osborneclarke.com
Private & Confidential

Challenges
The NHS is facing:
1. Huge increase in volumes of sensitive data
2. Public perception issues
3. Fines and enforcement action
4. Political and public pressure to improve data handling
A paperless NHS will bring new challenges in these areas.
Snapshot of recent health sector audit
19 audits carried out primarily with NHS Trusts by the ICO during 2013:
• Passwords: lack of simple password controls
• Policies: in place, but compliance not always effectively monitored
• Record tracking:
- Records tracked, but not all conduct audits for missing files
- Concerns regarding security of physical records
• Fax machines: concern regarding use of fax machines for sending personal information
• Information governance:
- Appropriate risk registers
- Risk assessments
- Regular review
Impact on suppliers
• Demonstrating compliance is key
• The Data Protection Act 1998 says:
"Appropriate technical and organisational measures must be taken against unauthorised or
unlawful processing of personal data and against accidental loss, destruction or damage"
• Competitive advantage for suppliers with a focussed approach to data protection using:
- Data retention practices
- Good management of data storage and destruction
- Careful and well managed use of sub-contractors
- Robust security measures
- Staff reliability processes
- Barriers to overseas data transfers
- Regular audits and disaster recovery
Improving compliance and mitigating risk
1. Assign responsibility to a DPO
2. Implement a training programme
3. Review and update policies
4. Review approach to hiring sub-contractors
5. Use of encryption
6. Security breach notification
7. Insurance
Non-compliance – the "so what?" question
It's not only about the fines and contract breaches
1. Negative impact on share value
2. Negative impact on current and future customers (private and public sector)
3. Breach of contract (liability)
4. Diversion of time and resources
5. Staff trust
Opportunities
Big data:
• Commercial use and benefits vs. concerns about identification
Anonymisation:
• Concern about "true anonymisation"
Mobile health/agile working:
• Drives efficiencies
• Security and monitoring issues
Tracking access to records:
• Improvements to audits
Potential future data protection obligations

Data protection obligations (current):
• Knowledge/consent
• Restrictions on transfers outside the EEA
• Keep data accurate and up-to-date
• Retain data for an appropriate period
• Respond to data subject requests
• Annual notification obligation
• Get opt-in / opt-out consent for email / SMS marketing
• Screen against TPS/FPS "do not call" lists
• Get opt-in consent to use cookies
• Data must be relevant and not excessive
• Notify ICO of security breaches (not yet compulsory for all)

Potential future obligations:
• DPO requirement
• Enhanced data subject rights:
- right to be forgotten
- data portability
• 24 / 72 hours to notify data / cyber breaches
• Fines to increase (>2% worldwide turnover or €1m)
• Expanded definition of personal data
• Data processor responsibility
• Higher level of consent required
• Increased use of Privacy Impact Assessments (PIAs) and emphasis on accountability
• Processor BCRs
• Annual notification scrapped