Nine ways to avoid costly data breaches
GPs will face increasing demands to share data – so it is essential to understand the regulations. Dawn Monaghan from the Information Commissioner’s Office explains.
Data protection is likely to become a hot topic as GPs enter the new world of clinical commissioning. Under CCGs, GPs are likely to be sharing more of their patient and other data with many other organisations – both within and outside the NHS.
Priorities for GPs are:
- to make sure they fully understand their obligations under the Data Protection Act and Freedom of Information Act
- to put practical systems in place to ensure they can meet those obligations.
GPs need to be sure that they fully understand that they can share data, but must identify the risks associated with that sharing and mitigate them. The following nine points will help GPs ensure practice data is protected and that they understand what information can and can't be shared.
1. Beware of information breaches
Activities that can risk data breaches include putting data onto memory sticks or sending data home to work on without using a secure network or encryption process. If any data is downloaded to a mobile device, it should be encrypted. There is guidance on the Information Commissioner's Office (ICO) website about suitable encryption packages. There are a number of different commercial options available, and data controllers should ensure they meet the current standard, such as the recommended FIPS 140-2 (cryptographic modules, software and hardware) and FIPS 197.
If GPs are working from home or sending information to somebody else, they should always use NHS.net and send data over a secure connection. This doesn't always happen, particularly in small organisations where people may send data to their Hotmail account, for example.
We also see a lot of breaches involving faxes. Our guidance is not to use a fax machine as a secure means of transferring data. If you have no other option, there must be stringent policies in place and staff must be trained in how to use the policies – for example, staff should ring the recipient and make sure someone will be at the machine to collect it immediately, double-check the fax is being sent to the right number and ring back after the fax has been sent to make sure it has arrived.
There is also the issue of staff unlawfully accessing or using data. This is usually because of incompetence rather than for malicious reasons. Staff must be made aware that they only have access to data for certain purposes and are not allowed to use it in any other way.
Another common data breach is when someone – for example, a private detective – pretends to be someone's relative in order to blag information over the phone. Practices could use security passwords or questions to put to enquirers before providing them with personal data.
2. Remember that the GP holds responsibility for the data
GPs have obligations under the Data Protection Act, but staff at the ICO often find they pass on their responsibility to the practice manager too readily. A GP is able to delegate the tasks, but not the responsibility – if something happens to data held by the practice, the GP is seen as the ‘controller’ of that data regardless of their involvement or otherwise in a breach.
GPs should make sure the people they are delegating to are fully aware of what the obligations are and how they must deliver them. It is also important that the person delegated to makes the GP aware of:
- how the data is being managed
- whether security measures are working
- what data monitoring systems are in place
- what agreements cover sharing arrangements if data is being shared.
GPs and their staff are already very aware of issues of confidentiality. What often needs more consideration is how data is stored, who has access, how it is shared and awareness of what GPs' responsibilities are.
3. Report data incidents
When you've had a breach – such as losing a memory stick containing personal data that you know is not encrypted – it's worthwhile reporting it. The ICO can help in ensuring the right questions are asked, such as: what data was on the memory stick, was it encrypted and what has the GP done about it? We can make an assessment and recommend what systems to put in place to make sure it doesn't happen again. Practices can then handle the matter themselves with our support and assistance, which helps protect the practice and the GP's reputation.
4. Put systems in place to avoid future breaches
You should know what personal data is held and how it is stored. Establish where the risks are and identify weak points in security measures. Monitor staff awareness of security and consider setting up a group to discuss ‘what if?’ issues. Data security is a role for the information governance lead rather than the information technology lead – although in general practice, the practice manager may cover both roles. It is not just to do with technical aspects – the data controller should have both technical measures, such as encryption, and organisational measures in place. Most of the breaches we see are to do with human error, not technology.
5. Tailor training for your staff
It is important to tailor training to the needs of your staff. There is no point in sending staff to a conference on data protection to be subjected to a day of legalese. Staff need practical training in areas such as: what do GPs need to do? What is the role and responsibility of the practice manager? What is everyone else's role and to what level do they need training? GPs should contact the information governance manager at their PCT or CCG for advice about good local courses.
The Department of Health's Information governance online training toolkit is a good place to start to raise awareness when you have a new member of staff, or staff who have never been trained in data protection. However, beware of using it as a tick-box exercise – don't assume your staff are trained because they have done the toolkit.
6. Be clear about handling data access requests
There are currently two means of requesting access to information. Personal data can be accessed by the individual in question under the Data Protection Act, via a subject access request. If a practice receives a subject access request in writing, the data must be provided to the individual making the request within 40 days. Practices can charge a fee, but be careful that all the data the practice holds on the individual is provided – not just the patient's medical records, but also items such as emails or letters.
The Freedom of Information Act covers access to official, rather than personal, information – for instance, if someone asked the practice to provide them with its policy on chaperoning. If a patient wants information the practice holds about themselves, that is more complicated. It might fall outside the Freedom of Information Act and into data protection, as there might be personal information involved. There might also be third-party data that is exempt.
If a patient is requesting their own personal data it needs to be provided, and if it's official information it needs to be provided unless it is exempt – for instance, if disclosure would be likely to prejudice a criminal investigation or someone's commercial interests. There is a list of exemptions on the ICO website.
7. Understand the regulations about data sharing
Data requests from sources such as the police, social services or the CCG can be complex. They are data sharing, rather than a request for information. Data sharing means the disclosure of data from one organisation or more to a third-party organisation or organisations, or the sharing of data between different parts of an organisation. Each situation is very dependent upon the circumstances.
A data controller cannot share information unless certain criteria are met. In the case of sensitive personal data, it must meet one of the criteria in both Schedules 1 and 2 of the Data Protection Act (which cover areas such as whether the person the data relates to has consented to it being shared, how the data was obtained, how long it is kept, whether it is being transferred outside the European Economic Area and whether processing is necessary to protect the individual's ‘vital interests’). If you get explicit consent from an individual to share their data with someone else, that would be compliant, but often that is not practical or possible.
It is incumbent on the data controller to decide whether or not to share the data, based on whether they think they have the grounds to do so. Information on data sharing can be found in the ICO's data sharing code. This includes a checklist covering such questions as whether sharing is justified, whether you have the power to share, key points to consider and how to record your decision.
Specific legislation covers data sharing with certain organisations – the police, for instance, can obtain a court order to access information.
8. Check your marketing policies are ICO-compliant
Marketing communications fall under the Privacy and Electronic Communications Regulations, which set stringent rules on what practices can and can't market to people. The key point to bear in mind is: what did you collect the data for in the first place? Would those people expect to receive information relating to that?
A patient knows their GP is collecting their data for the purposes of healthcare, so if the practice was marketing a Well Woman clinic to them that should be perfectly safe.
But if the practice were to share a patient's contact details with a company selling smoking patches, it could be in trouble as the information wasn't collected for that purpose.
9. Don't let information governance hold your practice back
GPs often think they can't do something that involves sharing data because of data protection legislation.
But not sharing data can be just as dangerous as sharing it – GPs just need to be confident that they are familiar with what can and cannot be done. It should be treated as any other business process. Ask yourself: what am I doing and why? What are the risks? Can I mitigate them?
Dawn Monaghan is the group manager for public services at the Information Commissioner's Office