Not only does the incoming regulation on processing personal data represent a pivotal change in how general practices handle patients’ information, but it will carry legal force, Valerie Ryan reports
After four years of debate and preparation, the General Data Protection Regulation (GDPR) strengthening individuals’ right to privacy is to be enforced in two weeks’ time, and doctors are being urged to carry out the necessary steps before the May 25 deadline.
As it is a regulation and not just a directive, the incoming GDPR will become immediately enforceable legislation in all European Union (EU) Member States on the same date.
One of the biggest issues in the new regulation is that if data is lost, an individual can sue for compensation and does not have to show harm. Non-compliance may attract heavy fines under a tiered approach, and data held in the ‘cloud’ will not be exempt from GDPR enforcement.
The main principles on privacy are in line with the previous EU Directive and Organisation for Economic Co-operation and Development (OECD) guidelines, devised during the 1990s when social media and cloud storage were not a reality, and when only approximately 1 per cent of the European population was using the internet.
The GDPR, approved by the EU Parliament on April 14, 2016, is meant to update the standards for personal data to fit today’s technology, while remaining general to simply protect the fundamental rights of individuals’ data throughout future waves of innovation.
Medical records are always going to be about personal data but the definition of personal data depends on context, data protection expert and solicitor, Fleur O’Shea told general practitioners (GPs) at the recent Irish Medical Organisation annual conference.
A common misconception about the term ‘processing’ is that it implies that the data is being used actively for some purpose, but O’Shea stressed that once entered or held on a system in a practice, it is being ‘processed’ and the doctor is in charge of it, and needs to make sure he or she is processing it in accordance with the law.
In order to enter or hold personal data onto an IT system, or into the files of a practice, there must be legal grounds for doing so. “You cannot process information unless you are permitted to do it by law,” O’Shea cautioned.
There are two types of data under the GDPR. One is the standard category, which may cover processing the personal data of employees such as names, contact details and addresses, disciplinary records and similar records. The new law sets out six lengthy grounds as the legal basis for processing this standard category of data, and at least one of them must be met before such data is processed. However, information about employees in a practice does not always come under the definition of ‘personal data’.
O’Shea cautioned that consent used as a ground to hold personal information is “very much” misunderstood. There are five elements incorporated in the legal basis of consent, including that if the individual changes their mind, consent has to be managed.
To have a legal basis for processing the second category of information called Special Category Data, there are 10 grounds. This category is “very sensitive” and includes data concerning health.
“You need to be extra careful,” O’Shea advised. By way of example, the only type of sick certificate a practice should accept as an employer is one, signed off by the doctor, stating that an individual was sick from x date to y date, with no mention of the medical reasons.
In the run up to the enforcement date, the interpretation of many of the notable changes is evolving, as the European institutions have differing guidance on certain pivotal changes.
From May 25, notable changes include enhanced rights for patients whose information is held on a practice system; the time to give access to medical records — and it is to be free of charge — is down from 40 days to a month; the right to be forgotten is enshrined in the new law but in its guidance, the Irish College of General Practitioners (ICGP) advises that the right to erasure of medical records is not an absolute right.
Restrictions may apply because the GP has a requirement to keep medical records, and also has a right to defend medico-legal claims. This would need to be examined on a case-by-case basis.
Data Protection Officer
One of the significant changes that has been flagged is the legally undefined ‘large-scale’ processing of data. The designation of a Data Protection Officer (DPO) is mandatory for companies or bodies passing certain thresholds according to both the European Commission and the Parliament, but the two differ on the exact metric.
The Parliament’s view is that a DPO should be mandatory for all enterprises that process “special categories” of data, including information such as health data, religious and political beliefs. The Commission text requires a DPO for any enterprise with more than 250 employees, while the Parliament text calls for those processing the personal data of greater than 5,000 data subjects in any 12-month period to appoint a DPO.
The other arm of European government, the European Council, made up of the members’ heads of state, does not mandate the appointment of a DPO unless it is required by EU or Member State law. It may be that — in the end — the Council will press for a relaxation of DPO appointments against the views of the Commission and the Parliament.
In its latest guidance to GPs, the ICGP counsels: “We do not consider a general practice to be processing data on a large scale, and thus do not believe that individual general practices need to appoint a DPO.
“Even when the GDPR does not specifically require the appointment of a DPO, general practices may sometimes find it useful to designate a DPO on a voluntary basis.”
Advice emerging in the UK is that this role can be shared across practices or organisations. GPs heard from O’Shea that the guidance to date indicates this particular measure is unlikely to apply to an individual GP. She nonetheless supported, as good practice, having someone who oversees and organises matters relating to data protection, but not designated as a DPO, since that person would then be held to the higher standard that comes with the statutory responsibilities of the role.
A key point highlighted by O’Shea was that if the system were hacked, the practice broken into, or information in a car lost or stolen, the Data Protection Commissioner must be notified within 72 hours of the practice first becoming aware of the breach. Within those 72 hours, “You have to identify — is there a risk to the rights and freedoms of a natural person?” she added. “If there is a high risk, you have to notify the individuals affected as well. If there is no risk, if the situation involves anonymised data where no one can be identified, you don’t have to notify them.”
Part of the expanded rights of data subjects outlined by the GDPR is the right for patients to obtain confirmation from the practice as to whether or not personal data concerning them is being processed, where and for what purpose.
The ICGP advises, in its recently published guidelines, that GPs must commission regular information security audits to ensure that appropriate measures are in place to secure patient data in the practice. Such an audit should cover: operating systems and security patches, hardware, networks including Wi-Fi, antivirus and anti-malware, firewalls, data backup, peripheral and medical devices, access controls and appropriate use of the internet.
The College advice on Personal Public Service Numbers (PPSNs) is clear. “It is an offence for any person or body to request or hold a record of a PPSN unless they are permitted by law (the Social Welfare Acts) to do so. GPs are not specified bodies under the Social Welfare Acts, but they may ask patients for their PPSN as part of specified HSE schemes such as the Mother and Child Scheme, childhood immunisations and cervical screening or sickness certification for the Department of Social Protection.
“In each case, the requests must be justifiable and the capture of the PPSN must not be made on a ‘just-in-case’ basis or be used as a practice identifier. This latter point is of particular importance, as any use of the PPSN by a GP that is beyond that required by the Health Service Executive or the Department of Social Protection may leave the GP open to legal action under the provisions of the Social Welfare Acts.”
The ICGP also advises that, where possible, transmission of personal health information by fax should be avoided. GPs are encouraged to use Healthlink and Healthmail, the secure clinical email service, to transfer confidential patient-identifiable clinical information. Where medical information is required urgently and no more secure mechanism is available, the ICGP advises, and O’Shea agreed, that a fax cover sheet clearly identifying the sender and intended recipient should be used.
The College suggests a fax cover sheet could be worded: “Confidentiality Notice. The information contained in this facsimile message is privileged and confidential information intended for the use of the individual or entity named above. If you have received this fax in error please contact us immediately and then destroy the faxed material.”
The College strongly emphasises checking that the fax number to which patient information is being sent is correct, and following up with a phone call asking the recipient to confirm that they have received the faxed document.
For use of SMS texts, a practice policy needs to be put in place that covers consent, appropriate age groups, content of texts and confidentiality, the ICGP recommends.
O’Shea urged GPs to take steps before May 25 and at least complete an audit and make a list of everything on the system while still on the “safe side” of the GDPR.
She recommended asking a series of simple questions about the data on the practice system: “What are we doing with that? Who are we sending it to? How long are we holding this for? Do you need to retain it?” and she added, “If you don’t need it, get rid of it.”
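As an added illustration, not code from the article, the ICGP or O’Shea, the following Python script applies those four audit questions to a constructed inventory of what a practice system holds. Each entry records the purpose, recipients, legal basis, retention period and last use; the review flags entries with no recorded legal basis, special category data with no specific ground, retention periods that have run out (distinguishing medical records, where erasure is not absolute, from data that can simply be removed) and PPSNs held for a purpose other than the specified schemes named above. The asset names, dates, retention figures and the set of permitted PPSN purposes are all assumptions made for the example.

```python
"""Added example: a data-inventory review for a practice system.

Each asset records what the practice holds, why, who receives it, which
legal basis is relied on, how long it is kept and when it was last used.
The review flags assets with no recorded basis, special category data
without a specific ground, expired retention, and PPSNs held outside the
specified schemes. Every sample value is constructed for the example and
is not taken from any practice or from the ICGP guidance.
"""
from dataclasses import dataclass
from datetime import date

# The article names these as the schemes under which a GP may ask for a PPSN.
# Assumption: the practice captures PPSNs for no other purpose.
PPSN_PERMITTED_PURPOSES = {
    "Mother and Child Scheme",
    "childhood immunisations",
    "cervical screening",
    "sickness certification for the Department of Social Protection",
}

REVIEW_DATE = date(2018, 5, 11)  # constructed "today" for a reproducible run


@dataclass(frozen=True)
class DataAsset:
    name: str
    purpose: str                   # "What are we doing with that?"
    recipients: tuple              # "Who are we sending it to?"
    legal_basis: str               # ground relied on; "" means none recorded
    special_category: bool         # health data and other Special Category Data
    special_category_ground: str   # the additional ground such data needs
    retention_years: int           # "How long are we holding this for?"
    last_activity: date            # last date the data was actually needed
    contains_ppsn: bool = False


def retention_exceeded(asset: DataAsset, today: date) -> bool:
    """True when the asset has been idle longer than its retention period."""
    return (today - asset.last_activity).days > asset.retention_years * 365


def review_asset(asset: DataAsset, today: date) -> list:
    """Return the findings for one asset (an empty list means nothing to act on)."""
    findings = []
    if not asset.legal_basis:
        findings.append("no legal basis recorded")
    if asset.special_category and not asset.special_category_ground:
        findings.append("special category data held without a specific ground")
    if retention_exceeded(asset, today):
        if asset.special_category:
            # Erasure of medical records is not absolute: a duty to keep the
            # record or the need to defend a medico-legal claim may apply.
            findings.append("retention period exceeded: review for erasure case by case")
        else:
            findings.append("retention period exceeded: no longer needed, erase")
    if asset.contains_ppsn and asset.purpose not in PPSN_PERMITTED_PURPOSES:
        findings.append("PPSN held for a purpose outside the specified schemes")
    return findings


def review_inventory(assets, today: date) -> dict:
    """Map each asset name to its list of findings."""
    return {asset.name: review_asset(asset, today) for asset in assets}


def assets_needing_action(report: dict) -> list:
    """Names of assets with at least one finding, sorted for the audit list."""
    return sorted(name for name, findings in report.items() if findings)


# Constructed sample inventory (hypothetical assets, not real practice data).
SAMPLE_INVENTORY = (
    DataAsset("Patient clinical records", "provision of care",
              ("Healthlink referrals", "Healthmail correspondence"),
              "ground recorded in register", True, "ground recorded in register",
              8, date(2018, 3, 1)),
    DataAsset("Staff recruitment CVs", "recruitment", (),
              "", False, "", 1, date(2016, 9, 1)),
    DataAsset("Cervical screening register", "cervical screening",
              ("HSE screening programme",), "ground recorded in register",
              True, "ground recorded in register", 5, date(2018, 4, 1),
              contains_ppsn=True),
    DataAsset("Appointment reminder SMS list", "appointment reminders", (),
              "consent", False, "", 1, date(2018, 5, 1), contains_ppsn=True),
)


def sample_report() -> dict:
    """Run the review over the constructed inventory as of REVIEW_DATE."""
    return review_inventory(SAMPLE_INVENTORY, REVIEW_DATE)


if __name__ == "__main__":
    report = sample_report()
    for name in assets_needing_action(report):
        print(name)
        for finding in report[name]:
            print("  -", finding)
```

Running it lists the two hypothetical assets that need attention: the recruitment CVs (no legal basis, retention run out, so they go) and the SMS list (a PPSN captured as a convenience identifier, which the ICGP guidance above says must not happen). The clinical records and the screening register pass because the constructed entries record a basis and a ground and sit within their retention periods; a real register would carry the practice’s actual grounds and retention policy in those fields.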