WHY THE NHS MUST BE ONE STEP AHEAD WITH ITS DATA MANAGEMENT KNOW-HOW AS THE REGULATORY FRAMEWORK TIGHTENS
Paul Moonan, Managing Director at Restore Digital, highlights key data challenges faced by healthcare organisations in light of The General Data Protection Regulations (GDPR) and how outsourcing key functions will not only ensure compliance and data security but could save money.
The General Data Protection Regulations (GDPR), enforceable in the UK from the 25th May 2018, places a far greater burden on those controlling, processing and managing data in the NHS than ever before. This extensive piece of legislation sees the biggest shake-up in personal data protection since the Data Protection Act of 1998.
Judging by past history, the public sector is going to be hit hard. According to the Information Commissioner’s Office (ICO), which will be responsible for policing GDPR, between January and March 2016 there were 448 UK data breaches: 184 of these were in health, 43 in local government, 25 in finance, insurance and credit, and 23 in the charitable and voluntary sector. These new data processing rules will inevitably result in organisations like the NHS, or even household-name national charities, not only being named and shamed but also fined in the event of any data compromise.
At a time when the NHS is struggling to make its budgets stretch, it can ill afford to lose vital funds to fines for administrative inadequacies. Organisations may be ‘looking down the barrel’ at data breach fines of up to €20 million or 4% of turnover, whichever is greater. To put things in perspective, the fine issued by the ICO to TalkTalk for a major data leak in 2016 was just £400,000, but under the new rules next year it could be based on 4% of TalkTalk’s turnover, in which case the fine would be a staggering $67 million.
Ultimately, a budget deficit of 4% could result in cuts to front-line services including nursing staff. It would be an outrage to suffer serious cuts directly affecting patient care by simply not having back-office processes that are up to speed with regulatory requirements. The only sensible route for NHS managers to take is to make sure that they are totally ‘au fait’ with what the regulations require of their organisation. New data subjects’ rights must be fully integrated into their data processing procedures with the aim of acting fairly and lawfully at all times.
Accountability is an area which is clearly laid down by the GDPR. For NHS organisations which process a large amount of data classified as special categories of personal data, it is mandatory for them to appoint a Data Protection Officer (DPO) who fully understands its data system and the risks it engenders for data privacy. It is recommended that a ‘data privacy culture’ should be inherent in the way the NHS manages and processes personal and sensitive data and should not be a solution which is ‘bolted on’ to an existing system.
Data controllers and data processors have enhanced GDPR responsibilities not only to protect data but, in the event of a leak, to communicate it within 72 hours to the ICO as well as to the individuals affected. Failure to do so, under the new rules, will potentially incur the highest penalties.
The processing of medical records and other highly sensitive data that are routinely handled by hospitals, GP practices, pharmacies and other healthcare providers is treated as the processing of special categories of personal data, which requires the highest level of protection from theft and exposure.
Personal data includes any information relating to an identifiable natural person (the data subject) who can be identified by an ID number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
GDPR is wrapped around a number of key data processing principles. Personal data must be processed lawfully, fairly and in a transparent manner. It should be collected for specified, explicit and legitimate purposes. It must be adequate, relevant and limited to what is necessary. The data must be accurate and, where necessary, kept up to date. Data should only be retained for as long as necessary and processed in an appropriate manner to maintain security.
To complicate matters further, data subjects have also been given new, enhanced rights, including the right to rectification, erasure, restriction and objection, and the right to data portability. Healthcare organisations now have a month to respond to data requests from data subjects and can no longer charge for the first data disclosure request. It should be noted that certain special categories of personal data can be obtained by healthcare organisations without the data subject’s specific permission where they can show it is in the data subject’s interest and the data subject is incapable of giving their approval.
Under GDPR, the storage of documents is a key issue too. Article 5 requires that documentation is only retained for the minimum time necessary. Keeping payroll details of former staff, or unnecessary duplicates of patient data from, for example, old scans and X-rays, could land the organisation in trouble with the ICO. Due to the vast quantity of data handled daily, the risks of a data breach to the NHS and its partner organisations are huge.
Prime weaknesses that make data breaches a realistic, if not constant, threat include: computer system hacking, defective backups, corruption amongst employees, paper records being duplicated or lost, and records being held much longer than necessary and then dumped insecurely ‘en masse’ while a department has a ‘clear-out’. All are organisational problems that need addressing before the ICO strikes.
As in most industries, there are some organisations which are ahead of the game and have already audited their data management systems and turned them into the lean, lawful data machines that the government is striving for. However, there are bound to be departments and partners in the healthcare sector who are not yet ‘up-to-speed’ and who require serious help in order to be ready for next year’s deadline.
Where serious data processing is involved, data protection officers are now recommending the outsourcing of sensitive personal data processes, such as payroll, scanning of records, and storage and destruction of data, to a third party that is fully GDPR compliant and can bring expert compliance to these procedures easily. This is particularly key for organisations that simply do not have the in-house skills or necessary technologies to do this properly.
A prime example of such work, where data management companies like Restore Digital have come to the rescue and taken on the scanning and storage of sensitive data, is at the Royal Liverpool University Hospital. As the hospital currently manages over 1,000 requests for medical records per day, ensuring that the correct files are privacy protected and available for clinicians when patients arrive for appointments is paramount. Using resources effectively to treat patients efficiently is always the top priority for healthcare professionals and managers alike, and is not driven by GDPR compliance alone.
Physically moving, managing and storing a huge amount of paper documents and files was both a time-consuming and costly process for the Trust, and also a potentially insecure one. The chance of patient notes being lost or misplaced, and of people having to wait longer than necessary before clinicians were able to see them, was a real cause for concern. However, management at the Royal Liverpool soon realised that if its documents were digitised by scanning and then fed into a secure electronic patient records system, many risks would be instantly reduced and access to accurate, crucial data would be speeded up. Restore was engaged to carry out all the scanning, archiving, indexing and retrieval of medical records for the hospital, which needed a document scanning solution to digitise and index over 100 million pages of active medical records and deliver them in an electronic format ready for import into the Trust’s EDMS. The project needed to incorporate both scanning and archiving of ‘live’ files and of ongoing, day-forward notes.
In this case, as the outsourcing partner had an ISO 27001-compliant high-tech centre in which the scanning process was completed, the hospital received a host of benefits. These included a compliant records management process backed by enhanced security, incorporating IG Toolkit compliance. All staff involved in the process were security checked too, so that the hospital could be certain that its sensitive data did not land in the wrong hands.
As a result of its move to outsource the scanning and digitisation of its records, in addition to enhanced security and compliance, the Royal Liverpool has reduced its administration costs relating to the physical management of records. This has brought with it an improvement in patient care due to the speed at which clinicians can now access accurate, secure patient information. It even allows patient records to be retrieved simultaneously by numerous clinicians anywhere in the world, if needed.
Whilst the Royal Liverpool may be ahead of the curve, it is still believed that many hospital trusts, GP practices, opticians and dentists are slowly getting to grips with what the legislation means in practice. They need to find a workable solution that puts the privacy of data subjects and data security at the top of their agenda.
Whether healthcare organisations choose to go it alone or join forces with an expert, GDPR compliant, external partner, it is vital that administrative issues are not allowed to detract from the amazing medical work being undertaken on a daily basis. Wouldn’t it be a patient care tragedy to squeeze a tight budget to breaking point by simply not having a GDPR plan in place?