
NHS Trust boards must take control of new data laws – or face the fines

Rachel Rowson

There will be no excuses for the NHS organisations on day one (25 May) of the General Data Protection Regulation – the new rules to put citizens rather than companies and states back in control of their data. Those not compliant will face potentially significant fines and reputational risk.

The NHS’s compliance efforts will effectively be in the public domain, and trusts also face a potential double whammy of financial risk: money needs to be made available immediately to cover the costs of scaling up resources to implement and comply with GDPR, on top of the threat of hefty fines for non-compliance.

This blog examines how prepared the NHS is for GDPR; the uncertainty about how GDPR applies to the health service, and the steps trust leaders and their organisations must take to best manage the risks.

A quick guide to GDPR

GDPR attempts to balance progress with privacy, putting citizens back in control of their personal information. It is the most important change to data protection in 20 years, intended to make the law fit for purpose in a contemporary world where data and its uses are very different from ten years ago, when the previous legislation was produced.

Reducing timeframes is a theme across GDPR. Data breaches now need to be reported within 72 hours. Based on data from the ICO, healthcare reports four times more data breaches than any other sector, so having a slick reporting process in place will be a necessity.

This will have far-reaching consequences for the NHS and it is essential that NHS executives take urgent action to ensure that plans are in place as the 25 May deadline approaches, to avoid penalties for non-compliance.

The scale of potential fines has been well publicised and can’t be ignored. The financial penalty of being found to breach the regulations is a maximum of €20m (£18m) or 4 per cent of global annual turnover.

This would be significant even for the biggest multinational company and could be devastating for a cash-strapped NHS body. NHS executives are well aware of the threat of these fines, but what they seem to be most worried about in the short term is implementing the detail of the regulations (which, in the long term, will mitigate the threat of fines).


Uncertainty for the NHS

Firstly, there is some good news. What is clear from my dealings with NHS executives is that trusts are already on a journey to be compliant with GDPR.  If trusts are already following existing guidance then they are 80 per cent of the way to being ready for 25 May. But the other 20 per cent is where the risk lies.

Boards are grappling with uncertainty about how much risk they are exposed to for parts of the regulations which aren’t fully implemented by May.  As GDPR is ‘general’, and not sector specific, how the regulations are applied to NHS bodies is not yet clear.

The ‘12 steps to take now’ from the Information Commissioner’s Office is helping trusts get preparations in place. But guidance specific to the health service has been delayed from the Information Governance Alliance and this has created uncertainty about how the rules will be interpreted and applied to the NHS.

In reality it is likely that we will only have certainty about how GDPR applies to trusts as regulators intervene in areas that they consider to not be compliant, as case law builds over time and as specific central guidance for the NHS is published.  Managing risk over the next two years is going to be key to not becoming part of case law.


Questions of consent

Proactive consent is one of the tricky issues for the NHS. It will no longer be enough to use any stored data about an individual without explicitly obtaining their consent. As soon as previously collected data need to be reused, new consent for the holding and use of those data will be required before they can be used in continuing care.

This explicit consent applies not only to critical health information, but also to more run-of-the-mill data, such as mailing lists used to inform the community about developments in a local hospital or about additional services provided by a trust. Keeping and using personal contact details of individuals must have a proactive opt-in, and this is one of the most important areas to get in order now. Consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in: consent cannot be inferred from silence, pre-ticked boxes or inactivity.

Enabling citizens to be more engaged with and in control of their personal data will also have implications for how much resource trusts need to spend on providing prompt responses to citizens’ enquiries about their data (subject access requests).  Timelines for responding to citizens’ requests will be reduced from 40 days to one month.

Fees which may previously have been chargeable to an individual for access to their personal information and health records will now be abolished. So trusts need to be prepared to rapidly scale up capacity to process an increased volume of requests in the shortened timeframe and with no fees paid, and this thinking should be done now.

The full implications of GDPR on the health service are currently unknown.  It is imperative that NHS trusts get their house in order, to avoid the possibility of bad publicity and loss of trust with the public.  Should compliance efforts fall short in any way, there will be no hiding.