Yesterday, in a live webinar, Michael Abtar, CEO of IG Smart Ltd, delivered an insightful presentation on lawful and secure patient data sharing.
IG Smart is a data protection and privacy consultancy with extensive experience of working with healthcare and healthcare technology clients. Their services include helping clients with GDPR, DPO and Cyber Security.
Watch a recording of the webinar here or read our overview below.
Unprecedented times
Speaking of the times we find ourselves living in, Michael said:
“The whole population is at risk with unprecedented demand for services and restraints on resources.”
“There is an ageing population with a growing number of people with complex comorbidities.”
“There is a need for better access to accurate patient information to save lives, improve outcomes and reduce costs.”
“Increasingly malicious and constantly evolving threats, with enhanced regulatory scrutiny.”
“But, it is not all necessarily doom and gloom.”
“There are opportunities to leverage patient data and healthcare technology for research, innovation and new ways of working.”
When is it lawful to share data?
Michael talked about when it is lawful to share data.
“In times of need, where it is absolutely within the patient’s vital interest or in the public interest.”
“Such as preventing the spread of coronavirus, it is ultimately a legal duty to share information.”
“However, the sharing must be proportionate; you must keep a record of processing activity.”
“The Information Commissioner has been clear that they understand that resources are restrained, we may not be able to work at optimum levels; they have signalled that ultimately, if data is being used and shared for the purposes of direct care, they’re not going to be penalising organisations that have to prioritise other areas and adapt ways of working.”
“Pragmatism saves lives – sharing out of necessity where you should always put vital patient & public interests first.”
Michael went on to talk about what you may need to do, what you may not have time to do, and what you must find time to do in respect of data sharing:
What you may need to do
“Cut red tape, outsource to partners and 3rd parties, share across organisational and geographical boundaries, work remotely.”
What you may not have time to do
“Conducting a detailed DPIA, getting all partners to understand and sign a data sharing agreement, time to go through detailed information governance approvals process.”
What you must do
“Use a minimum amount of confidential information required, keep a record of processing activities, keep data secure, maintain data quality.”
NHS Act 2006
Michael talked about the basis for sharing under section 251 of the NHS Act 2006, which allows the common law duty of confidence to be set aside.
“Opportunities for ground-breaking research, need for identifiable sensitive data, not reasonably practicable to obtain consent for example critical care, sharing across organisational and sectorial boundaries and highly complex data sets and work streams.”
Unlawful data sharing
Here, Michael talked about when data sharing is unlawful.
“When there is a risk of harm or safeguarding concerns;
“When patients object and there is no clear lawful basis to proceed with data sharing;
“When there is excessive processing;
“When 3rd party confidentiality is breached;
“When the Gender Recognition Act 2004 is breached, and when a risk to patients’ rights and fundamental freedoms cannot be appropriately controlled.”
How do we protect boundaries we cannot see?
Michael talked more about the threats we face with the development and ever-increasing use of digital technology, and how we protect ourselves as systems become more open.
“The threat landscape has grown in recent times, as has the rate of digital adoption.”
Common cyber threats
“With the internet of things and APIs, people are not aware of the risks – they need proper management and secure gateways.”
“If access is not controlled and governed by policy, data may not be secured.”
“Sometimes, people are not keeping data encrypted when at rest or in transit.”
“DMARC & SPF settings should be checked to stop phishing attacks.”
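The DMARC and SPF check Michael refers to can be scripted. The following is an added example, not code from IG Smart or from the webinar; it parses the two TXT records and flags the settings that leave a domain open to spoofing (a missing or permissive SPF "all" mechanism, too many DNS-lookup terms, a DMARC policy of p=none or quarantine, no reporting address, partial pct). The domain example.test and its two records are constructed samples; in a real check you would fetch the TXT records for the domain and for _dmarc.<domain> with a DNS resolver such as dnspython's dns.resolver.resolve(name, "TXT").

```python
"""Added example: inspect SPF and DMARC TXT records for weak settings.

The record strings are constructed samples for a hypothetical domain,
not real DNS data.
"""
import re

# Constructed sample records (hypothetical domain, not a real lookup).
SAMPLE_RECORDS = {
    "example.test": "v=spf1 include:_spf.mail.test ip4:203.0.113.0/24 ~all",
    "_dmarc.example.test": "v=DMARC1; p=none; rua=mailto:dmarc@example.test",
}

# Mechanisms and modifiers that cost a DNS lookup (RFC 7208 limits these to 10).
LOOKUP_TERM = re.compile(r"(include|exists):.*|a(:.*)?|mx(:.*)?|ptr(:.*)?|redirect=.*", re.I)


def parse_spf(record: str) -> dict:
    """Split an SPF record into its mechanisms and the qualifier on 'all'."""
    if not record.lower().startswith("v=spf1"):
        raise ValueError("not an SPF record")
    all_qualifier = None
    mechanisms = []
    for term in record.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.I)
        if m:
            all_qualifier = m.group(1) or "+"   # bare 'all' means '+all'
        else:
            mechanisms.append(term.lstrip("+-~?"))
    return {"mechanisms": mechanisms, "all": all_qualifier}


def parse_dmarc(record: str) -> dict:
    """Parse the 'tag=value;' pairs of a DMARC record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess(spf_record, dmarc_record) -> list:
    """Return human-readable findings; an empty list means nothing weak was found."""
    findings = []
    if spf_record is None:
        findings.append("SPF: no record published")
    else:
        spf = parse_spf(spf_record)
        if spf["all"] is None:
            findings.append("SPF: no 'all' mechanism, unlisted senders are permitted")
        elif spf["all"] in ("+", "?"):
            findings.append(f"SPF: '{spf['all']}all' permits any sender")
        elif spf["all"] == "~":
            findings.append("SPF: '~all' only soft-fails forged mail; consider '-all'")
        if sum(1 for t in spf["mechanisms"] if LOOKUP_TERM.fullmatch(t)) > 10:
            findings.append("SPF: more than 10 DNS-lookup terms, evaluation will permerror")
    if dmarc_record is None:
        findings.append("DMARC: no record published")
    else:
        dmarc = parse_dmarc(dmarc_record)
        policy = dmarc.get("p", "none").lower()
        if policy == "none":
            findings.append("DMARC: p=none only monitors; failing mail is still delivered")
        elif policy == "quarantine":
            findings.append("DMARC: p=quarantine; move to p=reject once reports are clean")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua address, aggregate reports will not be received")
        pct = dmarc.get("pct")
        if pct is not None and pct != "100":
            findings.append(f"DMARC: pct={pct}, policy applied to only part of the mail")
    return findings


def check_domain(domain: str, records: dict = SAMPLE_RECORDS) -> list:
    """Look up both records in the given table (a real check would query DNS)."""
    return assess(records.get(domain), records.get(f"_dmarc.{domain}"))


if __name__ == "__main__":
    for finding in check_domain("example.test"):
        print(finding)
```

Run against the sample records it reports two findings: the SPF record ends in "~all", so forged mail is only soft-failed, and the DMARC policy is p=none, so receivers still deliver mail that fails authentication. Both are common in domains that "have DMARC" but are still spoofable.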
Appropriate controls:
Clear and consistent communications
Here, Michael talked about the need for clear communication at all times in order for data sharing to be kept lawful.
“Lawful data sharing requires all forms of sharing to have clear communications whatever the basis.”
“Engage with patients at their level – make it accessible, target to your cohort of patients, they need to understand what you are doing with their information.”
“Be clear about risks as well as rewards.”
“Keep it nice and simple – seek advice from inception.”