
GDPR, DATA PROTECTION AND THE PRACTICE

Data protection law has been with us for some time and was last updated nearly 20 years ago. However, over the last few years Europe has become more aware of a need for an update to the legal position and, finally, in May 2016, it adopted the General Data Protection Regulation [1] (GDPR).

As a piece of legislation, the GDPR represents the biggest shake-up in data protection law for years. Interestingly, and surprisingly for some considering the vote in June 2016, this European regulation will come into effect on 25 May 2018 and will be directly effective within the UK. Nothing, not even Brexit, will save a practice from having to comply.

Data protection is naturally a serious issue for those in the medical professions. In terms of optometry, the General Optical Council (GOC), in its Standards of Practice for Optometrists and Dispensing Opticians [2], makes clear reference to the need for maintaining patients’ confidentiality and respecting their privacy. With vast amounts of personal data, some of it relating to children, practices clearly need to recognise that the GDPR is heading their way and that they have just months to understand the rules and make the necessary changes.

BACKGROUND

The GDPR replaces the current Data Protection Act 1998 [3] (DPA) and it builds on and upgrades its requirements; it imposes much stricter obligations on businesses and organisations alike and brings in a whole new set of legal requirements relating to the protection of personal information – with sky-high fines for non-compliance.

In simple terms, the main drivers behind the GDPR were: the need to bring data protection law up to speed with technological advances and current usage, which had outstripped the limits of the current legislation; to rebalance the relationship between individuals and those using their details, returning power and control to those individuals; and to deliver a more harmonised approach to data protection requirements across the EU member states.

As noted, the GDPR will come into force on 25 May 2018, 10 months prior to the UK’s planned exit from the EU.

The Information Commissioner’s Office [4] (ICO) has made it clear that the UK should continue to prepare for GDPR and the government has also confirmed that GDPR will continue to apply.

Following any departure from the EU, some limited changes may be made to the GDPR as it is adopted into UK law, but it is unlikely that any significant changes will be made. Even so, practices should not expect the GDPR requirements to be watered down in the UK, nor that the ICO will overlook breaches of those obligations. Those wanting to steal a march can see the government’s line of thinking in the Data Protection Bill [5] that it intends to introduce into parliament.

While more likely to affect optical manufacturers than practices within the UK, it’s still worth noting that those businesses outside the EU may have to comply with the GDPR if they are monitoring the behaviour of individuals in the EU, or targeting sales of goods and services at them.

Being outside of Europe introduces more data protection problems for British businesses and organisations. Brexit means that the UK may no longer automatically be recognised as being a ‘safe place for personal data’, meaning that additional steps – such as using EU-approved model clause data transfer agreements – may need to be taken to ensure flows of personal data from the EEA to the UK are lawful and can continue to be made. This may be an issue where, for example, products are made to order for UK customers by European manufacturers with personal data attached to the order.


Association of British Dispensing Opticians

LEADERSHIP


A NEW PENALTIES REGIME

A key change brought in by the GDPR is a much tougher line on enforcement. Regulators across the EU will have the ability to fine businesses in breach of the regulation up to the higher of €20m (£18.2m at the time of writing) or four per cent of annual global turnover, which may be calculated on group-level turnover. This is a radical step up from the maximum £500,000 that the ICO can levy at present.

Considering the new in-bound penalty regime, it is interesting to contemplate how past instances of Data Protection Act breaches by the medical profession would have been treated had the GDPR been in force. Take, for example, the warning given to Optical Express (Westfield) Limited [6] by the ICO in January 2015 after 4,600 individuals registered concerns about the company in just seven months. They reported unsolicited messages to the mobile phone networks’ Spam Reporting Service, indicating they had not given permission for the company to use their details for marketing.

In October 2015, Pharmacy2U Ltd [7] sold details of more than 20,000 customers to marketing companies and was subsequently fined £130,000 by the ICO. Pharmacy2U had offered the customer names and addresses for sale through an online marketing list company. And in February 2017, the ICO fined a private health company, HCA International Ltd [8], £200,000 for failing to keep fertility patients’ personal information secure.

KEY CHANGES

The new fines regime is understandably designed to enforce the importance of the new obligations on those holding and processing data. They will need to be aware that the GDPR concerns itself with matters such as the provision of privacy notices to individuals, or the clauses to be included in agreements with service providers.

In addition, there are many new obligations which will be unfamiliar in the UK, including the use of mandatory data protection officers and legal obligations to report security breaches. There are many material changes to data protection law.

For further information visit www.abdo.org.uk/business-hub/ Page 2

Data controllers and data processors

Presently under the DPA, obligations fall on a data controller – here, the business or organisation deciding what personal data to collect and what to use it for – say a practice collecting patient data. It does not affect service providers (a data processor) when handling personal data on behalf of their clients, say the business running the payroll on behalf of the practice.

GDPR changes this approach entirely and imposes certain new legal obligations directly on data processors. It also exposes data processors to enforcement action from regulators like the ICO, including the possibility of fines, and exposes them to the risk of individual compensation claims from affected individuals.

Data controllers, i.e. practices, must vet data processors to ensure they are capable of meeting the requirements of the GDPR, particularly in relation to security. It will be important for them to know who is being contracted with, any proposed sub-contracting, and where providers and sub-contractors are based and will provide their services from.

Practice contracts with data processors must contain a detailed list of provisions to comply with the GDPR. These obligations are not limited to data security but also include co-operation to facilitate individuals (staff or patients) exercising their GDPR rights and also undergoing audits. The mandatory contract terms also need to be passed down in their entirety to sub-contractors. It will be challenging for practices to comply with the GDPR when dealing, for example, with cloud providers who hold practice data offsite.

Current contracts, which continue post May 2018, must be reviewed and upgraded to ensure compliance with the new requirements, and all new contracts should take account of the GDPR’s requirements, including the mandatory obligation to ensure privacy by design and default.


Fair notice requirements

Another key change for data controllers relates to fair notice. This is the information contained within any privacy policy or notice explaining to employees, patients and suppliers how their personal information is used. The information that is required to be provided before the data controller – the practice – collects and uses any personal information has increased significantly. The emphasis here is on transparency.

Individuals will be accustomed to being told that their details are being used and which details are being kept and why; but they are unlikely to have been provided with much more detail. Under the GDPR, prescriptive details are mandatory. Not only must practices explain why they use the personal details but also the legal basis for such use – say to keep a medical history up to date, or to comply with legal obligations to report on staff payments to HMRC.

It’s important to know and explain whether the personal details will be transferred outside the EEA and on what legal basis (if, for example, payroll processing is carried out overseas or if a US-based cloud provider is being used to hold patient records). The recipients, or categories of recipients, with whom those firms may share the personal data must be noted. The retention period during which details will be kept, or the criteria for determining that period, must also be explained to individuals.

In addition, practices need to spell out the various individual rights which apply under the GDPR and explain how those rights can be exercised – as well as providing information about the right to lodge a complaint with the supervisory authority (here, the ICO). This means that practices need to be clear on what they collect, why it is collected, what is done with that information, including who it is shared with, where it is sent and how long it is kept for.

Consent

Under the DPA, use of personal data requires businesses to meet at least one lawful ground to do so. In the past, they have often relied upon consent. The GDPR continues that requirement for a lawful basis of use but makes it more important, as the legal basis selected must be explained to individuals. In addition, reliance on consent, especially in a patient context – even more so where children are involved – becomes far more challenging.

In essence, under the GDPR consent cannot be implied. Consent is now something that comes with a warning label and should be avoided where possible. Individuals can withdraw their consent at any time (and also have enhanced rights under the GDPR when consent has been given and is being relied upon).

Any consent given must be clear, unambiguous, freely given and informed. Consent also cannot be bundled with other matters (i.e. within an employment contract or a monthly contact lens contract) and records of consent must be kept. It is therefore key to look to other lawful grounds for processing personal data such as, for example, where the processing is necessary to look after a patient.

An area of concern for all is that draft guidance from at least one of the supervisory authorities regulating this area, including the ICO [10], has said that if consent obtained prior to the GDPR does not meet the requirements of the GDPR, it cannot be relied upon after 25 May 2018. Practices, in other words, need to revisit their past documentation.

Mandatory security breach notification

The GDPR creates a new legal requirement for the mandatory reporting of any personal data security breach if there is any risk to the rights and freedoms of the individuals whose personal information is involved in the breach (such as employees or patients).

A security breach is where there is unauthorised or unlawful access to, or loss of (including deletion), personal information. This could be down to something as simple as accidentally typing in the wrong email address and so sending patient reminders to the wrong addressee, losing a laptop containing personal data, or criminal theft of data following a hack.

Indeed, criminal access to data will not absolve a practice from the risk of penalty. Back in June 2017, the ICO issued a £60,000 fine to Boomerang Video Ltd [9] after it suffered a cyber-attack. The fine followed an investigation by the ICO, which found that the Berkshire-based company had failed to take basic steps to stop its website being attacked.

The notification to the ICO (or the relevant supervisory authority, depending on the details of the breach) must be made within 72 hours of becoming aware of the breach. Importantly, if the breach comes to attention on a Friday afternoon, that means working through the weekend to be able to comply. It is absolutely vital that practices have the necessary security measures in place, procedures to spot a security breach, and the correct staff training.

Currently, based on records on the ICO website, security breaches present the biggest risk area for fines and enforcement action. It is important for practices to have clear policies and procedures in place to help quickly assess the situation and report when necessary.

CONCLUSION

It has taken 20 years for businesses and organisations to get used to the DPA. Adjusting to the GDPR will not be an immediate single project but a long-term programme of awareness and change. While there may be some who consider the GDPR relatively unimportant compared to running their practice, as they will find, should there be a breach or complaint, the authorities will have some particularly potent penalties with which to punish non-compliance.

LEGAL COMMENT

Liz Fitzsimons, a partner in the privacy, cyber and information team at Eversheds Sutherland (International) LLP, says that: “The GDPR will have a significant impact within the UK, so practices should make sure the key individuals and stakeholders within their business are aware of the GDPR and its implications”.

Liz considers that the start of the GDPR journey for each practice should involve taking stock of their data position. “Practices should seriously look at what personal information is held, why it is held and whether or not there are still lawful reasons to retain and use it. Many businesses are currently completing audits to help them assess what they have, what they really need and what they should no longer hold.”

From this position, explains Liz, the process can be assessed to allow decisions to be made on what basis relevant details “can be lawfully used and how long the details can be retained for.” The point she makes here is that decisions on those issues will help with any review and amendment of privacy notices and policies that are issued to individuals. “In parallel, privacy information should be separated from contract terms wherever possible and if consent is still to be requested, a suitable GDPR form of consent must be prepared and obtained.”

Her advice also extends to examining contracts with third party suppliers and service providers. “These should be reviewed to see if they extend beyond May 2018. It is unlikely that these contracts are GDPR compliant, so their terms need to be adjusted and a new contract template prepared for new terms being negotiated.”

Lastly, Liz advises practices to check the procedures that are in place for any security breach handling and reporting. “It may be that there are none or that the process needs revising. Even so, it is vital that the correct measures are in place and staff are aware of how to recognise a security breach and who to inform.”

ICO ADVICE

The ICO has published a nine-page document, Preparing for the General Data Protection Regulation: 12 steps to take now [11], which offers guidance to those needing to comply with the GDPR. While it takes a broad-brush approach to the subject, it is useful in that it provides a structure for considering the position of data protection within a practice. It covers matters such as information held, communicating privacy information, individuals’ rights, subject access rights, processing data, consent, children, handling data breaches, and the need to appoint data protection officers.

A data protection self-assessment toolkit [12] is also available from the ICO. Even with the guidance from the ICO, practices should still consider what help and outside advice they need and seek it accordingly.

Adam Bernstein is a freelance business writer and writer’s agent based in Oxfordshire. He holds a degree in government, politics and modern history and has 30 years’ experience in running a small business that serves the business-to-business magazine sector.

REFERENCES

1. Regulation (EU) 2016/679 of the European Parliament and of the Council. Available from http://eur-lex.europa.eu/legalcontent/en/TXT/?uri=CELEX%3A32016R0679. Accessed 23 August 2017.

2. General Optical Council. Standards for optometrists and dispensing opticians. Available from https://www.optical.org/en/Standards/Standards_for_optometrists_dispensing_opticians.cfm. Accessed 23 August 2017.

3. The Data Protection Act. Available from https://www.gov.uk/data-protection/the-data-protection-act. Accessed 23 August 2017.

4. Information Commissioner’s Office. [GDPR] Guidance: what to expect and when. Available from https://ico.org.uk/for-organisations/data-protection-reform/guidance-what-to-expect-and-when/. Accessed 23 August 2017.

5. Government to strengthen UK data protection law. Available from https://www.gov.uk/government/news/government-to-strengthen-uk-data-protection-law. Accessed 23 August 2017.

6. Information Commissioner’s Office. Eye care firm warned ‘Stop nuisance text messages’. Available from https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2015/01/eye-care-firm-warned-stop-nuisance-text-messages/. Accessed 23 August 2017.

7. Information Commissioner’s Office. Enforcement action against Pharmacy2U Ltd. Available from https://ico.org.uk/action-weve-taken/enforcement/pharmacy2u-ltd. Accessed 23 August 2017.

8. Information Commissioner’s Office. Private health firm fined £200,000 after IVF patients’ confidential conversations revealed online. Available from https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2017/02/private-health-firm-fined-200-000-after-ivf-patients-confidential-conversations-revealed-online/. Accessed 23 August 2017.

9. Information Commissioner’s Office. Enforcement action against Boomerang Video Ltd. Available from https://ico.org.uk/action-weve-taken/enforcement/boomerang-video-ltd/. Accessed 23 August 2017.

10. Information Commissioner’s Office. Consultation: GDPR consent guidance. Available from https://ico.org.uk/media/about-the-ico/consultations/2013551/draft-gdpr-consent-guidance-for-consultation-201703.pdf. Accessed 23 August 2017.

11. Information Commissioner’s Office. Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now. Available from https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf. Accessed 23 August 2017.

12. Information Commissioner’s Office. Data protection self assessment toolkit. Available from https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment-toolkit/. Accessed 23 August 2017.

By Adam Bernstein