Is the cloud a problem?
Business Dilemmas
Storing information on a data cloud? Dr Sally Old advises on what independent practitioners need to consider.
Dilemma 1
Can I put patient data on ‘cloud’?
Q: I am a consultant gynaecologist and am thinking of updating my IT systems so that, moving forwards, patient data will be stored on a data cloud system. What issues do I need to consider when using cloud computing services?
A: A data cloud or a cloud computing service enables data to be stored on a virtual, off-site server run by a third party.
One of the main benefits of this is that you and your team can, providing there is a legitimate reason to do so, access the data from any computer with an internet connection.
However, the Information Commissioner’s Office’s (ICO’s) guidance on cloud computing advises that anyone planning to use cloud computing to store patient data should consider whether the ‘processing of certain types of personal data could have a greater impact on individuals’ privacy’.
Before using the cloud as a data storage method, the ICO recommends considering the following points:
- Will data be encrypted when in transit?
- What are the deletion and retention time-scales, and will the data be deleted securely if you withdraw from the cloud?
- What audit trails are in place so you can monitor who is accessing the data?
- In which countries does the provider process data? The UK General Data Protection Regulation restricts the transfer of personal data outside the UK.
- Will there be a digital contract in place that includes confidentiality clauses?
Data controllers also need to review all personal data that they process and decide whether there is any data that shouldn’t be put in the cloud. This might be the case if specific assurances were given when the data was collected.
Even though you are a private practitioner, it is worth adhering to the same levels of security as those implemented by the NHS. In England, NHS Digital’s good practice guide to cloud security suggests a four-step process to using cloud services:
- Understand the data you’re dealing with;
- Assess the associated risks with the data;
- Implement appropriate controls;
- Monitor the implementation and ongoing risks.
The Scottish Government has produced public-sector cloud computing guidance, which contains advice on security considerations and suggested risk assessment considerations and questions.
The NHS Wales Shared Services Partnership has also published guidance on cloud-based platforms, including specialist advice on cyber security.
There is currently no guidance on using cloud-based platforms in Northern Ireland, but the ICO retains oversight.
If you do decide to use a cloud computing service, it is vital that you take appropriate steps to inform your patients of the arrangements and to be as open and transparent as possible.
Data protection law requires that personal data should only be handled in ways people would reasonably expect.
It’s unlikely patients would expect their sensitive medical information to be held in an off-site storage facility not under the direct control of their doctor.
Consequently, it’s advisable to seek patient consent if you or your organisation is storing patients’ personal data in this way, making them aware of any risks involved and, as far as possible, in which countries the data will be stored.
Dr Sally Old is a medico-legal adviser with the Medical Defence Union (MDU)
Is it right for me to sign this LPA?
A consultant seeks guidance after being asked to be a certificate provider for Lasting Power of Attorney. Dr Kathryn Leask gives her response.
Dilemma 2
Should I sign LPA certificate?
Q: I am a private cardiologist and have been asked by one of my patient’s daughters to be a certificate provider for a Lasting Power of Attorney (LPA) for health and welfare.
The patient has been under my care for some time and has now been admitted very unwell. I am aware that they were discussing setting up an LPA, but they hadn’t got round to completing all the forms.
The patient had signed the form and this has been witnessed by a neighbour. The daughter has assured me that her mother wanted her to be an attorney, as evidenced from the forms, and has asked me to be a certificate provider.
I understand that this carries more responsibility than simply witnessing the signatures. Would it be appropriate for me to do this?
A: The certificate provider is an independent person whose role it is to confirm or certify that the donor, in this case the patient, is making the LPA of their own free will and without any pressure from anyone else.
To do this, the certificate provider must discuss the LPA with the donor to ensure that they understand the implications of it and that they have the mental capacity to make this decision.
This should involve talking to the donor in private, away from the attorney(s). The certificate is not valid if an attorney is present during the discussion.
The certificate provider role provides one of the main safeguards in the LPA process. If anyone were to object to the LPA when it is being registered, the certificate provider may need to justify their decision-making and explain the reasons why they felt the donor had the capacity to create the LPA.
This could be some time in the future, so it can be helpful to make a record of the reasons for your decisions.
In this case, you are not able to speak privately with the donor, and you cannot, therefore, fulfil your role as a certificate provider.
If the patient recovers sufficiently for you to be satisfied that she has capacity to create the LPA, you could have a private discussion with her then.
Dr Kathryn Leask is a medico-legal adviser at the Medical Defence Union