Article • New regulation

GDPR: Healthcare sector must be ready for data shake-up

Healthcare organisations across Europe are being warned to be ready for new laws which mark the biggest shake-up in data protection legislation in decades.

Report: Mark Nicholls


The General Data Protection Regulation (GDPR) comes into effect across Europe on May 25, and despite the vote to leave the European Union, the British Government has confirmed that it will be enshrined in UK law on that date. To help NHS and other healthcare providers in the UK prepare for the new legislation, a course entitled “Preparing for GDPR: Health and Social Care” is being staged at Salford University in Manchester on March 26. It will cover a wide range of issues, outlining what organisations need to do to instil a privacy culture and avoid penalties, including heavy fines. Whilst the new legislation affects a wide range of organisations and businesses, Freelance Data Privacy Consultant Darren Rose emphasises the importance of healthcare providers being ready for the change.


Topics to be covered during the Preparing for GDPR: Health and Social Care course include understanding the new GDPR privacy law and its possible implications; understanding the organisation’s responsibilities as a Data Controller; dealing with Data Processors; understanding Data Subject Rights; and identifying sensitive personal data. Additionally, awareness will be raised for understanding locations and storage methods; Personal Information Management Systems (PIMS); Information Security Management Systems (ISMS); risk and risk mitigation; register breaches; and understanding the process of reporting a breach to the supervisory authority. Mr Rose added: “The course covers an overview of the changes within the GDPR as well as methodologies for addressing risks for both electronic and human aspects, by embedding a privacy culture.”

When the GDPR becomes law, organisations and firms need to be aware of the possible heavy fines, subjects’ right to compensation, a new specific consent with evidence and rights to withdraw consent, mandatory privacy impact assessments, mandatory documentation of compliance, and mandatory breach notifications within 72 hours of discovery. “I also draw organisations’ attention to the potential impact of loss of reputation or judicial remedy for the data subject, which can be far reaching even if the local supervisory authority chooses not to impose a fine on the organisation,” continued Mr Rose.

While there are stricter rules for gathering and storing sensitive data as well as increased powers for regulators, he believes this should not have a major impact on the health and social care sector as the “fundamental principles upon which data is gathered, transported and processed” should already be at the heart of the organisation. “Individuals already responsible for delivering data protection readiness will be very aware of the current,” he said. “But within the context of health and social care, organisations should take particular note of the inclusion of biometric (retina imagery) and genetic data into the special categories as well as changes to sharing of data for medical research purposes and the correct use of anonymisation.”

Organisations, regardless of their sector, must understand the importance of training and awareness as the cornerstone of a privacy culture, said Mr Rose, as the ‘human factor’ is often overlooked when it could be the simplest risk to address. He added: “Within the social care element, I advise particular attention to the quantity of sensitive data being transported and shared between organisations, especially within the elderly care context, including medical notes between residential care and health providers for appointments, social work and mental capacity assessments.”

*For more information on the GDPR health and social care course provided by Salford University Professional Development, visit


Darren Rose is a Freelance Data Privacy Consultant/Trainer. A lead education consultant, he is a member of the International Association of Privacy Professionals (IAPP) and has been providing data handling consultancy and training to education for almost a decade through his roles as SIMS Consultant and school compliance advisor.

