Data Protection for NHS, Healthcare, MedTech and Life science
The GDPR was enacted into UK law as the Data Protection Act 2018. It imposes legal obligations on medical and healthcare organisations around how they must manage and process personal data.
The new legislation complements the NHS Data Security and Protection Toolkit (DSPT) and requirements for Caldicott Guardians. It gives the Information Commissioner’s Office (ICO) powers to impose significant financial penalties for non-compliance.
This, together with the increased focus on data collection, developments in Artificial Intelligence (AI) and the various codes of conduct within healthcare, makes robust personal data protection practices essential.
The experienced data protection consultants at The DPO Centre will help ensure your organisation’s compliance framework meets the relevant healthcare and medical data protection requirements and regulations.
This page explains what the new legislation means for medical and healthcare organisations and the key areas they need to consider when managing and protecting personal data.
WHAT DOES THE GDPR LEGISLATION MEAN FOR MEDICAL AND HEALTHCARE ORGANISATIONS?
Like all other organisations, medical and healthcare organisations must uphold individuals’ rights to:
- Access the data stored on them
- Ensure it is correct and have it modified as necessary
- Have it deleted (unless it is needed for legitimate reasons)
They must also appoint a Data Protection Officer (DPO) if they:
- Are a public body
- Process data on a large scale, especially special category data or data relating to criminal convictions
- Use the data for automated decision making
“I became acquainted with The DPO Centre through one of their Data Protection Officers (DPO) who acts as outside DPO for one of our US-based clients. We were negotiating a DPA for a unique trial his client is conducting in the EU which utilizes my company’s mobile research services. The DPO I had the pleasure of working with on that project is one of the best DPO/counsels I have worked with when it came to thoughtfully negotiating through a clinical trials-DPA, given his great knowledge of the GDPR and the crossover with clinical trials regulations in both EU & UK. He’s also just a solid, nice person, and I have greatly enjoyed and am very grateful to have him across the table to get the trials up and running.”
Professional Case Management
DATA PROTECTION SERVICES FOR MEDICAL AND HEALTHCARE
Healthcare and medical organisations must take extra precautions when processing sensitive patient data. Our range of data protection services will help ensure that your organisation is taking the best care of patients’ data. We provide consultancy, outsourced DPOs, UK and EU GDPR Representatives, Caldicott Guardians, staff training and awareness sessions, and a data protection advice line staffed by our expert DPOs.
UK National Health Service (NHS) and social care organisations must appoint a Caldicott Guardian to ensure their organisation adheres to the National Data Guardian’s data protection principles. The DPO Centre provides outsourced Caldicott Guardians to health and social care organisations to help them process, manage, and protect patient data.
Health and social care organisations have particular data protection needs, as they collect and process sensitive data about vulnerable patients. Our outsourced DPOs have a broad range of experience working with the health and social care sectors, so they are able to help you organise your data protection framework so that it meets your compliance obligations.
If your medical organisation processes data on UK or EU residents but you don’t have a presence in these territories, you may be required to appoint a UK or EU Representative to help you adhere to Article 27 of the GDPR. Our UK and EU Representation service helps you to construct your Records of Processing Activities (RoPA) and respond to data subject rights requests.
We have one of the largest teams of data protection consultants available who’ve worked across multiple sectors, including healthcare, medtech and life science. These experts provide advice and guidance tailored to your organisation’s data protection needs, keeping the particular concerns of these specialist sectors in mind. By engaging our consultancy service, you can improve transparency, be more accountable for the personal data you process and reduce the risk of breaches and compliance failure.
Often, it’s not enough to have a compliance framework in place for your healthcare or medical organisation. All of your organisation’s stakeholders, regardless of their level of seniority, must also understand the basics of data protection compliance. With training from The DPO Centre, your staff members will learn not only the importance of data protection but also how to manage and process data in their specific roles, supporting your organisation to remain compliant.
The NHS Data Security and Protection Toolkit (DSPT) is an online self-assessment tool that all organisations processing NHS patient data must use. Our experts can help you complete the yearly assessment, ensuring you meet all NHS data protection requirements. We can also help you identify gaps in your data security practices and provide you with the necessary documentation, policies and procedures.
As part of our outsourced DPO and UK and EU GDPR Representative services, we offer an Advice Line, staffed by our experienced DPOs. When your healthcare organisation has a pressing question or needs urgent advice on a data protection matter, you can access our helpline. This service is also offered standalone, to provide additional support and expertise to your existing in-house resources.
IMPORTANT DATA PROTECTION CONSIDERATIONS FOR MEDICAL AND HEALTHCARE ORGANISATIONS
Medical and healthcare organisations must protect personal data across all of their operations and be aware of multiple regulations. Major considerations include:
Complementary regulations, guidance and inspections
- NHS Data Security and Protection Toolkit (DSPT)
- GDPR and Data Protection Act (2018)
- Caldicott Guardianship
- CQC audits and inspections
- Privacy, retention and data protection policies
- Staff handbooks
Marketing, communications and consent management
- Social media and posting
- Emails, Bring Your Own Device (BYOD), NHSmail
- Maintaining network and server security
- Email systems
- Staff payroll, pension and HR records
- Visitors’ book and access systems
Sharing data with others
- Clinicians and healthcare professionals
- Local authorities
Managing sensitive information
- Data Protection Impact Assessments
- Managing sensitive medical information
- Safeguarding, family issues and DBS checks
Data gathering for predicting clinical outcomes
- Automated processing
- Data anonymisation and pseudonymisation
Patient facing care and getting the job done
- Bedside data
- Patient notes
- Managing paper records
Care management systems and medical records
- Care planning and management systems such as CarePlanner, Zuri, Access Care
- Electronic Medication Administration Records (eMAR)
BENEFITS OF OUR OUTSOURCED DATA PROTECTION SERVICES
With our extensive subject matter knowledge of data protection and compliance for medical and healthcare organisations, we’re able to deliver far greater value to your organisation than an independent data protection contractor or small team and far more cost effectively than a large consultancy or law firm. Our consultants have worked with many different platforms, tools, vendors, and software used in the healthcare and medical sector, allowing us to provide you with the most appropriate solutions for your organisation.
“Our DPO from the DPO Centre has been excellent. They are happy to answer any questions we have, and have been a great sounding board for our Information Governance team which has supported all the great work the team does. By helping to provide a clear and prioritised plan of action, our DPO has ensured that we stay on track to meet our compliance goals.”
PCCTC Contracts Manager
“By having The DPO Centre take responsibility for the role of GDPR representative for the PCCTC we are confident we are meeting the legal requirements of the GDPR.
The DPO Centre’s team are always on hand to answer any queries we may have and to help us respond to any Data Subject Access Requests from any trial member across the EU.”