The new data protection regulations came into force on 25 May. Is your practice compliant? Dr Rachel Birch, medicolegal adviser at Medical Protection, has previously written about GDPR.
Here, Dr Birch is delighted to welcome a helpful recap on the main changes from Dr Conor O’Shea, a GP and member of the ICGP Data Protection Working Group
The concepts of data privacy and protection did not begin on 25 May 2018, but the legislation has undergone a significant upgrade in the form of the General Data Protection Regulation (GDPR).
We await a new Data Privacy Act from the Irish government, and GPs are doing their best to keep up with this moving landscape. The aim of this article is to help GPs to assess if the necessary changes are being made in their practices.
To begin, we should remember two important points. Firstly, the principle that an individual’s personal data should be respected and carefully managed is a reasonable one. It is what we would expect for ourselves or our families. Secondly, when we refer to data we mean all personal information, both in electronic and paper format. The workflows in a typical general practice are such that data breaches involving paper are as likely to occur as electronic mishaps.
Let us consider what has changed under GDPR:
- It is now necessary for practices to be able to demonstrate that they have data protection policies and procedures in place and that they are in compliance
- Privacy notices should be in place (waiting room, website) and policy documents should be available to patients
- All data breaches that result in a risk to an individual’s rights must be notified to the Data Protection Commissioner without undue delay and within 72 hours
- There are potentially significantly increased penalties for non-compliance or breaches, and you may be sued by an individual.
While this looks somewhat daunting, there are some sensible measures that GPs can put in place to avoid problems.
Examples of data protection policies and procedures can be found in a number of guideline documents. Although this is not the only reference available, for consistency this article will refer to the ICGP publication Processing of Patient Personal Data: A Guideline for General Practitioners, which was specifically written for Irish GPs. It will also be subject to regular review, particularly in the coming months as the interpretation of data protection regulations evolve.
The cornerstones of compliance are clear policies and good staff training. Training should include all staff – GPs, nurses and office – and a record of all training should be retained. There is no specifically recommended training, but consideration should be given to a practice meeting, reference reading material or online education. What may be most helpful is to discuss issues and queries as they arise, and to keep a record of these. Practice policies should be reviewed regularly, and informal discussion may be an appropriate form of ongoing training.
While all should be trained, it is a requirement for a practice to have a data controller. This may be the practice if it is a legal entity, or one or all of the GP principals. Nominating all GP principals in the practice to be joint data controllers may encourage shared responsibility, while at the same time nominating an individual GP or other practice member as a data protection lead. The data protection lead would be the person(s) responsible for the implementation of the practice policies. The full responsibilities of the data controller are laid out in Part 1, Section 2 of the ICGP guidelines.
There is also a role of Data Protection Officer (DPO) described in GDPR, which is required where processing of personal data is taking place on a large scale. The current ICGP position is that most general practices are not “large scale” (although the definition is vague) and, therefore, that the appointment of a DPO is not essential. According to ICGP guidelines, there may be a requirement to appoint a DPO in a large general practice or when a commercial organisation manages a number of different practices. Medical Protection will be looking at this aspect of the regulations in more detail over the coming months, and will update members when we have greater clarity.
A fundamental aim of practice data protection policies should be to prevent either wilful or accidental loss, destruction, alteration or unintended access to personal data. However, in the eventuality of a data breach occurring, it is essential that the practice should have clear documentation available.
Recommended documents would include:
- Practice privacy statement
- Record of processing activities
- Data protection accountability log and training record
- Confidentiality agreements (staff, medical students)
- Data breach protocol and record
- Internet security policy.
Examples of most of these are to be found in the guidelines. It would be sensible to keep all relevant documents in a dedicated data protection folder, which would be readily available to access.
Audit your security
As well as preparing documentation, it is required under GDPR that regular information security audits are performed to ensure that patient data is secured appropriately. The audit would include reviewing all hardware and software in the practice network, virus and malware protection, areas of internet connectivity and data back-up. This is a technical challenge and likely to be beyond the capabilities of most GPs or their staff, and therefore will likely require GPs to commission an external expert. If GPs have hardware support, their suppliers who know their systems may be well placed to perform this audit. It is recommended that GPs who have not yet commissioned an initial audit should do so as soon as possible.
While technical security can be provided by experts, it is important that all members of the practice adopt sensible online behaviour to minimise the risk of cyber attacks. Accessing information from the web is now a part of clinical practice, but it would be recommended that only approved and recognised websites be visited, and for work-related activity only. Social media and shopping sites should not be visited from practice computers. Likewise email activity should be restricted to work-related, and staff should be shown how to avoid various malware. Healthmail is the free secure email available to all GPs/practices that connects to the majority of health institutions and related agencies: it is likely that GDPR will lead to an increased use of Healthmail in the years ahead. The use of fax is not prohibited under GDPR but carries a higher risk to data security.
It is also important to remember that most general practices have an additional data protection role as small businesses. It is equally necessary that any other personal information such as staff files, employment details, bank accounts and other business information should be subject to appropriate levels of security.
Attention to detail
The successful implementation of data protection policies is likely to require attention to detail. It is not just about technical matters. Data breaches might occur if the wrong prescription, letter or result is issued to the wrong person. Leaving reports or letters in the wrong place, or computer screens unlocked and visible, could be simple causes of problems. Third party requests for information can also be challenging; however, the situations in which these occur tend to be repetitive, and are best addressed by a consistent policy.
Having understood the principles of data protection, GPs and practice staff should adopt safe procedures that minimise risk. In time it is hoped that these would not be intrusive; rather they will become standard practice or second nature. For unusual or challenging circumstances, a conservative approach is likely to be best, and if in doubt your medical defence organisation would be pleased to offer advice.
Medical Protection advice
In summary, Dr Rachel Birch recommends that you:
- Familiarise yourself fully with the ICGP guidance1 and ensure that you check it regularly in the coming months, as there may be changes once the GDPR is in force.
- Review the Data Protection Commissioner (DPC) website dedicated to the GDPR.2
- Follow the DPC’s GDPR checklist for organisations.3