LEGAL/ETHICS
Data protection law – no longer a toothless tiger
GPs will need to become fully up to speed with onerous new laws which introduce severe penalties for data breaches. He provides a guide on taking steps to ensure compliance by next spring
November 1, 2017
-
An early literary citing of ‘shooting the messenger’ in Plutarch’s Lives states: “The first messenger, that gave notice of Lucullus’ coming was so far from pleasing Tigranes that, he had his head cut off for his pains; and no man dared to bring further information. Without any intelligence at all, Tigranes sat while war was already blazing around him, giving ear only to those who flattered him.” (Plutarch’s Life of Lucullus, extracted from Wikipedia)
So here’s an important message: the General Data Protection Regulation (GDPR) is a European Union regulation intended to unify and strengthen data protection for European citizens. GDPR comes into effect on May 25, 2018. It will replace the existing Data Protection Acts 1998 and 2003. GDPR will come into effect on time, and it has major implications for how GPs, as data controllers, and their staff manage personal health information.
GPs will need to be aware of the changes in data protection related to GDPR and take action in their practices to be compliant with the new regulation when it comes into force. There will be changes in a number of different areas:
- The Data Protection Commissioner (DPC) can impose substantial fines for non-compliance with GDPR. Fines of up to €20 million can be imposed, depending on the seriousness of the breach
- Patients can sue GPs for compensation for damage suffered as a result of a breach of the GDPR
- GPs must notify the DPC within 72 hours of a data breach
- Patients must be provided with their personal data within one month of an access request
- There is a new data protection principle of accountability, which requires data controllers to demonstrate how they comply with the data protection regulation
- The powers of the Data Protection Commissioner are strengthened.
Actions needed at practice level
The first steps are to be aware of the changes and accept you are going to have to spend time and money on data protection. You need to identify a lead GP in the practice to get informed and lead out the necessary protocols, training and actions. Here is a task list for your consideration:
- Schedule a practice meeting to discuss GDPR and identify a GP lead for GDPR.
- Review the ICGP guidelines on data protection from 2011, available at http://www.icgp.ie/data. These are a good start, but not totally sufficient for GDPR
- Complete the General Practice Data Protection Checklist, available as Appendix 6 on www.icgp.ie/data
- Commission an IT company to carry out an information security audit of your practice, to ensure your protocols and technology are up to date in respect of viruses, malware and backups
- Develop procedures and protocols around how your practice supports GDPR, including the management of access requests, information for patients and management of data breaches
- Train your GPs and your practice staff
- Review your contracts with your GP practice software vendor
- Review your data protection agreements with external agencies such as Healthlink and Healthmail
- Reconsider your use of insecure and unsafe faxes.
Huge task
As you can see from the initial task list above, this is a huge body of work. It is important to start now. May 2018 is coming up fast. The following Q&A addresses some of the general practice issues involved:
Q. Why is GDPR being introduced?
The stimulus to develop GDPR comes from the rapid expansion in computing power over the past 20 years and the impact of data science. The EU Data Protection Directive of 1995 led individual states to introduce their own legislation. Different laws were introduced in different EU states, with differences in implementation between jurisdictions. GDPR is a regulation, not a directive. It is essentially an EU law that is the same across all states. It strengthens and unifies data protection for all individuals in the EU and deals with the export of personal data outside the EU. It will have major impacts on companies such as Facebook, Twitter, Microsoft and Apple.
Q. In terms of risk management, what are the most important tasks for GP practices?
I believe there are three high risk areas. Are your IT systems up to date and secure and have you taken all reasonable steps to guard against hackers, viruses and malware? Secondly, are you aware of your responsibilities under GDPR and have you procedures and protocols and documentation in place to prove that you are accountable? And lastly, have you trained your GP partners and your support staff, both clinical and administrative, so that they are aware of their responsibilities in terms of privacy, confidentiality and data breaches?
Q. It is going to cost a lot of money to be compliant with GDPR? Are there financial supports or grants available from the HSE or the State?
No. Compliance with GDPR is now a cost of doing business. If you are not compliant and a data breach occurs then you risk facing heavy fines from the Data Protection Commissioner (up to €20 million or 4% of a company’s turnover, whichever is greater). Furthermore, a patient of yours who suffers damages due to a data breach at the practice level may now sue you for compensation.
Q. What is the first thing I should do?
Have a look at http://gdprandyou.ie/organisations/ and the 12-step programme outlined on this site by the Data Protection Commissioner. The first step is becoming aware that the law is changing to GDPR and that you need to be compliant. GDPR is as important to your practice as maintaining your registration with the Medical Council and having medical indemnity insurance.
Q. Will our practice need to employ a data protection officer?
The data protection officer (DPO) is an important component of GDPR. A DPO is meant to have an expert knowledge of data protection and the legal aspects of GDPR. A DPO may be a member of staff with the appropriate training, an external consultant or a shared outsourced service.
A DPO is needed by all public authorities and bodies, including the HSE and the voluntary hospitals. A DPO is also needed where the core activities of the organisation consist of special categories of data, such as health data. The Data Protection Commissioner is clear that “processing of patient data by an individual doctor” does not require the appointment of a DPO. It is not clear what the cut off mark is and what is meant by processing on a large scale of special categories of data. Would a three-doctor practice need to appoint a DOP? Would a 10-doctor practice need to appoint a DPO? It seems clear that a large commercial organisation that runs several different general practice sites will need a DPO. We don’t yet know all the answers. You can read more about the role of the data protection officer at http://gdprandyou.ie/data-protection-officer/
Q. What outflows of data are GPs most concerned about?
The normal outflows of data, for example referrals to secondary care or requests for diagnostic tests are part of the routine work of general practice. They are part of the contract between the patient and the GP. Many GPs have expressed concerns about broad requests for patient records, coming in as part of a Data Protection access request or a freedom of information request from agencies, companies and solicitors. These, even though they include patient consent, are a very broad and indiscriminate way of requesting information on specific aspects of care or medical history. In some senses, they are gaming the Data Protection environment. One GP referred to it as a ‘phishing technique’.
Q. What is the ICGP doing to assist GPs with GDPR?
The ICGP has identified a number of deliverables on GDPR and plans to engage with external Data Protection and GDPR experts to provide advice to GPs at different levels.
Organisational level
- Develop a code of practice for GPs on GDPR
- Revise the 2011 Data Protection Guidelines
GP practice level
- Create a series of simple protocol documents on: data protection impact assessment, security audit, data breaches, accountability and consent
- Identify or provide training courses online for GPs and practice support staff
- Provide resources for presentations at conferences and small group CME meetings.
Patient level
- Create patient leaflets on consent, use of data, access to record and data mobility.
Q. Is it likely that Ireland will get a derogation from GDPR, to give businesses a bit more time to get ready?
No, GDPR was approved by the EU Parliament in April 2016 and provided for a two-year period of preparation. It will come into effect in all EU countries on May 25, 2018. The May 2017 issue of Forum flagged to GPs the impact of GDPR and the need to prepare. Subsequent notes on data protection and GDPR appeared in Forum in July/August 2017 and September 2017.
Q. Could you please list some resources to help me prepare for GDPR?
- ICGP Data Protection Guidelines, www.icgp.ie/data
- Data Protection Commissioner (DPC),
- http://gdprandyou.ie/resources/
- EU GDPR Portal, www.eugdpr.org
- Final text of the GDPR, including recitals,
- https://gdpr-info.eu
- GDPR Awareness Coalition,
- http://gdprcoalition.ie/infographics/