Do you know how to protect data?

Private healthcare organisations need to understand their data protection obligations and protect patients’ personal information. Rachel Clarke, of the Information Commissioner’s Office (ICO), shares practical advice.

To provide vital services, all health organisations must process personal information. This can be anything from someone’s contact details to their medical records. 

Anyone who processes personal information has a responsibility to protect it under data protection law. This includes keeping it secure, ensuring it is accurate and being transparent with people about how you plan to use it.  

The health sector routinely handles sensitive information about the most intimate aspects of someone’s health, which is provided in confidence to trusted practitioners. 

When accessing healthcare and other services, people need to trust that their medical information is in safe hands, only available to authorised staff and only used for a specified purpose. 

As the UK’s data protection regulator, we want to remind private practitioners of the importance of prioritising data protection and ensuring all patients receive the privacy they are entitled to. 

This is especially important in the wake of the recent data breach at the London Clinic where medical records were allegedly accessed unlawfully.  

Our own data shows that over 1,500 incidents are reported by the health sector each year, ranging from cyber-attacks to human errors such as emailing personal information to the wrong person. 

By highlighting new guidance and practical steps below, we want to support all organisations, including private doctors, clinics and hospitals, to handle personal information responsibly and lawfully. 

Keeping patient data secure

Prioritising basic steps, such as staff training, double-checking records and restricting access, can help to prevent personal data breaches before they happen, reducing the risk of harm for patients.

Healthcare organisations should ensure the following:

Staff are thoroughly trained 

Organisations should ensure that all staff are properly trained so that they are aware of their organisation’s data protection obligations. 

Any data protection training should be role-specific, tailored and relevant to the tasks being completed. 

All staff should feel confident in handling people’s personal information safely and securely. It must be clear to staff about what records they are allowed to

Appropriate technical measures are in place 

Appropriate security measures, such as passwords, multi-factor authentication and access controls, should be in place to ensure personal information can be seen only by people who need to use it.

Any data sharing is compliant 

There are situations where it may be necessary to share personal information about patients with third parties and you should have an appropriate system in place. 

Our data-sharing code of practice provides guidance, alongside practical tools, to help organisations be confident they can share data within the law. It guides practitioners through the practical steps they need to take to share data while protecting people’s privacy. 

Staff are clear on the data breach reporting process 

An organisation must report misuse of personal data to the ICO if there is a risk to people’s rights and freedoms, which is often the case with sensitive medical information. 

This must be reported within 72 hours of becoming aware of the breach. If your organisation suffers a data breach because of a cyber-attack, you should report this to the ICO within 72 hours of becoming aware of it. The sooner you contact us with detailed information the better. 

Accessing someone’s medical records without cause or consent can be a criminal offence. Working in private healthcare, your role may grant you access to other people’s personal information, but this does not mean you have the legal right to look at it for your own purposes. 

If we find evidence that medical records were accessed illegally by a member of staff, we can take action which includes prosecuting the person responsible in court.

For example, last year the ICO fined a medical secretary who accessed over 150 people’s records without a business reason to do so. We also fined a former 111 call centre adviser for illegally accessing the medical records of a child and his family.

Be transparent with people about their personal information 

Under data protection law, people also have a right to know what is happening to their personal information. Patients must be informed about what information about them is being collected and understand the purposes for which this might be used. 

Being transparent is essential to building public trust in health services. If people understand how and why their personal information is being used, they are likely to feel empowered to share their health information to both access your services and support other important initiatives such as medical research.  

We have recently published new guidance to help health organisations ensure they are being transparent with people about how their personal information is being used.

With this bespoke guidance, we want to improve their understanding of effective transparency, ensuring that they are clear, open and honest with everyone whose personal information is being used. 


Rachel Clarke is senior policy officer at the Information Commissioner’s Office (ICO)