osborneclarke.com
Challenges and Opportunities in the Paperless NHS and Beyond: A Data Protection Perspective
Emily Jones, Partner
4 June 2014
Data protection compliance in context
Challenges
Private & Confidential
NHS is facing:
1. Huge increase in volumes of sensitive data
2. Public perception issues
3. Fines and enforcement action
4. Political and public pressure to improve data handling
A paperless NHS will bring new challenges in these areas.
Snapshot of recent health sector audit
19 audits carried out primarily with NHS Trusts by the ICO during 2013:
Passwords
• Lack of simple password controls
Policies
• In place but compliance not always effectively monitored
Record tracking
• Records tracked but not all conduct audits for missing files
• Concerns regarding security of physical records
Fax machines
• Concern regarding use of fax machines for sending personal information
Information governance
• Appropriate risk registers
• Risk assessments
• Regular review
Impact on suppliers
• Demonstrating compliance is key
• The Data Protection Act 1998 says: "Appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage"
• Competitive advantage for suppliers with a focussed approach to data protection using:
- Data retention practices
- Good management of data storage and destruction
- Careful and well managed use of sub-contractors
- Robust security measures
- Staff reliability processes
- Barriers to overseas data transfers
- Regular audits and disaster recovery
Improving compliance and mitigating risk
1. Assign responsibility to a DPO
2. Implement a training programme
3. Review and update policies
4. Review approach to hiring sub-contractors
5. Use of encryption
6. Security breach notification
7. Insurance
Non-compliance – the "so what?" question
It's not only about the fines and contract breaches
1. Negative impact on share value
2. Negative impact on current and future customers (private and public sector)
3. Breach of contract (liability)
4. Diversion of time and resources
5. Staff trust
Opportunities
Big data:
• Commercial use and benefits vs. concerns about identification
Anonymisation:
• Concern about "true anonymisation"
Mobile health/agile working:
• Drives efficiencies
• Security and monitoring issues
Tracking access to records:
• Improvements to audits
Data protection obligations:
• Restrictions on transfers outside the EEA
• Keep data accurate & up-to-date
• Retain data for an appropriate period
• Respond to data subject requests
• Annual notification obligation
• Get opt in / out consent for email / SMS marketing
• Screen against TPS/FPS "do not call" lists
• Get opt-in consent to use cookies
• Data must be relevant and not excessive
• Notify ICO of security breaches (not yet compulsory for all)
• Knowledge/Consent

Potential future data protection obligations:
• DPO requirement
• Enhanced data subject rights:
- right to be forgotten
- data portability
• 24 / 72 hours to notify data / cyber breaches
• Fines to increase (>2% world-wide turnover or €1m)
• Expanded definition of personal data
• Data processor responsibility
• Higher level of consent required
• Increased use of Privacy Impact Assessments (PIAs) and emphasis on accountability
• Processor BCRs
• Annual notification scrapped
Contact
Emily Jones
Partner
T +44 (0) 117 917 3652
M +44 (0) 7824 491
[email protected]