Barely a week goes by without another organisation being called before the Information Commissioner's Office (ICO) for breaching the Data Protection Act (DPA). New powers permit the ICO to issue fines of up to £500,000 and some breaches are criminal offences carrying custodial sentences.
Getting to grips with the legislation is not easy, but the following practical tips will help you keep your data safe and protect you and your practice from falling foul of the DPA.
What are your legal responsibilities?
Responsibility for personal data rests with the data controller: the patient’s registered GP. However, the patient might see any partner, making GPs ‘data controllers in common’, where responsibility lies with the partner responsible for the breach.
This does not absolve employed practice staff of responsibility, however. They must follow their employer’s clear definition as to which personal data they may access, how they can use them, and for what purpose. If they stray from this, they will be guilty of unauthorised processing of personal data.
Practice-wide breaches are likely to be the responsibility of the senior partner or the partner responsible for making decisions in the breach area. Audits are the only way of ensuring you are operating within the law.
DATA PROTECTION ACT PRINCIPLES
Personal data must be:
What can and cannot be shared?
Sharing personal data for the purpose of patient care is, of course, perfectly acceptable.
When sharing personal data, keep a record of what was shared, why, with whom, and how it was shared (for example, by email).
Avoid sharing data by telephone, as in the event of a breach, the audit trail is harder to establish and could leave you exposed.
Requests for data from organisations such as insurance and law firms require consent from the data subject (patient or staff member, say). Where sensitive personal data is requested, the consent must be explicit. Obtaining consent from employees is often viewed as duress, so beware. And when seeking consent, always consider the data subject’s mental capacity.
Police requests require a court order. When asked for this, police officers often quote DPA exemption, section 29 (3) (crime and taxation), claiming it permits them access. It does not.
The exemptions are for the benefit of the data controller. The buck stops with you, so consider your actions carefully. Using the Act, record how you came to the decision to release (or not) any personal data. Remember that the data subject has rights.
A parent may make a request to see their child’s medical records. But no matter how young, the child is still a data subject and still has rights. According to the Act, parents do not have access to their children’s personal data.
How should data be transported?
If at all possible, anonymise the data or remove as much of the personal content as you can. If you are transporting sensitive personal data, you must take greater precautions. The level of security you use should be proportionate to the consequences should that data get misplaced.
Only take the records you need out of the surgery. Keep them locked in the boot of your car, and only carry the file needed for the specific patient concerned (in a locked bag).
Personal data stored on electronic devices, such as laptops, smartphones or memory sticks, must be encrypted and only accessible with a password. If your mobile device does not meet these criteria, do not take it out of the surgery premises until security is rectified.
What training should you provide?
What should you do in the event of a breach?
Your practice should have a data security breach policy that tells you what to do. Inform the data controller and senior management team. Accurately record the event which led to the breach; how you responded; which data were breached; and how you contained the situation.
Informing the ICO and the data subject is optional; base the decision on the data breached, the possible consequences and your moral judgement.
- David Taylor is the principal Data Protection Act practitioner at Data Protection Consultancy, www.dataprotectionconsultancy.com