Primary Care Network

GDPR & security in healthcare

May 22nd, 2019 Posted in Compliance, Data Protection, Information Security

2021 update

In June, the government announced a two-month delay to the creation of a central NHS digital database from GP records in England. If you hadn’t heard about the database, you are probably not alone. The objectives are well-meaning, but the implications for sharing have given rise to concerns and led to the matter being described as a ‘data grab’ by some commentators.

Our more recent blog on this topic highlights everything you need to know about the “data grab”. You can also check out our blog on the NHS Data Strategy here.

Original blog published 22nd May 2019

Access to and the sharing of patient data will remain a hot topic over the next 12 months. This year sees the introduction of Primary Care Networks, with signups required by 19th June 2019. By March 2020 all health and care organisations are required to be compliant with the national data opt-out policy.

Both initiatives have data protection and related information security considerations. We therefore thought it would be helpful to provide some information around both initiatives along with steps to take.

In this blog, we start with Primary Care Networks.

Primary care networks background

PCNs are a cornerstone initiative of the £20.5bn extra annual funding for the NHS Long Term Plan. They are intended to address three very different challenges facing the NHS. Firstly, there is a deep workforce crisis in general practice. The number of practices closing has risen rapidly in recent years, and the most affected areas are characterised by older, poorer populations and older GPs, often in rural and coastal locations where attracting new staff has been particularly difficult. Secondly, they fill a key gap in NHS architecture: the integration of primary care with community and other services into Integrated Care Systems. Lastly, they will also be expected to play a key role in efforts to improve population health, targeting a range of conditions from preventing coronary heart disease to tackling neighbourhood inequalities.

In simple terms, the PCN plan requires that general practices join to form groups of neighbouring practices, typically covering 30–50,000 people. These practices will enter network contracts. PCNs will be expected to take a proactive approach to managing population health, first assessing the needs of their local population to identify people who would benefit from targeted, proactive support. A key component of the service delivery is the adoption of digital services (data and technologies) so that within five years all patients will have the right to access GP consultations via telephone or online.

The Implications for Patient Data

Greater efficiency through scale, pooled resources and the adoption of digital and tele-health services are clearly key objectives of PCNs. Providing access to, and combining and sharing patient data bring data protection considerations as well as information security risks. Whilst sharing patient data can have clear benefits (and is also a duty following the updated Caldicott review in 2013 and subsequent legislation) it still needs to meet the requirements of the GDPR and Data Protection Act 2018.

Patient data is clearly going to include ‘special category’ data under the GDPR. When processing (including sharing) special category data, a higher level of lawfulness is required (pursuant to Article 9 of GDPR) and the risks to data subjects are much higher because of the sensitivity of the data. It doesn’t necessarily follow that all patient data shared within a PCN is shared in the public interest, so it’s going to be important to determine the correct lawful basis for transferring patient data for different purposes.

It is also going to be necessary to implement a data sharing agreement between PCN members. NHS England has said it will produce a data sharing agreement template, but this is still awaited. As with any data sharing agreement there are a number of considerations to be determined, especially around roles and responsibilities of the parties.

Things to consider include:

  • What data is being shared, with whom and why? What is the lawful basis for sharing?
  • How will patients be informed about data sharing? How will privacy notices and communications be updated to ensure transparency?
  • Who will the data controller(s) be, or will parties be joint controllers?
  • How will subject rights requests, such as Subject Access Requests, be handled?
  • How will potential data breaches be investigated and who is responsible for reporting them if required?
  • Which data processors are used and who is responsible for ensuring suitable data processing agreements are in place?
  • Should a Data Protection Impact Assessment (DPIA) be carried out in respect of the sharing?
  • What mechanism will be used to share the data, and how will the PCN members ensure the security of the information during transit and when held by the other parties?

Securing Patient Data

The last point in the list above is critically important. The security of the data during transfer and when available to other members of the PCN is going to be paramount. With greater pressure on the NHS to deliver more for less, the ambitious plans to make efficiency gains by scaling up and making data sharing more effective will undoubtedly heighten the risk of further data breaches.

Under pressure to meet these deadlines, it could be easy for healthcare providers to lose sight of their obligation to ensure data protection ‘by design and default’ and to implement best practice security measures.

Given the scale and complexity of the NHS, it’s not surprising that data breaches are not uncommon. According to FOI requests, in 2017 the NHS reported data breaches involving nearly 10,000 paper documents which were either stolen or missing from 68 hospitals.

Our advice is to map the data flows and identify the risks associated with each step. Then apply suitable security controls to mitigate the risks on a prioritised basis. This doesn’t necessarily mean new technology. Human error is the most common cause of data breaches in our experience. Setting out minimum employee expectations, roles, responsibilities and providing training aligned to clear policies and procedures is going to be important.

How We Can Help

We have worked with NHS trusts as well as health and social care providers and we understand that staying on top of all data protection and information security risks is challenging. Resource and budgets are tight and the environments in which you work can be complex.

If you need assistance to ensure your PCN is meeting your data protection obligations and managing security risks, we can help. If you’d like to discuss your requirements or just get some informal feedback, please do contact us.


Written by Philip Harris

Philip consults on data protection and acts as outsourced DPO for clients. He has a long history of working with innovative, technology led businesses and in technology licensing. He is experienced in building and supporting operational and compliance business functions, including HR, ICT, H&S and Quality Management Systems. Phil is also Operations Director at Evalian™. His qualifications include IAPP CIPP-E, ISO 27001 Lead Implementer, CIPD and APM. He also holds an MBA from Imperial College.