The managing director of Kaleidoscope Consulting talks to Lyn Whitfield from Highland Marketing about the General Data Protection Regulation, and the challenge the NHS faces in implementing it.
On his Twitter profile, David Stone says he “spends an unhealthy amount of time thinking of ways to try and improve the legal and ethical use of information in the NHS.”
So, it’s no surprise that the managing director of Kaleidoscope Consulting has spent a lot of the past few months thinking about the impact of the General Data Protection regulation on health and social care providers and their IT suppliers.
“We are doing a lot of work on readiness,” he says, “and what we are finding is a split between providers that have good IG resources, and those that do not. Although there isn’t always a correlation between the two, there’s no doubt that some people are a lot further ahead than others.”
New regime, old problems
The GDPR was approved by the EU Parliament on 14 April 2016 and will take effect on 25 May. It aims to harmonise data protection regulation across Europe, “to reshape the way organisations approach data privacy”, and to give EU citizens and residents control over what happens to their personal data.
The EU’s website describes it as “the most important change in data privacy regulation in 20 years.” However, the Information Commissioner’s Office has been stressing that the Data Protection Bill, which will incorporate the GDPR into UK law, is an “evolution” of the familiar data protection landscape.
At last year’s UK Health Show, Stacey Egerton, a lead policy officer at the ICO, told health and care delegates that if their organisations were “following good data protection practices at the moment” they would be “well on the way to doing GDPR.”
The problem, Stone says, is that a lot of health and care organisations have not been following good data protection processes. Or, the work they have been doing to prepare for the GDPR has shown they were not as good as they thought they were.
For example, he says, the Information Governance Toolkit [an online resource that NHS organisations can use to assess themselves against IG standards] covers data flow mapping, information asset registers and risk assessments.
Its requirements map closely to the GDPR, so trusts that have put themselves on the higher levels of the IGT should be well ahead. In reality, Stone says: “When you go in and look at what some trusts are doing, it becomes clear that they are nowhere close.”
“The reality of the situation is that you can map the IGT to the GDPR and that does show that not a lot is changing for health. But if you have not been doing IGT as well as you think you have been doing it, you have a problem.”
Risk based, not tick-box
While there is a lot of continuity with the old data protection regime, the GDPR does introduce some new requirements.
The Information Governance Alliance [of central NHS bodies with an interest in IG and IT] flags ten ‘headline impacts’, of which the first is a requirement on organisations to “not only comply with the new law, but to demonstrate that they comply with the new law.”
Other ‘headline impacts’ include new penalties – the well-publicised 20 million Euros or 4% of global turnover – for “any breach of the regulation, not just data breaches” and a legal requirement to report breaches to the ICO within 72 hours.
Also, a requirement to appoint a data protection officer, to conduct data protection risk assessments, and to address data protection issues “at an early stage” of projects and services that require information processing.
Stone says the GDPR’s risk-based approach is key to complying with it. “We see a lot of organisations treating this as a tick-box exercise, when it is not,” he says. “It’s all about the assessment of risk and proportional controls.”
The vexed issue of consent
Stone is concerned that some organisations have become focused on specific projects that they think will make them GDPR compliant, such as finding and logging all the personal information they hold, or establishing a legal basis for holding it.
He’s particularly worried that some organisations have become obsessed with ‘consent’ – which is one of the GDPR’s six legal basis’ for processing personal information, and an exemption for processing ‘special categories’ of data, including health data. “There is lots of confusion about consent, and some very peculiar practices going on,” he says.
“The ICO consultation suggests health should not rely on consent as a lawful basis for data processing. But we have worked on a lot of projects in organisations where people have been going around, trying to get bits of paper signed.”
This situation is unlikely to be helped by the government’s decision to introduce a single opt-out for patients who do not want to have their personal identifiable data used for planning or research on the same day as the GDPR comes into effect.
The move is a response to Dame Fiona Caldicott’s call for a “simple” opt-out for patients in her third report on NHS information governance and security. But it’s likely to add a further level of confusion for staff, who already struggle to understand when they can share information.
If trusts have problems, consider GPs…
Stone sympathises. “Dame Fiona identified a lack of IG capacity and capability as a system-wide problem, and we definitely see this as an issue,” he says. “This stuff is complicated. People say they would like to see an A4 page on it.
“But in social care there are something like 2,500 pieces of legislation that touch on personal data, and for the NHS there are maybe a few hundred. You can’t just reduce that to two sides of A4. You need people who really understand it, who can pass on that knowledge through advice and training.”
Stone says the lack of IG capacity is showing up in several areas as the NHS prepares for the GDPR. Central bodies have struggled to issue guidance; and organisations that have been waiting for it are now finding themselves up against the 25 May deadline.
Smaller organisations, such as GP practices and dental surgeries, may not make it. “I have not seen any support for small practitioners, and that is going to be a problem,” Stone says.
“A GP has been fined for a data protection breach, and that has left GPs feeling vulnerable and under-supported. I think one of the biggest risks around this is lack of support for GPs.”
Two years to get ready – ends 25 May
When it comes to compliance, Stone’s big piece of advice is to get to grips with what the GDPR is trying to achieve. “When we talk to organisations, we always say: ‘this is not a technology project, or a compliance project, it is a cultural change project,” he says.
“The GDPR has been introduced because of a change in people’s expectations about how their personal data will be handled. It translates that into rules for the use of personal data. So, organisations that handle personal data need to understand that they are going to be doing it in a regulated environment, and that they need to comply with those regulations.”
Following on from this, his other piece of advice is to avoid the tick-box mindset. Organisations, he says, need to design systems that can be “embedded into the organisation” and “work with its culture.”
With time, pressing, he adds, this will be more important than trying to track down stores of personal information and worrying about what has been done with them in the past. “Looking at the terms of the GDPR, it is better to design new systems and to run your old stuff into them, than to start at the back.
“To repeat: the GDPR is risk based. Lots of trusts struggle to understand risk-based processes, but that is what they need to do; and then they need to embed that into practice.”
Finally, he adds, NHS organisations do need to act. “I’ve heard people saying: ‘There will be a grace period’. But this has been coming in for two years. The grace period ends on 25 May.”