Between 2015 and 2017 the Information Commissioner’s Office (ICO) received nearly 4,000 complaints from members of the public about data protection issues from the healthcare sector – significantly more than from any other sector.
Of these complaints, some 2,000 related to subject access requests, around 600-700 were about disclosures of information to third parties and the other main area related to inaccurate data or security breaches. In 1,300 of these cases some action had to be taken.
Over the same period, there were also 1,900 data breaches in the healthcare sector that were self-reported to the regulator.
These figures were presented by ICO senior policy officer Andrew Rose at the Practice Managers Association annual conference in Manchester last week. Mr Rose was using the figures to highlight why data protection is something that every practice needs to take seriously. He went on to discuss what practices can do to prevent complaints and data breaches.
The information below is taken from his presentation to the conference.
First steps in data protection
- What data do you have? Understand what personal data you are processing, why you are processing it and who you’re sharing it with. Think about all of your sources of data and work out exactly where it is held – computers, paper files, mobile devices, multiple copies of the same information on different devices – and every location in which you’ve got data. This creates an information assets register for your practice. Don’t forget to include information you hold on employees, for example, HR files.
- Create a network of information asset owners, particularly in larger organisations, so that named people have responsibility for looking after the personal data you are processing.
- Fair processing – you need to tell people what you do with their data. Patients need to understand how and why their personal data is used, who it is shared with and under what circumstances. Look at the ICO Privacy Notices Code of Practice for information on how to do this and what your responsibilities are. You should also be able to get help and support from your CCGs on this.
Guarding against data breaches
- Security is a critical component of your data protection process. Actively apply security to both electronic and paper records. You are obliged to protect against unauthorised and unlawful access as well as modification and loss. Don’t just think about external attacks but also about what can happen inside the organisation. Train staff – think about how you can make sure people are aware of the risks, and then take steps to train them to mitigate those risks.
- Don’t forget about physical security of your buildings and devices. If anyone is doing mobile working make sure you use encryption.
- Do people take files off site? If so, think about how you can move information securely. For paper records you need procedures about how they are stored, transported and how they are disposed of when they are no longer needed.
- Make sure you have disaster recovery in place.
- Take extra care when you are dealing with sensitive personal data.
- Leadership is vital. Enthusiasm for doing data protection right has got to come from the top. If you don’t believe in it, that attitude will spread throughout your practice; staff won’t respect it or do the right thing, and that could put your practice at risk.
- Undertake a risk assessment – think about the biggest issues in your practice and then prioritise those areas.
- Make sure you have policies and procedures in place for subject access requests and other disclosures, particularly for disclosures to the police.
- Check your policies are being followed.
- Is your technology up to date? If you are in control of IT in your practice, look at Cyber Essentials, which provides some good fundamental steps you can take that can protect against around 80% of cyber attacks.
- Challenge contractors and processors to make sure they are helping you meet your data protection obligations.
- Staff training is crucial. Make sure staff get training when they start and that it’s refreshed on a regular basis. Think about the different roles and jobs that people do and their relationships with data. You may need different training for different staff.
- Collaborate – work with other practices so that you can share the load. You can adopt policies across whole areas. Networking groups can provide a good opportunity to share good practice and information.