GDPR for Practice Managers
General Data Protection Regulation
Dr Nick Lowe Stephen Toulmin (Senior Executive Lead) Lancashire & Cumbria Consortium of LMCs
www.nwlmcs.org April-May 2018
GDPR Day, 25th May 2018: which one are you?
- Brave face
- Fear
- It's all a fuss over nothing
- Sorted?
Overview of the GDPR, focusing on issues that impact GPs and the health sector:
- Headline issues and changes from the current data rules
- Key terminology, concepts and definitions
- Practical advice on next steps
- Resources: health sector specific guidance and keeping informed (DPA 2018 not in place yet)
- If time: the new 10 NHS data security standards and the DSP toolkit
- Questions and answers, and your views/concerns
The information today has been drawn from key documents and other sources for general supportive guidance only. It is not intended to be taken as accurate legal advice. The LMC consortium is not undertaking the role of a DPO; CCGs/CSUs are expected to have a future role in providing DPO support to practices. If in doubt, obtain advice from an Information Governance specialist or your DPO service.
A Whistle Stop Tour – a lot to cover. Collaborate and share.
FALSE. Two quotes from the Information Commissioner Elizabeth Denham's blog best set this to rest: "GDPR compliance will be an ongoing journey"; and "… if you can demonstrate that you have the appropriate systems and thinking in place you will find the ICO to be a proactive and pragmatic regulator aware of business needs and the real world".
FALSE. The GDPR sets a high standard for relying on consent, especially where that data is health related. However, it also provides alternative conditions that can be relied on instead of consent.
The Information Commissioner's Office (ICO) can levy fines of up to £17 million?
TRUE, but the ICO has been a pragmatic and constructive regulator. It is likely that large fines will only be used where organisations wilfully ignore their
As the Information Commissioner has said: "Issuing fines has always been and will continue to be, a last resort."
Remember we are already expected to follow good IG practice, and much will not be new: confidentiality (common law duty); the Data Protection Act 1998 will go, replaced once the Data Protection Bill becomes the DPA 2018 (GDPR and DPA 2018 in place side-by-side); good record keeping (good practice).
Step by Step but have a plan!
- Convene a small team, ideally a PM group and at practice level
- Use the LMC website (nwlmcs.org) GDPR page
- Read the BMA, ICO (12 steps), IGA/NHS Digital guidance and the ICO GDPR webpages (detailed but good)
- GPC GDPR document Dropbox: Dr Paul Cundy (inc. privacy templates)
- Alert partners to their responsibilities (NHS contract data controllers)
- Designate a practice DPO
- Draw up a plan with a target date, e.g. 6 months to full compliance, as evidence of working towards it
- Staff awareness: everyone (ICO posters)
- Ensure the CCG IT agreement is signed
- Review data processes at the practice: incoming/internal/external
- Check with the CCG what extractions are undertaken
Can be done with collective knowledge and through collaboration
What data do you hold? How do you collect it? Where and how is that data stored? Who has access to it? How is the data currently used? Data flow mapping, information asset register.
How do you communicate your use of data to patients? Transparency, patient rights, consent, how you keep data safe, when you share. Fair processing/privacy notice templates, 'How we use your data' on the website and a patient leaflet. Providing patient information: basic notices with pointers to more detailed information, e.g. the NHS Choices health record information page.
How do you demonstrate compliance and assurance? Completing the IG/DSP Toolkit: are you confident about your processes? Keep records, training, a staff DSP questionnaire, regular audit of processes.
Be ready to implement key changes:
- Breach notifications: brief staff on the new requirements and have a clear process. Log breaches on a spreadsheet or Datix. The IGA is to publish further breach guidance. Do a baseline survey of potential breaches, risks and near misses.
- Subject Access Requests: no fees; tighten processes and the recording of response progress; third-party redactions. New: negotiating with the patient and targeting the SAR to minimise processing. Open up records for direct access?
- Designating a DPO, undertaking a DPIA when appropriate.
Get ready to change processes and ensure staff are aware.
Need to repeatedly read and discuss to familiarise with new concepts and requirements See links on the LMC website : GDPR support page : www.nwlmcs.org
Information Commissioner's Office: a good source of detailed and practical advice. Do look at the website's GDPR section.
Patients are Data Subjects (DS).
Promote and demonstrate a culture
Poster sets downloadable from the ICO website: Think-Check-Share, Think Privacy. https://ico.org.uk/media/for-organisations/think-check-share/1043597/think-check-share-toolkit.pdf
https://www.dropbox.com/sh/h22kak6pxlt8ily/AAB4gAuHKib_MZ44Xi3AbAf4a?dl=0
Dr Paul Cundy IT GPC – set of GP blogs, documents and template privacy notices
Informed source of GP IG advice. Be prepared for many new concepts and terms. Personal opinion blogs and options are discussed as well as official guidance. Periodic updates will be posted as the new rules become more understood and integrated. See links on the LMC website GDPR support page: www.nwlmcs.org
Access may be restricted from within a secured network
A new Hub Page for GDPR information has now been launched on the BMA website.
https://www.bma.org.uk/advice/employment/ethics/confidentiality-and-health-records/general-data-protection-regulation-gdpr
Aim: To protect citizens from privacy and data breaches/misuse Recognition of the 21st Century Social Media World and risks to our data
2018) proceeding through parliament. Further changes may apply.
permissions for it to be used or shared.
comply with the new law and also demonstrate that they comply
training and Audits
the regulation – not just data breaches.
the ICO within 72 hours where risk to data subjects.
records to patients or staff who make a subject access
Positive legislation that should increase trust – but will involve new work
public authorities (GPs).
risk or new processing. (Further guidance expected.)
processes at an early stage.
information to data subjects about how their information is used.
processing (there are alternatives to consent).
Any information that can be used to identify a living person - directly or indirectly – or that relates to them. What does that mean?
address, e-mail address, photo etc.
being identified (which could be: physical, mental, economic, social, genetic or cultural). Great care and consideration needs to be taken with sensitive personal data e.g. health data, religious beliefs – but we do that already!
Important to read through for the main concepts and planning ICO website is very helpful
- Lawful, fair, transparent
- Purpose limitation: not re-used
- Data minimisation: relevant
- Accuracy: rectifications
- Storage limitation: retention
- Integrity and confidentiality
The eight principles under the old Data Protection Act 1998 (DPA 98) remain valid under the GDPR and can be the starting point to build from.
understand and document this clearly and inform patients in privacy notices and SAR replies
interests.’
make sure you clearly document your lawful basis so that you can demonstrate your compliance
guidance page
Regulation-guidance
All NHS GP practices must designate a DPO: it is mandatory, no debate. The DPO needs appropriate knowledge of the GDPR and no conflict of interest. There are clearly defined expectations of the role, with specific tasks and activities under the GDPR:
laws
data protection activities, raising awareness of data protection issues, training staff and conducting internal audits
whose data is processed (employees, patients etc).
into account organisational structure and size, and may be either a member of staff
approach. A DPO cannot hold a position within the organisation that leads them to determine the purposes and the means of the processing of personal data.
Handed
See IGA , ICO and BMA guidance
NHS England will shortly publish an addendum to the GP IT Operating Model
services will include advice and support to GP designated DPOs.
practices are ultimately responsible.
recommend you monitor their webpages for updates.
https://www.england.nhs.uk/digitaltechnology/info-revolution/digital-primary-care
Recent advice is that CCGs will be REQUIRED to provide DPO ‘support’ but not an actual DPO. Some may offer to provide a DPO but likely at a cost. (April 2018)
The GDPR provides the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
practices must adopt organisational and technical data protections and consider risks of other systems used.
processing for ‘direct care’
what reason –simple language no ‘legalese’
Financial impact for practices (Don’t shoot the messenger!) Reduced time to reply to 1 calendar month
continuing to process – will rarely apply to GP records
apply to health records. But consider requests case by case. Erasure is not available if the processing is under a legal obligation or official authority, or is processing of special category health data under 9(2)(h).
won’t apply generally – only where ‘consent’ or ‘performance of contract’ are the legal basis for data processing.
The right to object to data processing does apply to patients unless there are compelling legitimate grounds to continue. In many cases GPs are likely to be able to demonstrate 'compelling legitimate grounds' for continued processing 'for the safe provision of direct care' and 'processing which is necessary for compliance with a legal
In addition there are medico-legal and contractual requirements to maintain accurate records.
Compliance must be actively demonstrated. For example it will be necessary to:
- keep and maintain up-to-date written records of data and flows from the practice, processing purposes and retention
- have a legal basis for these flows
- have data protection policies and procedures in place, e.g. for responding to SARs
- describe your technical and organisational security: DSP toolkit, ICO security checklist
- provide information in 'privacy notices' for patients (basic and detailed)
- report certain data breaches to the ICO within 72 hours (a legal requirement)
Other changes: significantly increased financial penalties for breaches as well as non-compliance; practices will not be able to charge patients for access to medical records (save in exceptional circumstances); response time reduced from 40 days to 1 calendar month; designation of Data Protection Officers.
Accountability & Transparency
CQC : Nigel’s Surgery data security and protection New DSP toolkit and staff questionnaire Completing the new Data Security and Protection Toolkit – GDPR overlap
toolkit 14.1 in 2018 – 10 data security standards
GDPR checklist for compliance
role in monitoring security standards
The special categories are:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data
- Data concerning health
- Data concerning sex life and sexuality
Lawful bases for processing personal data under Article 6 of the GDPR. At least one of these must apply for any data:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone's life.
(e) Public task: the processing is necessary for you to perform a task in the public interest.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual's personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
The Data Protection Bill 2018 includes proposals for additional conditions and safeguards, yet to be finalised. These bases need to be defined and included in privacy notices.
Conditions for processing special category data under Article 9(2). There are 10 available, but note 9(2)(h). Full detail on the ICO website.
(a) …the data subject has given explicit consent……
(b) …obligations and exercising specific rights … in the field of employment and social security and social protection law...
(c) …to protect the vital interests … where the data subject is physically or legally incapable of giving consent;
(d) … in the course of its legitimate activities with appropriate safeguards by a foundation, association or any
(e) …relates to personal data which are manifestly made public by the data subject
(f) …for the establishment, exercise … whenever courts are acting in their judicial capacity;
(g) …for reasons of substantial public interest
(h) …the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care ……
(i) …reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices
(j) …for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
IGA suggested legal bases for direct care and administrative purposes
Understand different forms of consent for Direct care & Data processing
Common Law Duty of Confidentiality: we have always had a requirement for confidentiality when giving direct care. We assume implied consent to share information when providing direct care, e.g. sending a hospital referral letter. This implied consent does not meet DPA or GDPR data protection requirements. However, this consent activity remains valid and integral to health and social care practice and has not changed.
GDPR Compliant Consent
..freely given, specific, informed and unambiguous..
Strict requirements may not be easy to meet. Will not be heavily used by us.
GDPR creates a lawful basis for processing special category health data for the provision of direct care that does not require explicit consent.
GP data controllers must establish both a lawful basis for processing and a special category condition for processing (will explain)
GDPR compliant consent must be as easy to withdraw as to opt in. It will only be used where consent IS optional, e.g. national audits such as the diabetes audit.
When deciding lawful bases for processing
Build and maintain an Information Register and record ‘Asset Owners’
Contact CCG IG teams to identify/confirm all current data extractions ? Lancashire Information Sharing Gateway : LPRES
Inputs: consultations, clinical letters, OOH, A&E, lab results, GP2GP, paper records from the previous practice, other sources
Patient EHR
Outputs: Summary Care Record, Local Care Record, paper records to PCSE, GP2GP to the new practice, letters/forms requested by the patient, Police (DP9), DWP (Med 3), shredding service, SARs, FP10, GPES/CQRS extract
Data processed/fed back as part of the business: referral letters, appointment reminders, Docmail, EMIS, ICE, ERS, cloud based support services (Lexacom), patient online services, GPES/CQRS, Docman, automated arrivals, iGPR
Workflow inputs and outputs:
parties)?
systems?
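The data flow map and information asset register above are what the practice has to be able to evidence: for each flow, who the other party is, what the data contains, the Article 6 lawful basis and, where the flow carries special category (health) data, the Article 9 condition. The following is an added example, not from the slides or from any NHS or LMC tool, of turning that register into something that can be checked automatically. The DataFlow fields, the check wording and the sample register entries are constructed for illustration; the rules applied are the ones stated elsewhere on this page (legitimate interests is closed to a public authority's official tasks, consent must be as easy to withdraw as to give, portability only applies under consent or contract).

```python
"""Data-flow register checker.

Added example, not from the LMC slides or any NHS tool. It models the
accountability record the slides describe: for each flow, who the data goes
to or comes from, what it contains, the Article 6 lawful basis and, where the
flow carries special category (e.g. health) data, the Article 9 condition.
Flow entries, field names and owner names are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# GDPR Article 9(1) special categories (with "racial or ethnic origin" as
# the regulation words it).
SPECIAL_CATEGORIES = {
    "racial or ethnic origin", "political opinions",
    "religious or philosophical beliefs", "trade union membership",
    "genetic", "biometric", "health", "sex life or sexual orientation",
}


@dataclass(frozen=True)
class DataFlow:
    name: str
    direction: str                        # "incoming", "internal" or "outgoing"
    other_party: str                      # hospital, CCG, supplier, etc.
    data_categories: Tuple[str, ...]      # e.g. ("health", "contact details")
    art6_basis: Optional[str]             # e.g. "6(1)(e)"; None if not yet decided
    art9_condition: Optional[str] = None  # e.g. "9(2)(h)"; needed for special data
    asset_owner: Optional[str] = None     # named person accountable for the asset


def is_special_category(flow: DataFlow) -> bool:
    return any(c in SPECIAL_CATEGORIES for c in flow.data_categories)


def portability_applies(flow: DataFlow) -> bool:
    """Art. 20 portability only where the basis is consent or contract."""
    return flow.art6_basis in {"6(1)(a)", "6(1)(b)"}


def check_flow(flow: DataFlow, *, public_authority: bool = True) -> List[str]:
    """Return the gaps a DPO would raise for one register entry."""
    findings: List[str] = []
    if flow.art6_basis is None:
        findings.append("no Article 6 lawful basis recorded")
    elif flow.art6_basis == "6(1)(f)" and public_authority:
        # Legitimate interests is closed to public authorities acting in
        # their official capacity; GP practices are treated as such here.
        findings.append("6(1)(f) legitimate interests cannot be used by a "
                        "public authority for its official tasks")
    elif flow.art6_basis == "6(1)(a)":
        findings.append("consent basis: withdrawal must be as easy as "
                        "opting in, and portability rights apply")
    if is_special_category(flow) and flow.art9_condition is None:
        findings.append("special category data without an Article 9 condition")
    if not is_special_category(flow) and flow.art9_condition is not None:
        findings.append("Article 9 condition recorded for non-special data; "
                        "check the categories")
    if flow.asset_owner is None:
        findings.append("no asset owner named")
    return findings


def audit_register(register: List[DataFlow], **kw) -> Dict[str, List[str]]:
    """Map each flow name to its findings; only flows with gaps are listed."""
    report: Dict[str, List[str]] = {}
    for flow in register:
        findings = check_flow(flow, **kw)
        if findings:
            report[flow.name] = findings
    return report


# Constructed sample register (illustrative entries, not a real practice's).
SAMPLE_REGISTER = [
    DataFlow("Referral letter to acute trust", "outgoing", "Acute hospital",
             ("health", "contact details"), "6(1)(e)", "9(2)(h)", "Practice Manager"),
    DataFlow("GPES/CQRS extract", "outgoing", "NHS Digital",
             ("health",), "6(1)(c)", None, "Practice Manager"),
    DataFlow("Appointment reminder SMS", "outgoing", "Messaging supplier",
             ("contact details",), "6(1)(f)", None, "Reception Lead"),
    DataFlow("National Diabetes Audit", "outgoing", "Audit provider",
             ("health",), "6(1)(a)", "9(2)(a)", None),
]

if __name__ == "__main__":
    for name, gaps in audit_register(SAMPLE_REGISTER).items():
        print(name)
        for gap in gaps:
            print("  -", gap)
```

Running the file prints the gaps in the sample register: the GPES extract has a lawful basis but no Article 9 condition for health data, the SMS reminder relies on legitimate interests, and the audit flow is consent-based with no named owner. The referral letter passes because it records both 6(1)(e) and 9(2)(h), the pairing the privacy notice section of this page gives for direct care.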
Templates are available View other practice websites
The first principle of the GDPR requires data controllers to process the data they hold ‘fairly’, ‘lawfully’ and ‘transparently’.
Should include the following:
6(1)(e) and 9(2)(h)
data corrected
This does not generally require every patient to be informed directly but the ICO expects reasonable attempts to be made to inform patients about how their medical records are handled. The ICO suggests that a layered approach can be used. Basic information from a variety of settings and formats with signposts to more detailed information, for example, the practice website or
GPC Dropbox has some templates
Example for GP as Employer : GPC dropbox
NHS choices health record information page Add a link on practice website?
https://www.bma.org.uk/advice/employment/ethics/confidentiality-and-health-records/access-to-health-records
BMA access guidance is being updated Under the GDPR, individuals will have the right to obtain:
be provided in a privacy notice. You must provide a copy of the information free of charge. A 'reasonable fee' is possible when a request is 'manifestly unfounded or excessive', particularly if it is repetitive, e.g. the same data requested again within 6 months. Respond without delay and at the latest within one month of the request. The period for compliance can be extended by a further two months where requests are complex or numerous.
Request could be verbal or written – staff need to recognise a SAR Will there be many more after GDPR ?
and processing information
explain how patient can complain against the decision
reply within 1 month and explain reasons
voluntarily and freely – e.g. if just about a particular period or episode
accurate
common digital format
a good future option for a SAR
Update processes and logging Have a Designated Admin Role?
Responding to requests
What is a Data Protection Impact Assessment (DPIA)? A DPIA is a mechanism for identifying, quantifying and mitigating data privacy
new process, system or ways of working involving the use of high risk processing (such as processing “health data”) is introduced. When undertaking a DPIA, an organisation’s designated Data Protection Officer must be consulted.
A data protection impact assessment (DPIA) is mandatory when practices engage in new data sharing arrangements or where new technologies are being
proportionality of the processing in relation to the purpose, an assessment of the risks posed and how the risk will be mitigated This assessment must be carried out by the practice – more detail expected The ICO are drafting guidance in relation to this process.
A breach: anything that affects the confidentiality, integrity or availability of personal data, e.g. personal data is wrongly accessed/shared, lost, destroyed, corrupted, wrongly disclosed or made unavailable.
needed.
and freedoms’
informed directly
What breaches do I need to notify to the ICO?
damage to reputation, financial loss, loss of confidentiality or other significant economic
Consider who else may need informing – DPO/CCG/IT/IG support ?
‘High Risk’ – not defined
Must keep a record of any personal data breaches, regardless
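Two of the deadlines on this page are easy to get wrong by hand: the one calendar month for a SAR (with the two-month extension) and the 72 hours for reporting a breach to the ICO. The following is an added example, not from the slides, the ICO or any NHS tool, of encoding those counting rules so a breach log or SAR tracker computes the date rather than a member of staff. The counting convention is an assumption stated in the code (count from the day after receipt to the corresponding calendar date, clamp to the month end, roll weekends and supplied bank holidays forward); ICO guidance on the start day has changed over time, so it is a parameter. The dates and the bank holiday set are constructed for illustration.

```python
"""Statutory deadline helpers for SARs and breach notifications.

Added example, not from the LMC slides or the ICO. It encodes the counting
rules assumed here: a SAR must be answered within one calendar month
(extendable by a further two months when complex or numerous), counted from
the day after receipt to the corresponding calendar date, clamped to the
month end when that date does not exist (31 Jan -> 28 Feb), and rolled to the
next working day when it lands on a weekend or a bank holiday supplied by the
caller. ICO counting guidance has changed over time (later guidance counts
from the day of receipt), so the start day is a parameter. A breach must be
reported to the ICO no later than 72 hours after the controller becomes
aware of it.
"""
import calendar
from datetime import date, datetime, timedelta
from typing import FrozenSet


def add_months(start: date, months: int) -> date:
    """Corresponding calendar date `months` later, clamped to the month end."""
    index = start.month - 1 + months
    year, month = start.year + index // 12, index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def next_working_day(day: date,
                     bank_holidays: FrozenSet[date] = frozenset()) -> date:
    """Roll forward past Saturdays, Sundays and the supplied bank holidays."""
    while day.weekday() >= 5 or day in bank_holidays:
        day += timedelta(days=1)
    return day


def sar_deadline(received: date, *, extended: bool = False,
                 bank_holidays: FrozenSet[date] = frozenset(),
                 count_from_day_after: bool = True) -> date:
    """Latest date to respond to a subject access request received on `received`."""
    start = received + timedelta(days=1) if count_from_day_after else received
    months = 3 if extended else 1   # one month, or one plus the two-month extension
    return next_working_day(add_months(start, months), bank_holidays)


def breach_notification_deadline(became_aware: datetime) -> datetime:
    """Article 33: notify the ICO no later than 72 hours after becoming aware."""
    return became_aware + timedelta(hours=72)


def sar_status(received: date, today: date, **kw) -> str:
    """'open', 'due today' or 'overdue' for a request logged on `received`."""
    deadline = sar_deadline(received, **kw)
    if today < deadline:
        return "open"
    return "due today" if today == deadline else "overdue"


if __name__ == "__main__":
    # Constructed dates for illustration; 7 May 2018 was the early May bank holiday.
    early_may = frozenset({date(2018, 5, 7)})
    print(sar_deadline(date(2018, 1, 30)))                            # 2018-02-28
    print(sar_deadline(date(2018, 4, 6), bank_holidays=early_may))    # 2018-05-08
    print(sar_deadline(date(2018, 9, 3), extended=True))              # 2018-12-04
    print(breach_notification_deadline(datetime(2018, 5, 25, 9, 0)))  # 2018-05-28 09:00:00
```

The month-end clamp is the case a spreadsheet formula that simply adds 30 days gets wrong, and the working-day roll is where a practice that closes on a bank holiday would otherwise log a response as late. Whatever convention the practice adopts, record it alongside the deadline in the SAR log so the reasoning can be shown if challenged.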
Some questions. How do we minimise breaches and adopt best practice?
- Do staff recognise breaches?
- Do staff know how to notify the right people?
- Do senior staff act on breaches, and inform patients and the ICO if required?
- Do breaches get recorded/logged (Datix or another process)?
- Do breaches get shared across practices, on meeting agendas?
- What is learned from breaches, and how does it inform processes?
Under the current DPA, data controllers are required to notify the ICO that they are processing personal data and pay a fee (£35 for most organisations). The new data protection fee replaces the current requirement to 'notify' (or register) under the Data Protection Act 1998.
On 25 May 2018 this arrangement changes under new regulations. The fee payable is £40 if under 10 staff, £60 for most organisations, or £2,900 if over 250 staff (£5 discount for direct debit). The ICO has the power to enforce the 2018 fee regulations, with penalties for those who refuse to pay.
The new fees will be phased in as an organisation's existing registration expires. If your registration has recently expired, the highest fee (£2,900) will be requested unless you contact the ICO to inform them otherwise. https://ico.org.uk/media/for-organisations/documents/2258205/dp-fee-guide-for-controllers-20180221.pdf For the full GDPR regulations: https://www.eugdpr.org/
https://www.gov.uk/government/publications/data-security-and-protection-for-health-and-care-organisations Training: https://www.e-lfh.org.uk/programmes/data-security-awareness/
2017-18 Data Security and Protection Requirements. The Data Security and Protection (DSP) Toolkit replaces the Information Governance (IG) Toolkit and applies to all health and care organisations.
CQC well-led criteria
data and cyber security in the practice
previous IG training
responses to CareCERT advisories through CareCERT Collect. (Even if not directly relevant to GP)
including response to data and cyber security incidents