The GDPR was enacted into UK law as the Data Protection Act 2018. It imposes legal obligations on medical and healthcare organisations around how they must manage and process personal data.

The new legislation complements the NHS Data Security and Protection Toolkit (DSPT) and requirements for Caldicott Guardians. It gives the Information Commissioner’s Office (ICO) powers to impose significant financial penalties for non-compliance.

This, along with the increased focus on data collection and developments in AI for healthcare, is making robust personal data protection practices essential.

This page explains what the new legislation means for medical and healthcare organisations and the key areas they need to consider when managing and protecting personal data.

WHAT DOES THE LEGISLATION MEAN FOR MEDICAL AND HEALTHCARE ORGANISATIONS?

Like all other organisations, medical and healthcare organisations must:

• Be transparent in the way they process personal data and accountable for doing so
• Be able to detect, manage, report and respond to data breaches including, if necessary, liaising with the Information Commissioner’s Office (ICO)
• Understand the data they have, where it is stored and who has access to it
• Implement robust processes and procedures to protect personal data
• Allow patients, health care professionals, staff and employees, local authorities, family and next of kin, guardians and suppliers to:

  • Access the data stored on them
  • Ensure it is correct and modify it as necessary
  • Have it deleted (unless needed for legitimate reasons)

• Appoint a designated data protection officer if they:

  • Are a public body
  • Process data on a large scale, especially special category data or data relating to criminal convictions
  • Use the data for automated decision making

IMPORTANT DATA PROTECTION CONSIDERATIONS FOR MEDICAL AND HEALTHCARE

Medical and healthcare organisations must protect personal data across all of their operations and be aware of multiple regulations. Major considerations include:

Complementary regulations, guidance and inspections

• NHS Data Security and Protection Toolkit (DSPT)
• GDPR and Data Protection Act (2018)
• Caldicott Guardianship
• CQC audits and inspections

Policies

• Privacy, retention and data protection policies
• Staff handbooks

Marketing, communications and consent management

• Social media and posting
• Emails, Bring Your Own Device (BYOD), NHSmail

Administration

• Maintaining network and server security
• Email systems
• Staff payroll, pension and HR records
• Visitors’ book and access systems

Sharing data with others

• Clinicians and healthcare professionals
• Local authorities

Managing sensitive information

• Data Protection Impact Assessments
• Managing sensitive medical information
• Safeguarding, family issues and DBS checks

Data gathering for predicting clinical outcomes

• Automated processing
• Data anonymisation and pseudo-anonymisation

Patient facing care and getting the job done

• Bedside data
• Patient notes
• Managing paper records

Care management systems and medical records

• Care planning and management systems such as CarePlanner, Zuri, Access Care
• Electronic Medication Administration Records (eMAR)
