Posted by Richard White, Partner
Healthcare providers and GDPR: are you ready?
25 May is nearly upon us, and there are only 3 working days left for you to finalise your preparations for GDPR, which will affect all businesses, including organisations in the health and social care sector. But what are the key points that you should be thinking about if you are in the care sector?
Health and social care organisations store huge amounts of sensitive personal data and operate very much under the close scrutiny of the public eye. The processing of personal data is integral to the daily operation of organisations in this sector. It is therefore crucial that all businesses comply with the new data protection legislation. One of the major changes introduced by the General Data Protection Regulation (GDPR) is that of accountability. Organisations must not only comply with the new data protection principles, but they are also under a positive obligation to demonstrate that compliance.
Personal data and sensitive personal data – what is it?
In its most simplified meaning, ‘personal data’ is any information relating to an identified or identifiable person. This can include an individual’s name, date of birth, address and photograph, as well as an NHS number. As health and social care organisations, you are also likely to hold significant amounts of ‘sensitive personal data’ such as:
- genetic data – relating to inherited or acquired genetic characteristics, including biological samples
- biometric data – relating to an individual’s physical, physiological or behavioural characteristics
- data concerning health – both physical and mental health and the provision of healthcare services.
Under the GDPR, data must be processed lawfully, fairly and in a transparent manner. The starting point will be for organisations to undertake a data audit and data mapping exercise in order to ascertain what data you are collecting, processing and sending out, not only about your clients and residents, but also about your employees, carers and job applicants.
A legal basis that many organisations will seek to rely on is consent. Organisations in the health and social care sector could also consider this basis. However, consent can no longer be relied on for everything, as was previously thought to be the case:
- It is highly unlikely in an employment context that you will be able to rely on consent due to the imbalance of power between the employee and the employer.
- Similarly, you must be mindful when working with potentially vulnerable individuals who lack the capacity to consent.
It’s worth considering whether there are more appropriate grounds for processing their personal data, for example, to comply with a legal obligation or for the performance of a contract.
As an aside, the ICO reminds healthcare organisations that patient consent for treatment or to share healthcare records is not the same as GDPR consent.
Following your data mapping exercise, health and social care organisations should look to implement privacy notices in order to inform service users/residents about the data you are holding about them and what you are doing with that data.
Separate privacy notices should be implemented for employees and for job applicants, whose data is likely to be different to that collated for service users and processed on a different legal basis. There is no ‘one size fits all’ approach when it comes to drafting these privacy notices; their content will depend on the results of your data mapping exercise.
Update contracts and policies
Organisations will also need to look at updating employment contracts and other policies within their staff handbook, such as the data protection, IT & email, social media and disciplinary policies. You may also need to consider updating commercial contracts with third parties with whom you share data, for example an external payroll company in respect of employees, or the local authority or CQC in respect of service users.
Spending time drafting, updating and implementing GDPR-compliant documents is all well and good, but compliance must also be demonstrated ‘on the ground’. Organisations should raise awareness amongst staff of the changes to the law to ensure that they are handling and storing data securely.
Employees involved in collecting, processing and sharing personal and sensitive personal data must be made aware of how the changes affect their daily tasks and how they can remain compliant on behalf of their organisation.
If your organisation is in the health and social care sector and you require assistance to ensure that you are adequately protecting service user and employee information in light of GDPR, do not hesitate to contact us:
0800 182 2495