Data Protection Laws are changing and all podiatrists will need to comply!
Published 26 Nov 2017
Data protection rules are set to change in May 2018. These changes may affect your use of PASCOM-10. The College of Podiatry has recently published the following statement on its website:
Key Learning Points
- The Data Protection Act is being superseded by the EU General Data Protection Regulation (GDPR).
- All healthcare professionals should be aware of the key terms within the GDPR.
- Podiatrists will need to consider carefully the ways in which they process personal data.
Under EU law, the rights to privacy and fair processing of personal data are treated as fundamental rights. In the UK, these rights have been protected under the Data Protection Acts since 1984.
The existing regime is undergoing a major overhaul, and from 25 May 2018 a new system will take effect. At the heart is the EU General Data Protection Regulation (GDPR). In the UK the regulation will apply directly, but it will be supplemented by a new Data Protection Act, aspects of which are as yet unconfirmed. The new regime emphasises accountability and will affect the way that we all work with, and store, personal data.
People and organisations (including podiatrists) who process personal data will need to demonstrate that they have considered certain Data Protection Principles and adopted appropriate processes to achieve compliance. For podiatrists who are employed, the major burden will fall on the employer organisations such as the NHS. Employees of those organisations will need to adapt to changes in local policies and procedures implementing the new regime.
For podiatrists in independent or private group practice, there is far more work to do, as the burden of implementing reform and ensuring ongoing compliance will fall on you as controllers of the personal data that you collect and process. While the new system is evolutionary, not revolutionary, it appears that the prospect of new substantial fines has caused many data controllers to think seriously about their obligations for the first time.
The new regime is undoubtedly complex. As with any major new regulation, there are questions about the precise meaning of aspects of the new rules. However, the main thrust is clear, and the time to implementation is short, so the lack of certainty around the detail should not be a barrier to early action. There are areas where compliance will require controllers to invest a great deal of thought and time.
In addition to driving a culture of accountability in data processing, the new system strengthens the rights of data subjects in areas such as access to personal data and rights to rectification and erasure. It also tightens up the regime relating to consent, setting more exacting requirements for consent when this is relied upon as the justification for data processing.
In this, the first of a series of articles looking at the key points of relevance to podiatrists, we explain some of the terminology and outline the first steps to implementing the changes.
Personal Data
Personal data is any information relating to an identified or identifiable living individual (a 'natural person'). A person may be identifiable directly, for example from a name, address or patient number, or indirectly when the data are combined with other information held.
Special Category Personal Data
The GDPR affords special protection to specific categories of data that are particularly sensitive. These are referred to as 'Special Category' personal data, and include information about a person's physical or mental health. Clinical records contain these data. Podiatrists may also be processing special category personal data outside the clinical record, for example in emails or other communications. Processing of special category data is prohibited unless one of the specific conditions set out in the GDPR is met.
Data Controller
A Data Controller is an individual or organisation that determines the purposes for which, and the means by which, personal data are processed. A podiatrist in independent practice is the controller of their patients' data. A Data Processor is a separate person or organisation that processes personal data on the controller's behalf and on the controller's instructions, for example a cloud storage or email provider. It is likely that controllers will be required to pay an annual fee to the Information Commissioner.
Processing
The definition of processing is wide. It covers almost anything done with personal data, including collecting, recording, organising, storing, accessing, altering, disclosing and destroying it.
Data Protection Principles
The GDPR sets out six core principles that apply to the processing of personal data. These are similar to the existing principles under the Data Protection Act and can be summarised as follows:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
The GDPR adds an overarching requirement of accountability: the controller is responsible for compliance with these principles and must be able to demonstrate it, for example through documented policies, records of processing and risk assessments.
Lawful Grounds for processing
In assessing the lawfulness of processing, at least one of the permitted 'Lawful Grounds' in Article 6 GDPR must apply. When processing special category personal data, such as clinical records, it is also necessary that one of the conditions in Article 9 GDPR applies; both an Article 6 ground and an Article 9 condition are needed.
These will be explored in more detail in a future article. For now we note that consent is one of the available lawful grounds, but that it may not be the most appropriate to rely upon. The full list can be accessed at: https://ico.org.uk
FIRST STEP IN COMPLYING WITH THE GDPR
Know your data
Podiatrists in independent practice will be processing the personal data of their patients, which includes special category personal data. The starting point in achieving compliance is to identify and understand the nature of the personal data that you process by data mapping. This entails reviewing how and where personal data is processed, whether it is shared, and if so with whom, and describing those data flows either in words or graphically.
The first step in data mapping is to consider where you process personal data. The obvious starting point is a patient's clinical records. These will contain special category personal data about the patient, and possibly personal data about third parties, such as records of the patient's family history or details of next of kin. They are also likely to include the podiatrist's own personal data.
However, it is probable that the processing of personal data will extend beyond the clinical record. You will need to think about how you communicate with, and about, patients. No doubt you send emails to patients about appointments or possibly more specific clinical issues. These emails contain personal data (and, where they discuss treatment, special category personal data), so it is important to think about how and where they are stored and for how long. One way of approaching this is to think about the patient's journey from their first enquiry to the end of treatment, and the storage of records after treatment is complete. You will also need to decide how to manage personal data from enquirers who never become patients.
Whether records are electronic or paper, it is important to think about who can access them, whether that access is limited to those who need it, and what security measures are in place. You should also think about where data are accessed, for example on laptops, tablets or phones used away from the practice, and about the security of electronic communications in transit, bearing in mind that ordinary email is not encrypted end to end.
If you use a cloud storage provider or email service provider, you need to know where in the world your data are processed, because transfers of personal data outside the European Economic Area are only permitted where appropriate safeguards are in place, and you need to be satisfied that the provider (your processor) is compliant with the GDPR.
Mapping your data collection and use in this way allows you to think about compliance in a structured way. It will help you identify vulnerabilities and solutions and prioritise them. Once you understand your data flows you can document your risk assessment and write a formal policy for the processing of personal data. You should also review any contracts you have with third parties for processing your data, bearing in mind that Article 28 of the GDPR requires controllers to include certain express contractual terms in their contracts with data processors.
Mapping your data processing will also allow you to think about what processing operations you undertake and determine the most appropriate lawful grounds on which to rely for that processing. This in turn will help you to decide what information to include in the privacy notice you give to your patients.
In subsequent articles we will look at the following:
- Consent and its limitations
- Fair processing and privacy notices
- Data security and data breaches
- The rights of data subjects