The General Data Protection Regulations (GDPR), which came into law on 25 May of this year, provide a strengthened framework for the protection of personal data in the European Union. In Ireland, the Data Protection Act 2018 has been introduced to give further effect to the GDPR at ground level.
The necessity for Consultants, handling sensitive personal data, to comply with the GDPR is vital and the potential ramifications for failing to comply are severe.
This article provides an overview of the legislation and explores simple steps that you can take to make your practice GDPR compliant.
Key GDPR Definitions
- “Personal data” is data pertaining to living individuals, who can be identified from the data. Personal data does not just include clinical notes, but also includes patient hospital numbers, email addresses and phone numbers.
- “Special category data” is data that is particularly sensitive and requires extra vigilance in how it is handled. Special category data is defined as data pertaining to:
  - Racial or ethnic origin.
  - Political opinion.
  - Religious or philosophical beliefs.
  - Trade union membership.
  - Genetic data, biometric data for the purposes of uniquely identifying a person (e.g. retinal scans, finger print scans).
  - Health data.
  - Data concerning a person’s sex life or sexual orientation.
- The “data controller” has particular obligations with regards to protecting the data in its possession. Private Consultants would be the data controller of their private clinical notes, for instance. The data controller decides how, why, what, when, where and for how long the data is to be processed.
- The “data processor” processes personal data on behalf of the data controller. For instance, your secretary or IT system manager will constitute the data processor in your practice. The data processor can only act in response to the instruction of the data controller. The data controller has a responsibility to ensure that the data processor processes the data appropriately.
- The “data subject” is an identifiable natural person, who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. In the context of your business this will usually be a patient but could also, for instance, be the patient’s family.
- A “personal data breach” means a breach of security by the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data, transmitted, stored or otherwise processed.
Why the fuss over medical records?
Medical records contain highly personal and often sensitive data about patients and, occasionally, third parties.
Data breaches, including lost or stolen medical records, could result in a loss of the relationship of trust with your patient, reputational damage to you as a Consultant, potential harm to your patient and staggeringly high financial penalties for your business.
Over the last number of years, cybercrime has particularly begun to target the health sector. This was exemplified in the 2016 ransomware attack which affected 150 countries but targeted the NHS in particular. The malware encrypted data on NHS computers, rendering them unusable, and the cybercriminals demanded a ransom to unlock the infected computers. Over 30% of NHS Trusts in the UK were affected, resulting in the forced cancellation of 20,000 hospital appointments and operations, leading to huge inconvenience to patients and massive expense to the NHS. This was a financially motivated ‘unsophisticated’ ransomware attack, but it is feared that future attacks could be more targeted in intent, resulting in the theft or compromise of medical records.
Cybercrime is the fastest growing type of criminal activity in the United States. Cybercriminals in the US have successfully stolen whole databases containing thousands of patients’ medical records and have then attempted to sell the medical records on the black market or the dark web for hundreds of thousands of dollars.
Medical records are easily monetised and are traded on the dark web at 10 to 20 times the value of a stolen credit card, for instance. Credit cards can be stopped but the sensitive information in medical records, including telephone numbers, email addresses and home addresses can be used time and time again for criminal purposes including identity theft, setting up fraudulent bank accounts and money laundering.
Medical records also often contain sensitive information, for instance, in relation to sexual health and mental health issues. Such information, if placed in the wrong hands, could be used to blackmail the data subject for ‘hush money’.
The potential financial ramifications for a data protection breach under the GDPR are enormous and could include fines of up to €20 million or 4% of global turnover. A failure to report a breach to the relevant authority could in itself result in a sanction, in addition to the sanction for the actual breach. It is therefore imperative that the GDPR are taken seriously and that measures are put in place now to protect the data which you hold in relation to your patients.
GDPR - The basics
Storing medical records
Are your medical records securely maintained?
- Paper records should be stored securely in a locked cabinet where only authorised personnel have access to the keys.
- Electronic record access should only be designated to authorised personnel (data processors) with unique log-ins and passwords. Staff should be warned that passwords should not be obvious and are not to be shared.
- Medical photographs should only be taken using a designated office camera and the camera should be stored in a secure locked cabinet. Medical photographs should not be taken on a personal mobile device where there is a risk that the handheld device could be lost or stolen.
Communications
Are your communications with patients and third parties secure?
- Find out from your hospital IT team, if your private hospital email portal is GDPR compliant. If so, this should be the preferred method of communication with patients and third parties.
- Gmail and Hotmail accounts can be used to send special category health data but these email systems are not secure and an encrypted/GDPR compliant portal should always be the preferred method to communicate with patients and third parties.
- You, and your data processors, should take particular care when typing email addresses, or when picking an email address from an auto-complete suggestion, to ensure that you are typing/choosing the correct email address. (Data breaches frequently happen because the incorrect email address is typed or selected and information is sent to the wrong parties).
- Post can be used to send letters containing special category health data but secure email is the preferable method, in terms of providing the best security for the sharing of information.
- Fax machines can also be used to send special category health data, but again, secure email is a more secure method. If sending a fax, you should ensure that you have a cover sheet saying that the information is confidential and for the recipient only. Where feasible, and particularly if information is being frequently sent to the same fax machine, attempts should be made to clarify that the fax machine is not in a public place where the data could be picked up by someone who is not the intended recipient.
- When receiving telephone calls from patients requesting information, or when telephoning patients with relevant information, it is important to clarify the identity of the caller in order to ensure that the information is being passed to the correct individual. This may mean that you and your data processors ask relevant security questions to verify the identity of the caller, such as requesting the caller’s date of birth and address.
- WhatsApp should not be used to send special category health data. Although there is end-to-end encryption of WhatsApp messaging, all messages are backed up on servers which are potentially not secure. Further, if you are sharing information over WhatsApp you are likely doing so from a personal handheld device which could easily be mislaid or stolen.
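The point above about mistyped or auto-completed email addresses is the one breach cause a practice can largely engineer away. The following is an added example (not code from the article or from any hospital system) of the check the article recommends: before a message is sent, the chosen address is compared against the address held on the patient’s record, and any mismatch blocks the send and explains why. The RecordContact type, the function names and every address are constructed for illustration.

```python
"""Recipient-address check before patient correspondence is sent by email.

Added example, not part of the original article. It models the check the article
recommends: compare the address typed or picked from auto-complete against the
address on the patient's record, and refuse to send on any mismatch.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple
import unicodedata


@dataclass(frozen=True)
class RecordContact:
    """Contact details as held on the patient's record (constructed sample)."""
    patient_ref: str
    email: str


def normalise(addr: str) -> str:
    """Fold lookalike Unicode forms, trim whitespace and lower-case.

    Mailbox names are case-sensitive in theory; in practice providers treat them
    as case-insensitive, so comparing lower-cased forms avoids false alarms.
    """
    return unicodedata.normalize("NFKC", addr).strip().lower()


def check_recipient(chosen: str, record: RecordContact) -> Tuple[bool, str]:
    """Return (ok, reason). ok is True only when the chosen address matches the record."""
    chosen_n = normalise(chosen)
    record_n = normalise(record.email)
    if chosen_n == record_n:
        return True, "matches record"
    if "@" not in chosen_n:
        return False, "not a valid address"
    c_local, c_domain = chosen_n.rsplit("@", 1)
    r_local, r_domain = record_n.rsplit("@", 1)
    if c_local == r_local and c_domain != r_domain:
        # Classic auto-complete mistake: the same person's name at a different provider.
        return False, f"same name, different domain ({c_domain} vs {r_domain}); check auto-complete pick"
    if c_domain == r_domain:
        return False, f"same domain, different mailbox ({c_local} vs {r_local}); check spelling"
    return False, "address not on the patient's record"


def gate_outgoing(drafts: List[Tuple[str, str]],
                  records: Dict[str, RecordContact]) -> List[Tuple[str, str, bool, str]]:
    """Check every (patient_ref, chosen_address) draft; return a per-draft decision.

    A draft for a patient with no recorded address is blocked rather than allowed,
    so missing data never turns into a send to an unverified address.
    """
    decisions = []
    for patient_ref, chosen in drafts:
        record = records.get(patient_ref)
        if record is None:
            decisions.append((patient_ref, chosen, False, "no email on record; confirm with patient first"))
            continue
        ok, reason = check_recipient(chosen, record)
        decisions.append((patient_ref, chosen, ok, reason))
    return decisions


# Constructed sample data: one patient record and four drafts, three of them wrong.
RECORDS = {"P-001": RecordContact("P-001", "pat.murphy@example.com")}
DRAFTS = [
    ("P-001", "Pat.Murphy@example.com "),   # same address, different case and a stray space
    ("P-001", "pat.murphy@example.org"),    # auto-complete picked a different domain
    ("P-001", "pat.murhpy@example.com"),    # typo in the mailbox name
    ("P-002", "someone@example.net"),       # no address on record at all
]

if __name__ == "__main__":
    for patient_ref, chosen, ok, reason in gate_outgoing(DRAFTS, RECORDS):
        print(f"{patient_ref} -> {chosen!r}: {'SEND' if ok else 'BLOCK'} ({reason})")
```

The “same name, different domain” branch is the one that catches the auto-complete error the article describes; the “no email on record” branch is deliberately a block, because a practice that lets unverified addresses through on missing data has not removed the risk, only hidden it.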
Lawful bases for processing (sharing) health data
In what circumstances am I authorised to share special category health data?
For treatment
- Under the GDPR explicit consent is not required for processing special category health data for “direct care”.
Direct care is defined as care:
“necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services”. Article 9 (2) (h).
- For example, a referral by you to another healthcare professional would be for direct care purposes and relevant healthcare information can be shared without explicit consent. (This is different from the consent required to make the referral itself, which is still required from the patient).
- If information is intended to be shared for purposes other than direct care, for example for medical research or statistical collation, then explicit consent should be sought from the patient in relation to the sharing of this information.
For legal advice
- The processing of special category health data for the purposes of legal advice or legal proceedings is protected under Article 9 (f) of the GDPR, and Article 47 of the Data Protection Act 2018. This provision allows you (and your legal team and insurers) to process (share) special category health data for the purposes of providing or obtaining legal advice in connection with legal claims, prospective legal claims, legal proceedings or prospective legal proceedings or as otherwise necessary for the purposes of establishing, exercising or defending legal rights.
Data subject access requests
- Under the GDPR data subjects can still request copies of their medical file which must be provided within one month of receiving the request. (The time limit of 40 days is no longer applicable). In certain limited circumstances, the one month period may be extended to two months (taking into account the complexity of the request) but the data subject must be informed of the need for the additional time within the initial one month time limit.
- There is now no fee payable by a patient making the subject access request. However, if it is believed that the patient’s request is manifestly unfounded or excessive (for example where an individual makes repeated requests for the same records) you may decide to either charge a fee, taking into account the administrative costs in dealing with the request(s), or refuse to act on the request(s). The burden of demonstrating why a request is manifestly unfounded or excessive rests on the private Consultant.
Right to erasure
Can patients demand to have their medical records deleted?
- Under the GDPR, data subjects have a right to be forgotten which has now been called the “right to erasure”. However, this is not an absolute right. The right to erasure is only exercisable by the data subject when the processing of the information is no longer necessary or when the processing has been unlawful. It is extremely difficult to envisage how this could apply in the healthcare context, as the special category health data is necessary for the continuing care of the patient and as a record of the patient’s medical history.
- Patients do have a right to request that inaccuracies in the medical records are corrected. It is imperative that the original information, containing the inaccuracy, is maintained in the medical records but with an addendum or an addition, dated and signed at the time of the amendment, indicating that the patient wishes for an inaccuracy to be corrected and then setting out the correct information.
- Under normal circumstances, patients have no right to request that information be deleted permanently from their medical records.
Breach notification process
How do I deal with a data breach in light of the GDPR?
- GDPR introduces a requirement for organisations to report personal data breaches to the Data Protection Commissioner (DPC), where the breach presents a “high risk to the rights and freedoms of a data subject”.
- If your hospital has a Data Protection Policy you should ensure that you action their breach policy accordingly. This will probably involve you reporting the breach to the hospital Data Protection Officer, if one has been appointed.
- To facilitate decision-making and determine whether or not you will need to notify the DPC and affected individuals about a breach, you/your hospital should have a high-quality risk management process and robust breach detection process in place for investigating, mitigating and reporting breaches.
- You/your hospital must keep a breach log or inventory regardless of whether you are required to notify the DPC or not. This must contain an internal record of the breach, the means for deciding the level of risk for the data subject, who decided the level of risk and the risk rating that was recorded. (See examples below).
Three step breach notification process:
Step 1: Determine how serious you consider the breach to be for the data subject(s).
This will involve:
- Urgently informing and consulting with your hospital Data Protection Officer (if one has been appointed);
- Assessing the type/sensitivity of the data exposed;
- Identifying the cause of the breach;
- Trying to mitigate the damage; and
- Identifying whether the personal data of vulnerable individuals has been exposed.
The GDPR defines the levels of risk as:
- Low risk: The breach is unlikely to have an impact on individuals, or the impact is likely to be minimal.
- Medium risk: The breach may have an impact on individuals, but the impact is unlikely to be substantial.
- High risk: The breach may have a considerable impact on affected individuals.
- Severe risk: The breach may have a critical, extensive or dangerous impact on affected individuals.
Step 2: Consider whether you need to notify the Data Protection Commissioner.
- If, following your above assessment, you consider that the breach presents a high or severe risk to the rights and freedoms of the data subject you must notify the DPC within 72 hours. If the notification to the DPC is not made within 72 hours, the notification should be accompanied with reasons for the delay.
- All such breach notification forms must be emailed to the Data Protection Commissioner at breaches@dataprotection.ie. All national breach and cross-border breach notification forms are available to download on the DPC’s website: www.dataprotection.ie.
Step 3: Consider whether you need to notify the data subject.
- If your investigation concludes that there is a high or severe risk to the rights and freedoms of the data subject, the GDPR requires that the data subject(s) affected must be notified without undue delay. (This period of time is not specified but we would recommend an urgent notification – within 72 hours at the latest).
- The notification should describe in clear and plain language the nature of the breach and the name and contact details of the Data Protection Officer or the contact point where more information can be obtained. Where possible the notification should provide a description of the likely consequences of the breach and a description of the measures taken or proposed to be taken by the practice to address the data breach, including, where appropriate, measures to mitigate its possible adverse effects.
What immediate steps can I take if there has been a data breach?
This will depend on the type of breach but, as an example, if the breach is by email you could:
- Make attempts to recall the email;
- Call the unintended recipient of the email, ask them not to open the email and to delete the email. Ask the unintended recipient if they printed the email or attachment and if they did ask them to shred the paper copy in the confidential waste. (Many of these steps will also apply to data breaches by post).
- Where feasible, ask the unintended recipient to confirm in writing that they have taken the above steps. You should then save this record with your breach inventory.
Appointing a Data Protection Officer (DPO)
Do I need to appoint a data protection officer?
- This is mandatory for organisations which process special category health data on a large scale. (Your hospital should most likely have appointed a DPO).
- You can appoint a DPO if you wish, even if you are not required to and it is advisable to do so, to demonstrate accountability and process, in the event that there is a reportable breach.
- Regardless of whether the GDPR obliges you to appoint a DPO, you must ensure that your organisation has sufficient staff and resources to discharge your obligations under the GDPR.
Joanne O’Sullivan is healthcare Partner at Kennedys Law, specialising in healthcare defence litigation and medical law. She is dual qualified as a solicitor in Ireland and England and Wales and was previously Deputy Head of Legal Services for the Royal Free Hospital in London.
Example breach log
Details of breach – Low risk

Date of breach: 14.06.18
No. people affected: 1
Nature of breach: Low risk
Description of breach: Emailed patient referral letter to wrong surgeon
How you became aware of breach: Surgeon contacted office on receipt of email
Description of data: Patient name, address, date of birth, and details of medical history
Consequences of breach: No consequences. Surgeon contacted office to confirm email has been deleted.

Measures taken/to be taken
All individuals informed? No
Remedial action: Surgeon deleted email and confirmed did not print copy. Secretary reminded to check email addresses against medical record details and particularly to check auto-select email addresses before sending.
When did you first notify the DPC of the breach? N/A
Was the DPC contacted within 72 hours? N/A

Details of breach – High risk

Date of breach: 15.06.18
No. people affected: 1
Nature of breach: High risk
Description of breach: Sent patient letter to wrong address
How you became aware of breach: Third party contacted office to advise letter had been sent to wrong address
Description of data: Patient name, address, contact details, details of medical history, including HIV diagnosis
Consequences of breach: Breach may have a considerable impact on patient as family and community not aware of his HIV status.

Measures taken/to be taken
All individuals informed? Yes, patient informed
Remedial action: Patient notes updated. Third party confirmed letter has been destroyed in confidential waste. Secretary reminded to cross-reference addresses on file before sending letters or emails.
When did you first notify the DPC of the breach? 16.06.18
Was the DPC contacted within 72 hours? Yes
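The three-step notification process and the breach log above are two views of the same record: the log must say what happened, who rated the risk and at what level, and whether the DPC was notified inside 72 hours. The following is an added example (not code from the article or from any regulator) that encodes that record and the decisions that follow from it, and reproduces the two example entries above. The BreachRecord structure, the suggest_risk starting heuristic and the placeholder assessor names are assumptions; the dates and descriptions come from the article’s own example log.

```python
"""Breach log entry, risk level and notification decisions.

Added example, not part of the original article. Encodes the four risk levels,
the 72-hour DPC rule and the data-subject rule the article sets out.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import List, Optional


class Risk(Enum):
    """The four levels the article lists, ordered so they can be compared."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    SEVERE = 4


DPC_NOTIFY_FROM = Risk.HIGH          # high or severe risk: notify the DPC
DPC_DEADLINE = timedelta(hours=72)   # 72 hours from the breach


def suggest_risk(special_category: bool, recipient_confidential: bool,
                 destruction_confirmed: bool, vulnerable_subject: bool) -> Risk:
    """Assumed starting heuristic for step 1 (not from the article); the person
    making the assessment still decides, and the log records their name."""
    if recipient_confidential and destruction_confirmed:
        return Risk.MEDIUM if vulnerable_subject else Risk.LOW
    if special_category:
        return Risk.SEVERE if vulnerable_subject else Risk.HIGH
    return Risk.LOW if destruction_confirmed else Risk.MEDIUM


@dataclass
class BreachRecord:
    """One entry of the breach log; fields follow the columns of the article's example."""
    date_of_breach: datetime
    people_affected: int
    description: str
    how_discovered: str
    data_description: str
    consequences: str
    risk: Risk
    risk_decided_by: str                      # the log must say who decided the rating
    individuals_informed: bool = False
    remedial_action: str = ""
    dpc_notified_at: Optional[datetime] = None

    def must_notify_dpc(self) -> bool:
        return self.risk.value >= DPC_NOTIFY_FROM.value

    def must_notify_subjects(self) -> bool:
        # The article applies the same high/severe threshold to the data subject.
        return self.must_notify_dpc()

    def dpc_deadline(self) -> datetime:
        return self.date_of_breach + DPC_DEADLINE

    def dpc_notified_in_time(self) -> Optional[bool]:
        """None when no DPC notification is required or none has been sent yet."""
        if not self.must_notify_dpc() or self.dpc_notified_at is None:
            return None
        return self.dpc_notified_at <= self.dpc_deadline()

    def outstanding_actions(self, now: datetime) -> List[str]:
        """What is still owed for this entry at time `now`."""
        actions = []
        if self.must_notify_dpc() and self.dpc_notified_at is None:
            hours_left = int((self.dpc_deadline() - now).total_seconds() // 3600)
            if hours_left > 0:
                actions.append(f"notify DPC (breaches@dataprotection.ie) within {hours_left} hours")
            else:
                actions.append("notify DPC now and give reasons for the delay past 72 hours")
        if self.must_notify_subjects() and not self.individuals_informed:
            actions.append("notify affected data subject(s) without undue delay")
        return actions


def log_line(entry: BreachRecord) -> str:
    """One-line summary as it might appear in the practice's breach inventory."""
    in_time = entry.dpc_notified_in_time()
    dpc = "N/A" if in_time is None else ("yes" if in_time else "LATE")
    return (f"{entry.date_of_breach:%d.%m.%y} | {entry.risk.name.title()} risk | "
            f"{entry.people_affected} affected | DPC within 72h: {dpc} | {entry.description}")


# The two entries from the article's example log; assessor names are placeholders.
LOW_EXAMPLE = BreachRecord(
    date_of_breach=datetime(2018, 6, 14), people_affected=1,
    description="Emailed patient referral letter to wrong surgeon",
    how_discovered="Surgeon contacted office on receipt of email",
    data_description="Patient name, address, date of birth, and details of medical history",
    consequences="No consequences; surgeon confirmed email deleted and not printed",
    risk=Risk.LOW, risk_decided_by="[assessor name: placeholder]",
    remedial_action="Secretary reminded to check addresses against the record before sending")

HIGH_EXAMPLE = BreachRecord(
    date_of_breach=datetime(2018, 6, 15), people_affected=1,
    description="Sent patient letter to wrong address",
    how_discovered="Third party contacted office to advise letter sent to wrong address",
    data_description="Patient name, address, contact details, medical history including HIV diagnosis",
    consequences="Considerable impact possible: family and community not aware of HIV status",
    risk=Risk.HIGH, risk_decided_by="[assessor name: placeholder]", individuals_informed=True,
    remedial_action="Third party confirmed letter destroyed in confidential waste; notes updated",
    dpc_notified_at=datetime(2018, 6, 16))

if __name__ == "__main__":
    for entry in (LOW_EXAMPLE, HIGH_EXAMPLE):
        print(log_line(entry))
        for action in entry.outstanding_actions(datetime(2018, 6, 17)):
            print("  TODO:", action)
```

The useful part is `outstanding_actions`: run over the log at any time, it lists which high or severe entries still owe a DPC notification and how many of the 72 hours remain, and which still owe a notification to the patient. The heuristic in `suggest_risk` is only a prompt; the rating the log records is the assessor’s decision, which is why the record carries their name.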