New rules introduced this month could see GP practices fined up to £500,000 for a serious patient data breach, but there are many things you can do to protect yourself, explains Dr Catriona James.
GPs are already obliged to ensure information about patients is held securely, but beefed-up data protection rules will come into force this month.
The Data Protection (Monetary Penalties) Order 2010 will come into force on 6 April 2010 and could see GP practices facing fines of up to £500,000 for serious breaches of the Data Protection Act (DPA).
This article will outline the new procedures on data protection and how GPs can avoid falling foul of them.
What is changing?
The new order is designed to act as a serious deterrent to those data controllers who recklessly flout data protection principles by, for example, using unencrypted laptops containing personal information.
GPs are already under an obligation to hold patient records securely and to make use of professional expertise when choosing and using systems to record, access and send electronic data (GMC Confidentiality guidance, paragraphs 14 and 15).
The Information Commissioner’s Office (ICO) will be able to impose fines where there has been a serious contravention of the DPA that is likely to cause substantial damage or distress, and where the contravention was either deliberate, or the data controller knew or should have known of the risk but failed to take reasonable steps to prevent it.
Reasonable steps include carrying out a risk assessment or having a policy in place to encrypt all portable devices including laptops.
The Government says it estimates that the Information Commissioner will need to use his new powers in around eight cases a year. Safeguards have also been introduced to ensure that penalties are administered fairly.
The Commissioner will first issue a notice setting out the details of the breach, the proposed penalty, the next steps and how the data controller can make representations. Any penalty notice would only be issued after the representations had been received and considered by the Commissioner or the deadline for the representations had passed. Data controllers also have the right to appeal against any penalty notice received.
The ICO has said it will take a ‘pragmatic and proportionate’ approach to issuing any fine and will take into account an organisation’s financial resources, sector, size and the severity of the data breach. The ICO has also published guidance on the use of its new powers to issue fines which is available at www.ico.gov.uk.
How can my practice ensure electronic information is secure?
GPs who act as data controllers should ensure they understand their legal duty under the DPA to ensure personal information is held securely and protected from unauthorised or unlawful processing.
There may be a greater potential for loss of data that is held electronically because it is more easily transmitted and more portable. With this in mind, the MDU advises doctors to:
• Avoid inputting patient-identifiable data onto personal mobile devices such as memory sticks and PDAs
• Ensure you have an information security policy in place, covering issues such as the use of laptop computers, and that all staff are aware of and follow it
• Never put patient data on your personal computer – it could lead to confidentiality breaches and it is notoriously difficult to erase some information permanently from a hard disk
• Consider taking advice from IT specialists about ensuring the security of practice computer systems
• Be aware of GMC and NHS guidance on this issue. For example, Connecting for Health’s Good Practice in Mobile Computing, covering the secure use of laptops, PDAs and other mobile devices (February 2008)
• Report any loss of data to the nominated senior person within your practice, so that action can be taken and affected patients and the Information Commissioner informed if appropriate
Dr Catriona James is a medico-legal adviser at the MDU