Data protection laws are set to change in a few weeks as we prepare for the introduction of the new General Data Protection Regulation (GDPR). But what do the new rules mean, and why do they matter for care homes?
The GDPR replaces the current Data Protection Act, and will set a stronger framework for how we collect, store and share data across the health and care system in future.
With the current scandal engulfing Facebook and Cambridge Analytica, as well as high profile security breaches affecting a number of sectors over recent years, the new rules come in at a time when public awareness of data issues has never been greater.
It is my strong belief that GDPR will give us the framework we need to build patient confidence in how their information will be accessed and used, and ensure that we can continue to yield the benefits of having a more connected and integrated approach to data management.
At the core of GDPR is the need to appoint a data protection officer or data protection lead within every organisation – a named person responsible for overseeing the handling of sensitive personal data either within a practice or across multiple practices.
All organisations will also be required to demonstrate that they are complying with the new regulations and must report any security breaches within 72 hours in a bid to boost transparency and accountability. We need to have the same fast and forensic approach to addressing any compromised data as we do to failures in patient care – both are fundamentally breaches of patient trust and safety.
The new laws also put more power into the hands of the patient. They will mean that for the first time patient data can be requested and obtained within a month – rather than the current 40 days. Patients will also have the power to request their information is moved, deleted or altered. They will, in other words, have greater agency and control over how their data is managed than ever before.
There are, clearly, important logistical challenges for organisations in preparing for the new regulations, which is why we have been working with NHS Digital and the Information Commissioner’s Office to prepare a range of tailored advice to help organisations prepare and get to grips with the new rules as quickly as possible.
But let’s not lose sight of why this matters. In the 70 years since the NHS was created, clinicians and scientists have consistently approached data with the guiding principle that it can make a huge difference to patient care. And there is consensus that this matters now more than ever, not least as we seek to deliver fast, effective transfer of records, helping to join up care for patients with complex and multiple conditions.
Yet we can only travel as fast and as far as the public’s confidence allows us, and in a volatile climate, where people are asking serious questions about the ethics of Big Data, the introduction of this new regulation – alongside the work already being done in the wake of Fiona Caldicott’s Review – gives us definitive answers within healthcare.
By implementing the regulation, we can win permission to ensure more patients can benefit from an improved experience and better outcomes as a result of fully integrated and shared personal medical records.
Many of the main requirements of GDPR are similar to those in the current Data Protection Act – however there are a number of new elements which may need significant changes in the way organisations handle data:
· The requirement, where appropriate, to appoint a Data Protection Officer
· Organisations will be obliged to demonstrate that they comply with the new law
· Significantly increased penalties possible for any breach of the Regulation – not just data breaches
· A legal requirement for security breach notification within 72 hours
· The removal of charges, in most cases, for providing copies of records to patients or staff who request them and a new timescale to provide this within one calendar month
· The requirement to keep records of data processing activities
· Increased rights of the data subject
Sector-specific information for health organisations has been published by the Information Governance Alliance (IGA) on their website to try and support the transition. This includes a GDPR checklist, FAQ section and general advice with links to further information.
The information is available here: https://digital.nhs.uk/information-governance-alliance/General-Data-Protection-Regulation-guidance