. Training all of your staff members in data protection best practices is vital to protect both your organisation and your patients.

Data Protection and Medical Records

Health records contain both facts and professional opinions on a patient’s physical and/or mental health. Consultation notes, scan results, videos, audio recordings, photographs, tissue samples and correspondence between professionals (to name a few) all feature in health records. These records contain an abundance of sensitive and confidential information and must be protected accordingly. When processing large volumes of sensitive health data, it is imperative that all your staff members are equipped with good data protection education.

Health records have a minimum retention period of 8 years for hospital records, 10 years for GP records, and longer for paediatric, obstetric and mental health records. After these times, the records must be properly disposed of in confidential waste.

Sharing Health Records

Subject Access Requests (SARs) can be submitted by a patient (or a third party authorised by the patient) seeking access to the information held about them. Competent patients have a right to access this information and your organisation is obliged to comply with the request within 28 days. Whilst patients can authorise a third party to make a SAR, requests from insurance providers can enter a grey area and risk breaching GDPR. To avoid a breach, health records can be issued to the patient directly, allowing them to disclose their records if they desire. When asking staff to operate in such grey areas it is a fundamental necessity that you train them comprehensively in data protection.

Whilst healthcare providers are required to uphold the confidentiality of their patients, they are also expected to prevent harm to others. In the absence of a court order or warranty, police can make an informal request to access a patients heath records. Whilst disclosure is at the professional’s discretion, they could find themselves liable if they fail to prevent serious harm to their patient or others by failing to disclose relevant information. Again, when working in an area of ambiguity your staff require good data protection training to appreciate the restrictions they must abide by.

Data Protection in the NHS

All organisations contracted to provide services under the NHS Standard contract are required to abide by NHS data protection policies. The NHS has issued standardised privacy notices (publications informing data subjects on how their personal data will be processed) which are circulated on NHS websites and displayed in patient waiting areas. All public authorities, ranging from trusts to individual practitioners within the NHS, are required to appoint a Data Protection Officer (DPO). A DPO is an individual, removed from the data processing, who is responsible for ensuring data protection compliance.

Breaches in the News

Serious data breaches must be reported to the Information Commissioner’s Office (ICO) within 72 hours of discovery. A breach is deemed serious if it is likely to harm the rights, freedom or privacy of any persons. As well as the massive effects on individuals, the repercussions that a data breach can have on an organisation must be considered. Patients must have trust in your organisation when disclosing personal information such as health data, therefore damage to your organisation’s reputation could hinder the services you are able to offer. You can also incur massive fines from the ICO, up to 4% of your annual turnover or €20,000,000, whichever is greater. Data protection training is essential in avoiding these dear consequences.

In 2017 the NHS fell victim to a large-scale cyber-attack. Ransomware encrypted the files of various NHS health organisations and demanded payment in bitcoin to recover the data and return it to NHS staff. The affected organisations were forced to turn patients away, stop prescriptions, and cancel appointments, thus causing widespread chaos for GP surgeries, pharmacies and more. In light of the attack, it was found that staff were working on outdated operating systems and that updating this software to current OSs may have protected these sensitive files against unauthorised access and encryption. Our increasing reliance on technology means that a cyber-attack can bring an organisation to its knees.

In 2016, a hospital data slip had devastating effects on a foster family. Correspondence regarding a baby who was taken into care at birth accidentally disclosed the foster parents’ names, address and phone numbers to the child’s birth parents. The foster parents received death threats from the birth parents and were forced to live in hotels for weeks until it was deemed safe for them to return home. The baby was immediately removed from their care and the couple were prohibited from adopting a second child they had planned to care for. This experience illustrates how a seemingly minor slip can have crippling effects on those it implicates and highlight the importance of rigorous data protection training.