May 21, 2018

Healthcare providers and GDPR: are you ready?

Health and social care organisations store huge amounts of sensitive personal data and operate under close public scrutiny. The processing of personal data is integral to the daily operation of organisations in this sector. It is therefore crucial that all businesses comply with the new data protection legislation. One of the major changes introduced by the General Data Protection Regulation (GDPR) is accountability: organisations must not only comply with the new data protection principles, but they are also under a positive obligation to demonstrate that compliance.

Personal data and sensitive personal data - what are they?

In its simplest terms, 'personal data' is any information relating to an identified or identifiable person. This can include an individual's name, date of birth, address and photograph, as well as an NHS number. As health and social care organisations, you are also likely to hold significant amounts of 'sensitive personal data' such as:

  • genetic data – relating to inherited or acquired genetic characteristics, including biological samples
  • biometric data – relating to an individual’s physical, physiological or behavioural characteristics
  • data concerning health – both physical or mental health and the provision of healthcare services.

Lawful basis

Under the GDPR, data must be processed lawfully, fairly and in a transparent manner. The starting point for organisations will be to undertake a data audit and data mapping exercise in order to ascertain what data you are collecting, processing and sending out, not only about your clients and residents but also about your employees, carers and job applicants.

A legal basis that many organisations will seek to rely on is consent. Organisations in the health and social care sector could also consider this basis. However, consent can no longer be relied on for everything, as was previously thought to be the case:

  • It is highly unlikely in an employment context that you will be able to rely on consent due to the imbalance of power between the employee and the employer.
  • Similarly, you must be mindful when working with potentially vulnerable individuals who lack the capacity to consent.

It's worth considering whether there are more appropriate grounds for processing personal data in these cases, for example to comply with a legal obligation or for the performance of a contract.

As an aside, the ICO reminds healthcare organisations that patient consent for treatment or to share healthcare records is not the same as GDPR consent.

Privacy notices

Following your data mapping exercise, health and social care organisations should look to implement privacy notices in order to inform service users/residents about the data you are holding about them and what you are doing with that data.

Separate privacy notices should be implemented for employees and for job applicants, whose data is likely to be different from that collated for service users and processed on a different legal basis. There is no 'one size fits all' approach when it comes to drafting these privacy notices; their content will depend on the results of your data mapping exercise.

Update contracts and policies

Organisations will also need to look at updating employment contracts and other policies within their staff handbook, such as the data protection, IT & email, social media and disciplinary policies. You may also need to consider updating commercial contracts with third parties with whom you share data, for example an external payroll company in respect of employees, or the local authority or the CQC in respect of service users.

Staff training

Spending time drafting, updating and implementing GDPR-compliant documents is all well and good, but compliance must also be demonstrated 'on the ground'. Organisations should raise awareness amongst staff of the changes to the law to ensure that they are handling and storing data securely.

Employees involved in collecting, processing and sharing personal and sensitive personal data must be made aware of how the changes affect their daily tasks and how they can maintain compliance on behalf of their organisation.