Failing to protect sensitive personal data can have serious and distressing consequences for patients and their families but practices pay a heavy price too. As well as the breakdown of trust with patients and adverse publicity, the Information Commissioner’s Office (ICO) can impose fines for serious breaches of the Data Protection Act (DPA).
The Government plans to introduce a new set of ten data security standards for GP practices following recommendations by the National Data Guardian for Health and Care. The proposed new standards address staff training, regular audits of processes and systems and the need for properly supported operating systems and software. Details are yet to be finalised but they will be enforced by the CQC as part of its inspection regime.
Ahead of the new standards, it may help to consider these questions when reviewing the adequacy of your existing arrangements:
1. Do we comply with the law?
The DPA requires you to take appropriate technical and organisational measures to ensure personal data is protected from unauthorised or unlawful processing, accidental loss, destruction or damage. The ICO says this includes being clear about who is responsible for ensuring information security; having robust policies and procedures and well-trained staff; and being ready to respond swiftly and effectively to any breach.
GP practices can voluntarily report breaches to NHS Digital (formerly HSCIC) through its Information Governance Incident Reporting Tool. Where an incident’s severity rating is assessed as serious the ICO, NHS England and the DH are then informed by automatic e-mail.
You can read the ICO’s full guidance for healthcare providers here.
2. Do we meet our ethical requirements?
Paragraphs 12-16 of the GMC’s Confidentiality guidance address doctors’ ethical obligations to protect patient information. GPs not in a management role should familiarise themselves with this and follow workplace policies and procedures such as not sharing passwords (including not using the same password for multiple accounts); only accessing information if they have a legitimate reason; and being prepared to raise any concerns about information governance.
GPs with management responsibilities for patient information must ensure data is held securely and staff are trained and understand their responsibilities. Managers also need to get advice (eg from your Caldicott guardian) when selecting data providers and make sure administrative information, such as addresses, can be accessed separately from clinical information.
Part of your ethical requirements are to ensure patients understand how information about them will be collected, stored and used and how their confidentiality and privacy will be protected. (Paragraph 41 of the GMC’s Leadership and management for all doctors). This can be achieved by publishing your practice’s data protection policy online and/or on your practice noticeboard or practice leaflet.
3. When is data most vulnerable and how can we address weaknesses?
No manual or electronic system will ever be 100% secure but it’s important to know when you are most vulnerable and target your efforts accordingly. Activities that might cause problems include the transfer of unencrypted electronic records to other healthcare providers, the use of mobile electronic devices such as memory sticks which have the potential to be mislaid and the disposal of old computers or records.The UK health departments have guidance on the management and disposal of records.
All NHS organisations (CCGs in England or health boards outside the UK) should have a Caldicott Guardian responsible for protecting the confidentiality of patient and service user information and it’s a good idea to seek their advice about data security issues. NHS Digital also has a range of good practice guidelines on information governance.
In addition, look out for new guidance as NHS Digital is planning to refresh its Information Governance Toolkit to provide more tailored support. GP practices are already expected to complete the toolkit each year to evaluate their information governance procedures and security systems.
4. Does everyone understand their responsibilities?
Human error is perhaps the most common cause of data breaches so staff training is essential. As well as regular updates on data protection, it’s important that staff understand how to handle, store and transmit information securely. It is also important to include a confidentiality clause in employment contracts and written contracts with third party suppliers.
I would strongly advise practices to have an information security policy for staff and a designated person to oversee data protection. Points to cover in the policy might include a ban on password sharing and rules relating to the use of home computers or mobile devices.
Dr Sarah Jarvis is a medicolegal adviser at the MDU