As a business operating in the healthcare sector, you’re subject to a huge number of regulatory obligations. Wading through the legislation can be an onerous task, especially when providing exceptional patient care is what truly drives and motivates you.
Nevertheless, data protection legislation is a fact of life for almost all organisations, with regulation in place to define the rights of the data subject and ultimately protect the interests of us all as individuals. In this short blog series we want to help you focus in on the most pertinent legislative articles, and offer advice as to how the legislated obligations can be satisfied using both procedural and technical methods.
Let’s look in greater depth at the UK’s Health and Social Care Act 2008, with a view to exploring the implications for your data processing structures and your IT system.
Delving Deeper: Health and Social Care Act 2008
In our previous article we discussed the interplay between your obligations as a healthcare provider under the Health and Social Care Act 2008, and your broader obligations as a data handler under the scope of the GDPR and the Data Protection Act 2018. In this article we intend to focus solely on the former, paying particular attention to Regulation 17 of the Health and Social Care Act and the implications of its constituent clauses on your data handling processes and the underlying IT on which these processes rest.
Regulation 17 (1)
Regulation 17 features clauses pertaining to the nature of data you are compelled to collect, process and store; the means by which that data is stored, utilized and accessed; and the persons permitted to handle it.
Your IT systems can play a crucial role in facilitating your compliance with Regulation 17, in addition to their obvious function as a data storage vessel and handling mechanism. Using automation technologies in the compliance monitoring process, you could help ensure deadlines are met and accountability/responsibility is upheld in respect of these regulations. Automation can also be helpful at minimising human error: a bonus for both your business and the patients you serve.
17.2.A
Key points:
This clause stresses that service improvements, monitoring and assessment capabilities should be facilitated by the systems and processes being implemented. ‘Assess’ and ‘monitor’ implicitly refer to the collection and review of service user experience data required to drive improvements.
What does this mean for data and IT?
To review and evaluate the experience of service users you will have to gather data from patients, store this data and then perform analyses. This requires consideration of the collection methods – perhaps manually or digitally – and giving thought to how that data should be treated after collection. Think about whether the data you collect contains ‘personally identifiable’ characteristics, in which case it should be processed and held in accordance with the relevant data protection legislation.
What does ‘personally identifiable’ mean?
Personally identifiable information is any data set containing items that enable it to be linked to an individual. Such items may include a name, national insurance number, address or contact phone number. Often one such item may not be sufficient to create an unequivocal link to an individual, but a combination of several items grouped together could be enough to identify someone.
17.2.C
Key points:
This clause stresses that systems and processes must enable the maintenance of comprehensive patient records with respect to treatment and care provision, and decisions relating to that treatment and care.
What does this mean for data and IT?
Processing and storing data of this nature will need to be in full compliance with GDPR and the Data Protection Act, as such data sets would certainly contain ‘personally identifiable’ details. Additionally, particular data items required by these records would likely fall into the category of ‘special category data,’ and thus be subject to more stringent controls.
What is ‘special category data’?
The term ‘special category data’ defines items of information of a private, personal or intimate nature, which few individuals beyond the data subject are likely to be privy to. Collecting and processing such data can be done lawfully using ‘provision of healthcare’ as justification, provided the data being processed is relevant to the supported task and is only kept for as long as is necessary. The Data Protection Act (DPA) specifies additional controls for specific types of special category data, including the presence of supporting documentation setting out the justification for processing in some instances.
17.2.D
Key Points:
This clause stresses that systems and processes must permit record-keeping for individuals employed to carry out healthcare services, whether directly by your company or on its behalf (as a contractor). Records pertaining to management should also be kept. At least some of this data is likely to be highly sensitive in nature.
What does this mean for data and IT?
All personally identifiable data – whether pertaining to staff, patients or third-party personnel – is subject to the same regulatory controls as outlined in the GDPR. Information pertaining to management structures/activities within your organisation may not fall under the regulatory scope of legislation (assuming no personally identifiable information or direct quotes are present) but may be considered confidential in nature. Such data should be safeguarded using access controls, with only select privileged users permitted to view these files.
17.2.E
Key Points:
Systems and processes must permit the gathering and assessment of feedback in order to facilitate continual service improvements.
What does this mean for data and IT?
Inherent in the process of collecting and analysing end user (or staff) feedback data is the possibility of creating further sets of sensitive data, or of duplicating personally identifiable information of the individuals who have submitted the feedback. In order to operate in accordance with the GDPR you must provide legitimate grounds for the processing of the data in question, or remove identifiable characteristics in order to make feedback subjects anonymous – this will reduce your regulatory burden with respect to this data set.
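The anonymisation step described above, and the earlier point that a combination of ordinary items (postcode, date of birth, clinic) can still single someone out, as an added worked example that is not part of the original article: direct identifiers are dropped, quasi-identifiers are generalised, and any combination that is still unique is suppressed before the feedback is analysed. All records, field names and the cut-off date are constructed for illustration.

```python
from collections import Counter
from datetime import date

# Constructed sample feedback records (not real patients or real postcodes).
SAMPLE_FEEDBACK = [
    {"name": "A. Example", "postcode": "EX1 2AB", "dob": "1985-06-15", "clinic": "Physio", "rating": 4},
    {"name": "B. Example", "postcode": "EX1 9ZZ", "dob": "1988-11-30", "clinic": "Physio", "rating": 5},
    {"name": "C. Example", "postcode": "PL4 6AA", "dob": "1950-03-03", "clinic": "Dental", "rating": 3},
    {"name": "D. Example", "postcode": "PL4 1BB", "dob": "1951-08-08", "clinic": "Dental", "rating": 4},
    {"name": "E. Example", "postcode": "TR1 3XY", "dob": "1999-01-01", "clinic": "Physio", "rating": 2},
]

DIRECT_IDENTIFIERS = {"name", "email", "phone"}       # dropped outright
QUASI_IDENTIFIERS = ("area", "age_band", "clinic")    # kept, but only in generalised form

def age_band(dob: str, today: date = date(2024, 1, 1)) -> str:
    """Collapse a YYYY-MM-DD date of birth into a ten-year band such as '30-39'."""
    born = date.fromisoformat(dob)
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    low = age // 10 * 10
    return f"{low}-{low + 9}"

def outward_code(postcode: str) -> str:
    """Keep only the outward part of a UK postcode ('EX1 2AB' -> 'EX1')."""
    return postcode.strip().upper().split()[0]

def anonymise(record: dict) -> dict:
    """Drop direct identifiers and replace exact postcode and DOB with generalised values."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["area"] = outward_code(out.pop("postcode"))
    out["age_band"] = age_band(out.pop("dob"))
    return out

def k_anonymity(records: list) -> int:
    """Size of the smallest group sharing identical quasi-identifier values (0 if empty)."""
    groups = Counter(tuple(r[q] for q in QUASI_IDENTIFIERS) for r in records)
    return min(groups.values()) if groups else 0

def suppress_rare(records: list, k: int = 2) -> list:
    """Remove records whose quasi-identifier combination appears fewer than k times."""
    groups = Counter(tuple(r[q] for q in QUASI_IDENTIFIERS) for r in records)
    return [r for r in records if groups[tuple(r[q] for q in QUASI_IDENTIFIERS)] >= k]

def prepare_for_analysis(records: list, k: int = 2) -> list:
    """Full pipeline: anonymise every record, then suppress any still-unique combination."""
    return suppress_rare([anonymise(r) for r in records], k)
```

In the constructed sample the fifth respondent remains unique even after generalisation, so the pipeline drops that record rather than release it; ratings and free-text comments should be reviewed the same way, since a comment can itself identify its author.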
17.2.F
Key Points:
The systems and processes should enable the data processing activities cited in the previous clauses to be evaluated and improved.
What does this mean for data and IT?
In the context of the GDPR the term ‘processing’ is understood to refer to a number of individual activities, including data collection, storage, alterations, accessing, handling and deletion. It is essential to keep comprehensive records of the processes by which you ensure all data is processed in line with the GDPR and the 2018 DPA. Include details of the steps undertaken to ensure a lawful basis for processing, and give details of the data types stored, their respective storage locations, who has access to each, the mechanisms by which access is managed and the measures taken to secure the data held.
17.3
Key Points:
Upon receiving a request from the CQC, you have 28 days to submit a report detailing your compliance with the provisions of paragraph (2)(a) and (b), plus an account of any plans you have to improve the patient experience.
What does this mean for data and IT?
From a technical perspective, you must be able to demonstrate how you carry out your duties with respect to securely storing and evaluating the processing of healthcare records containing personally identifiable information and data of an even more sensitive nature. You should gain an understanding of data processing documentation activities required by 17.2.F, whereby you record the why, what, where and how of your data handling structures.
Why choose JMV Solutions?
Since 2012, JMV Solutions has provided IT support for a wide range of small and medium-sized businesses throughout Devon and Cornwall. Our company is formed of a personable, friendly team of IT and security experts who have your best interests at heart. We protect your business and your valuable data, and help sustain your compliance requirements against a rapidly growing cyber threat. Contact us today to learn more.