Posted by Mei-Ling Huang, Partner
Data breaches in the health and care sector
As we are all well aware by now, the General Data Protection Regulation (GDPR) came into force on 25 May 2018 and with it came a duty on all organisations to report certain types of personal data breaches to relevant supervisory authorities.
The health and social care sector will control and process some of the most sensitive personal data there is and data subjects have the right to expect those organisations to have robust procedures in place in order for their personal data to be properly secured.
However, whether intentionally or entirely by mistake, data breaches can and do occur. During the period 24 May 2018 (when the system was launched) to 30 June 2018, a total of 122 incidents were notified to the ICO through the DSPT by organisations in the health and care sector. Examples of incidents that were reported include the loss of a patient’s scanned in notes; a cyber incident (similar to the WannaCry incident of 2017) affecting the availability of clinical services; 10 DNA profiles (biometric data) with names sent to the wrong email address; and a set of case notes found in a bin outside a supermarket.
In the event such a data security incident occurs in this sector, the Information Commissioner’s Office (ICO) has asked that all health and social care organisations use the Data Security and Protection Incident Reporting Toolkit (DSPT), rather than the usual ICO provided reporting mechanism.
Notifying the ICO of a breach through the DSPT
Not only is it a contractual requirement of the standard NHS contract to notify incidents, but Article 33 of the GDPR now states that the ICO must be notified of a personal data breach within 72 hours unless it is unlikely to result in a risk to the rights and freedoms of individuals. Organisations are also obliged to notify anyone affected by the breach without undue delay in circumstances where it is likely to result in a high risk to individuals’ rights and freedoms.
As stated above, all health service organisations in England must now use the DSPT which can be found here. This system will report Serious Incidents Requiring Investigation to NHS Digital, the Department of Health, the ICO and other regulators.
72 hours is not a lot of time to conduct internal investigations in to the incident, decide whether or not it is notifiable and deal with the immediate aftermath of the breach. As such, organisations should consider what they can do now in order to save some of that time. For example, reviewing internal processes to ensure robust procedures are in place for breach detection, internal investigation and internal reporting. Effective internal procedures will assist those tasked with deciding whether or not the ICO (and any affected individuals) need to be notified of a breach and if they do, that the correct notification processes are followed promptly and within the prescribed time limits. If they have not done so already, organisations should also register for the DSPT now so that, in the event an incident does need to be reported, they do not have to waste any of the crucial time during the initial 72 hour period registering to be able to use the system.
If you have any queries about the DSPT or notifying supervisory authorities of a potential personal data breach, please do not hesitate to contact Lucy Nash.
01865 268 685 Email us
Health & Social Care
Part of your trusted team, on hand to provide expert advice