Is the NHS GDPR Ready?

The General Data Protection Regulation (GDPR) will become law on 25th May 2018, superseding the twenty-year-old Data Protection Act, which is no longer fit for purpose in this Digital Age.

GDPR enhances data protection laws across both the United Kingdom and European Union. Organisations, particularly those whom collect, process and share vast quantities of personal data will need to ensure that they are compliant or face action from the Information Commissioners Office (ICO). If organisations are found to be at fault, they may face hefty fines, either a maximum of €20 million or 4 percent of the organisations turn over, depending on the severity of the breach.

There has been some debate over whether, or not, the NHS need to adopt processes and policies aligned to GDPR. Some say it will only apply to commercial organisations or that “We are leaving the EU, so it no longer is applicable to us”. However, this is not true.

The UK is still a member state of the EU until the end of Article 50, which does not cease to exist before 25th May 2018. The UK will also be going further than just complying with the minimum standard or GDPR – The UK Data Protection Bill 2017, will implement the further articles of GDPR along with some additional legislation, that can be adopted at government digression.

Therefore, both private and public-sector organisations in the UK will need to address GDPR by 25th May 2018. There has been a grace period already, so this is the effective date.

For the NHS, it is particularly important that they adopt the principles of GDPR, to the correct standard, before it is implemented. The NHS holds extremely sensitive health data, on the majority of the population. The large quantities of data held centrally and shared by NHS England, NHS Digital, the Department of Health, regional trusts, Primary Care, Clinical Commissioning Groups, Private Hospitals and outsourced administration functions plus the differing privacy policies across multiple trusts, places NHS England, at risk of failing to comply with GDPR.

GDPR is there to enhance the citizen’s data rights. In regard to patients, it is going to enable their right to provide permissions for specific data processing and sharing methods. The NHS relies on patient data to operate effectively, with data sharing across the health sector. This can include many hand offs of information. Most patients do not understand the complexities of the NHS infrastructure thinking it to be one big single entity. It’s not.

Patient data is also shared with organisations outside of the NHS to generate new medical techniques and improve the operational efficiency of the NHS. Therefore, improvements regarding the transparency of what, where and which data is being processed about patients needs to take place to ensure patient trust is not undermined.

However, from primary research conducted by MyLife Digital, we have found that some NHS trusts are yet to update their privacy policies – a most simple step towards compliance with GDPR. Two main non-compliance issues were identified.

When trying to obtain a patient’s medical records, which is classed as a Subject Access Request (SAR)[1], we found a lengthy, out-dated system was still in place.

To obtain medical records from a hospital trust, a paper form needed to be sent to the specific trust.

Firstly, it was indicated that a request could take up to forty days to process, with no clear indication that the request would be granted and supplied with that time period.

GDPR clearly states that an organisation has no more than a month to provide requested data by the data subject (patient).

Secondly, the Trust clearly states a cost for the information. Under GDPR citizens have a right to obtain information without a financial transaction needed to secure it, rightly empowering the citizen.

Each trust is responsible for setting its privacy policy and complying with GDPR, with guidance from NHS England and Information Governance Alliance (IGA). The IGA have published a checklist of guidelines for trusts to follow, when preparing for GDPR.

Last September we did see encouraging progress from the Secretary of State for Health and Social Care, Jeremy Hunt, suggesting steps to improve trust and transparency between patient and the NHS. The Department for Health and Social Care aim to have a policy in place where all patients should have access to an “integrated app” to access NHS 111, view their health record, book a GP appointment and order repeat prescriptions[2], taking a step forward, with the aim of this decade becoming “the decade of patient power”.

However, at MyLife Digital, we can go a step further. We supply a permissions platform, aptly named Consentric Permissions. Our platform not only allows an organisation to be compliant with many of the associated article of GDPR[3], but it helps to rebalance trust and control of personal data between the organisation and the citizen in accordance with the six lawful processing justifications – not just consent.

It is vital the NHS acts quickly to ensure they are GDPR ready by 25th May this year. Not only will it mean avoiding fines for an already cash-strapped NHS, but it will also ensure that patients are fully aware of how their data is collected and shared.

By GDPR encouraging NHS trusts to adopt a more transparent outlook, research shows[4] that patients will be more likely to grant permission for the NHS to use their data, as long as they are made aware and that there is a clear value exchange between all parties, for productive means, creating both a public and private benefit – which could improve general research, health, wellness and care of society as a whole. It’s time for the NHS to get serious about GDPR.

 

Harry Cromack

Policy Analyst – MyLife Digital

[1]                  https://digital.nhs.uk/article/6851/How-to-make-a-subject-access-request

[2]                 https://www.digitalhealth.net/2017/09/hunt-promise-every-nhs-patient-app-access-records/

[3]                 https://consentric.io/wp-content/uploads/2018/01/A4-Consentric-Permissions-Product-Overview-WEB-MLD-GEN-002-3.pdf (page 4)

[4]                  https://wellcome.ac.uk/sites/default/files/public-attitudes-to-commercial-access-to-health-data-wellcome-mar16.pdf

Click here for a downloadable version of this blog