Adam Bernstein BSc (Hons) writes:
Data protection law has been with us for some time and was last updated nearly 20 years ago. However, over the last few years Europe has become more aware of a need for an update to the legal position and, finally, in May 2016, it adopted the General Data Protection Regulation[1] (GDPR).
As a piece of legislation, the GDPR represents the biggest shake-up in data protection law for years. Interestingly, and surprisingly for some considering the vote in June 2016, this European regulation will come into effect on 25 May 2018 and will be directly effective within the UK. Nothing, not even Brexit, will save a practice from having to comply.
Data protection is naturally a serious issue for those in the medical professions. In terms of optometry, the General Optical Council (GOC), in its Standards of Practice for Optometrists and Dispensing Opticians[2], makes clear reference to the need for maintaining patients’ confidentiality and respecting their privacy. With vast amounts of personal data, some of it relating to children, practices clearly need to recognise that the GDPR is heading their way and that they have just months to understand the rules and make the necessary changes.
The GDPR replaces the current Data Protection Act 1998[3] (DPA) and it builds on and upgrades its requirements; it imposes much stricter obligations on businesses and organisations alike and brings in a whole new set of legal requirements relating to the protection of personal information – with sky-high fines for non-compliance.
In simple terms, the main drivers behind the GDPR were: the need to bring data protection law up to speed with technological advances and current usage, which had outstripped the limits of the current legislation; to rebalance the relationship between individuals and those using their details, returning power and control to those individuals; and to deliver a more harmonised approach to data protection requirements across the EU member states.
As noted, the GDPR will come into force on 25 May 2018, 10 months prior to the UK’s planned exit from the EU. The Information Commissioner’s Office[4] (ICO) has made it clear that the UK should continue to prepare for the GDPR and the government has also confirmed that the GDPR will continue to apply.
Following any departure from the EU, some limited changes may be made to the GDPR as it is adopted into UK law, but it is unlikely that any significant changes will be made. Even so, practices should not expect the GDPR requirements to be watered down in the UK, nor that the ICO will overlook breaches of those obligations. Those wanting to steal a march can see the government’s line of thinking in the Data Protection Bill[5] that it intends to introduce into parliament.
While more likely to affect optical manufacturers than practices within the UK, it’s still worth noting that those businesses outside the EU may have to comply with the GDPR if they are monitoring the behaviour of individuals in the EU, or targeting sales of goods and services at them.
Being outside of Europe introduces more data protection problems for British businesses and organisations. Brexit means that the UK may no longer automatically be recognised as being a ‘safe place for personal data’, meaning that additional steps – such as using an EU-approved model clause data transfer agreement – may need to be taken to ensure flows of personal data from the EEA to the UK are lawful and can continue to be made. This may be an issue where, for example, products are made to order for UK customers by European manufacturers with personal data attached to the order.
A new penalties regime
A key change brought in by the GDPR is a much tougher line on enforcement. Regulators across the EU will have the ability to fine businesses in breach of the regulation up to the higher of €20m (£18.2m at the time of writing) or four per cent of annual global turnover, which may be calculated on group-level turnover. This is a radical step up from the maximum £500,000 that the ICO can levy at present.
Considering the incoming penalty regime, it is interesting to contemplate how past instances of Data Protection Act breaches by the medical profession would have been treated had the GDPR been in force. Take, for example, the warning given to Optical Express (Westfield) Limited[6] by the ICO in January 2015 after 4,600 individuals registered concerns about the company in just seven months. They reported unsolicited messages to the mobile phone networks’ Spam Reporting Service, indicating they had not given permission for the company to use their details for marketing.
In October 2015, Pharmacy2U Ltd[7] sold details of more than 20,000 customers to marketing companies and was subsequently fined £130,000 by the ICO. Pharmacy2U had offered the customer names and addresses for sale through an online marketing list company. And in February 2017, the ICO fined a private health company, HCA International Ltd[8], £200,000 for failing to keep fertility patients’ personal information secure.
The new fines regime is understandably designed to reinforce the importance of the new obligations on those holding and processing data. They will need to be aware that the GDPR concerns itself with matters such as the provision of privacy notices to individuals and the clauses to be included in agreements with service providers.
In addition, there are many new obligations which will be unfamiliar in the UK, including use of mandatory data protection officers and legal obligations to report security breaches. There are many material changes to data protection law.
Data controllers and data processors
Presently under the DPA, obligations fall on a data controller – here, the business or organisation deciding what personal data to collect and what to use it for – say a practice collecting patient data. It does not affect service providers (a data processor) when handling personal data on behalf of their clients, say the business running the payroll on behalf of the practice.
GDPR changes this approach entirely and imposes certain new legal obligations directly on data processors. It also exposes data processors to enforcement action from regulators like the ICO, including the possibility of fines, and exposes them to the risk of individual compensation claims from affected individuals.
Data controllers, ie. practices, must vet data processors to ensure they are capable of meeting the requirements of the GDPR, particularly in relation to security. It will be important for them to know who is being contracted with, any proposed sub-contracting and where providers and sub-contractors are based and will provide their services from.
Practice contracts with data processors must contain a detailed list of provisions to comply with the GDPR. These obligations are not limited to data security but also include co-operation to facilitate individuals (staff or patients) exercising their GDPR rights and also undergoing audits. The mandatory contract terms also need to be passed down in their entirety to sub-contractors. It will be challenging for practices to comply, for example, with the GDPR when dealing with cloud providers who hold practice data offsite.
Current contracts that continue beyond May 2018 must be reviewed and upgraded to ensure compliance with the new requirements, and all new contracts should take account of the GDPR’s requirements, including the mandatory obligation to ensure privacy by design and by default.
Mandatory security breach notification
The GDPR creates a new legal requirement for the mandatory reporting of any personal data security breaches if there is any risk to the rights and freedoms of individuals whose personal information is involved in the breach (such as employees or patients).
A security breach is where there is unauthorised or unlawful access to, or loss of (including deletion), personal information. This could be down to something as simple as accidentally typing in the wrong email address and so sending out patient reminders to the wrong addressee, losing a laptop containing personal data, or criminal theft of data following a hack.
Indeed, criminal access to data will not absolve a practice from the risk of penalty. Back in June 2017, the ICO issued a £60,000 fine to Boomerang Video Ltd[9] after it suffered a cyber-attack. The fine followed an investigation by the ICO, which found that the Berkshire-based company had failed to take basic steps to stop its website being attacked.
Notification to the ICO (or the relevant supervisory authority, dependent on the details of the breach) must be made within 72 hours of becoming aware of the breach. Importantly, if the breach comes to attention on a Friday afternoon, that means working through the weekend to be able to comply. It is absolutely vital that practices have the necessary security measures in place, procedures to spot a security breach, and the correct staff training.
Currently, based on records on the ICO website, security breaches present the biggest risk area for fines and enforcement action. It is important for practices to have clear policies and procedures in place to help quickly assess the situation and report when necessary.
Fair notice requirements
Individuals will be accustomed to being told that their details are being used and which details are being kept and why; but they are unlikely to have been provided with much more detail. Under the GDPR, prescriptive details are mandatory. Not only must practices explain why they use the personal details but also the legal basis for such use – say to keep a medical history up-to-date, or to comply with legal obligations to report on staff payments to HMRC.
It’s important to know and explain whether the personal details will be transferred outside the EEA and on what legal basis (if, for example, payroll processing is carried out overseas or if a US-based cloud provider is being used to hold patient records). The recipients, or categories of recipients, with whom the practice may share the personal data must be noted. The retention period during which details will be kept, or the criteria for determining that period, must also be explained to individuals.
In addition, practices need to spell out the various individual rights which apply under the GDPR and explain how those rights can be exercised – as well as providing information about the right to lodge a complaint with the supervisory authority (here, the ICO). This means that practices need to be clear on what they collect, why it is collected, what is done with that information, including who it is shared with, where it is sent and how long it is kept for.
Under the DPA, use of personal data requires businesses to meet at least one lawful ground to do so. In the past, they have often relied upon consent. The GDPR continues that requirement for a lawful basis of use but makes it more important, as the legal basis selected must be explained to individuals. In addition, reliance on consent, especially in a patient context – even more so where children are involved – becomes far more challenging.
In essence, under the GDPR consent cannot be implied. Consent is now something that comes with a warning label and should be avoided where possible. Individuals can withdraw their consent at any time (and also have enhanced rights under the GDPR when consent has been given and is being relied upon). Any consent given must be clear, unambiguous, freely given and informed. Consent also cannot be bundled with other matters (ie. within an employment contract or a monthly contact lens contract) and records of consent must be kept. It is therefore key to look to other lawful grounds for processing personal data such as, for example, where the processing is necessary to look after a patient.
An area of concern for all is that draft guidance from at least one of the supervisory authorities regulating this area, including the ICO[10], has said that if consent obtained prior to the GDPR does not meet the requirements of the GDPR, it cannot be relied upon after 25 May 2018. Practices, in other words, need to revisit their past documentation.
It has taken 20 years for businesses and organisations to get used to the DPA. Adjusting to the GDPR will not be an immediate single project but a long-term programme of awareness and change. While there may be some who consider the GDPR relatively unimportant compared to running their practice, as they will find, should there be a breach or complaint, the authorities will have some particularly potent penalties with which to punish non-compliance.
Liz Fitzsimons, a partner in the privacy, cyber and information team at Eversheds Sutherland (International) LLP, says that: “The GDPR will have a significant impact within the UK, so practices should make sure the key individuals and stakeholders within their business are aware of the GDPR and its implications”.
Liz considers that the start of the GDPR journey for each practice should involve taking stock of their data position. “Practices should seriously look at what personal information is held, why it is held and whether or not there are still lawful reasons to retain and use it. Many businesses are currently completing audits to help them assess what they have, what they really need and what they should no longer hold.”
From this position, explains Liz, the process can be assessed to allow decisions to be made on what basis relevant details “can be lawfully used and how long the details can be retained for.” The point she makes here is that decisions on those issues will help with any review and amendment of privacy notices and policies that are issued to individuals. “In parallel, privacy information should be separated from contract terms wherever possible and if consent is still to be requested, a suitable GDPR form of consent must be prepared and obtained.”
Her advice also extends to examining contracts with third party suppliers and service providers. “These should be reviewed to see if they extend beyond May 2018. It is unlikely that these contracts are GDPR compliant, so their terms need to be adjusted and a new contract template prepared for new terms being negotiated.”
Lastly, Liz advises practices to check the procedures that are in place for any security breach handling and reporting. “It may be that there are none or that the process needs revising. Even so, it is vital that the correct measures are in place and staff are aware of how to recognise a security breach and who to inform.”
The ICO has published a nine-page document, Preparing for the General Data Protection Regulation: 12 steps to take now[11], which offers guidance to those needing to comply with the GDPR. While it takes a broad-brush approach to the subject, it is useful in that it provides a structure for considering the position of data protection within a practice. It covers matters such as information held, communicating privacy information, individuals’ rights, subject access rights, processing data, consent, children, handling data breaches, and the need to appoint data protection officers.
A data protection self-assessment toolkit[12] is also available from the ICO. Even with the guidance from the ICO, practices should still consider what help and outside advice they need and seek it accordingly.
Adam Bernstein is a freelance business writer and writer’s agent based in Oxfordshire. He holds a degree in government, politics and modern history and has 30 years’ experience in running a small business that serves the business-to-business magazine sector.