Transparency in Health and Social Care: New ICO Guidance 

Within the health and social care sector, new technologies that use large amounts of personal data are being used to support both direct care and secondary purposes, such as planning and research. An example is the use of AI to provide automated diagnoses based on medical imaging data from patients.

Transparency is a key principle of UK Data Protection legislation. Compliance with the first data protection principle and Articles 13 and 14 of the UK GDPR ensures that data subjects are aware of how their personal data is used, allowing them to make informed choices about who they disclose their data to and how to exercise their data rights.

On Monday the Information Commissioner’s Office (ICO) published new guidance to assist health and social care organisations to comply with their transparency obligations under the UK GDPR. It supplements existing ICO guidance on the principle of transparency and the right to be informed.

The guidance is aimed at all organisations, including from the private and third sector, who deliver health and social care services or process health and social care information. This includes local authorities, suppliers to the health and social care sector, universities using health information for research purposes and others (e.g. fire service, police and education) that use health information for their own purposes. The guidance will help them to understand the definition of transparency and assess appropriate levels of transparency, as well as providing practical steps to developing effective transparency information. 

This and other data protection developments will be discussed by Robert Bateman in our forthcoming GDPR Update workshop. We have also just launched our new workshop, Understanding GDPR Accountability and Conducting Data Protection Audits.   

ICO Reprimand for NHS Patient Data Breach

In a concerning revelation of data security lapses, NHS Fife has been formally reprimanded by the Information Commissioner’s Office (ICO) following an incident where an unauthorised individual accessed sensitive patient information. The breach occurred in a hospital ward and highlights key learnings for all organisations regarding security protocols for personal data.

Incident Overview

The case came to light after the ICO discovered that the personal information of 14 patients was compromised. The incident, which took place in February 2023, involved an individual who was able to access secure documents and participate in administering care to a patient, highlighting a lack of identity verification checks at the hospital.

ICO Investigation Findings

The ICO’s investigation unveiled several deficiencies in NHS Fife’s approach to data protection. Notably, staff training on safeguarding personal information was found to be inadequate. The ICO found training rates across the hospital were at only 42% although on the ward it was at 82%. This low rate was attributed to the Covid-19 Pandemic and a three-year training cycle. Additionally, the ICO pointed out that the hospital’s CCTV system had been mistakenly turned off by a staff member before the incident as part of wider energy-saving measures being implemented across the hospital. Although this would not have prevented the incident, it further complicated the recovery of the missing documents as the individual was not able to be identified.

Natasha Longson, ICO Head of Investigations, stressed the importance of stringent data security in healthcare. “Patient data is highly sensitive and needs the highest level of security. Trust in data security is pivotal when accessing healthcare services,” she remarked. 

Echoes of NHS Lanarkshire Incident

This is not the first instance of such a breach within the NHS system. Months earlier, NHS Lanarkshire faced a similar reprimand for unauthorised staff use of WhatsApp to share patient data over the course of two years, leading to data access by a non-staff member.

In the Lanarkshire incident, between April 2020 and April 2022, 26 staff at NHS Lanarkshire had access to a WhatsApp group where patient data was entered on more than 500 occasions, including names, phone numbers and addresses. Images, videos and screenshots, which included clinical information, were also shared. While it was made available for communicating basic information only at the start of the pandemic, WhatsApp was not approved by NHS Lanarkshire for processing patient data and was adopted by these staff without the organisation’s knowledge. A non-staff member was also added to the WhatsApp group in error, resulting in the inappropriate disclosure of personal information to an unauthorised individual. Additionally, it is worth bearing in mind that public sector organisations face the added risk of WhatsApp communications being disclosed in court proceedings after the High Court ruling in July of this year. The consequences of that ruling are currently being played out for us now.

Corrective Measures and Recommendations

In response to this incident, NHS Fife has introduced new procedures, including stringent sign-in and out systems for documents containing patient data and updated ID verification processes. The ICO has also recommended that NHS Fife enhance its data protection strategies by conducting more frequent training for staff and providing clear written security guidelines as well as updating policies and procedures whilst clearly highlighting archived policies. The ICO also requested to be updated on these measures in a six-month follow up. 

Organisations can use these findings to ensure that all the recommendations mentioned above are being implemented within their organisations. The ICO added:

“Every healthcare organisation should look at this case as a lesson learned and consider their own policies when it comes to security checks and authorised access. We are pleased to see that NHS Fife has introduced new measures to prevent similar incidents from occurring in the future.”

Learn more about data breaches with our UK GDPR Practitioner Certificate. Dive into the issues discussed in this blog and secure your spot before spaces run out.

The NHS-Palantir Deal: A Pandora’s Box for Patient Privacy? 

The National Health Service (NHS) of England’s recent move to sign a £330 million deal with Palantir Technologies Inc. has set off alarm bells in the realm of patient privacy and data protection. Palantir, a data analytics company with roots in the U.S. intelligence and military sectors, is now at the helm of creating a mammoth NHS data platform. This raises critical questions: Is patient privacy the price of progress? 

The Controversial Contractor 

Palantir’s pedigree of working closely with entities like the CIA and its contribution to the UK Ministry of Defence has painted a target on the back of the NHS’s decision. This association, coupled with its founder’s contentious remarks about the NHS, casts a long shadow over the appointment. Critics highlight Palantir’s controversial history, notably its involvement in supporting the US immigration enforcement’s stringent policies under the Trump administration. The ethical ramifications of such affiliations are profound, given the sensitive nature of health data. Accenture, PwC, NECS and Carnall Farrar will all support Palantir, NHS England said on Tuesday. 

Data Security vs. Data Exploitation 

NHS England assures that the new “federated data platform” (FDP) will be a secure, privacy-enhancing technology that will revolutionise care delivery. The promise is a streamlined, efficient service with live data at clinicians’ fingertips. However, the concern of the potential for data exploitation looms large. Can a firm, with a not-so-distant history of aiding in surveillance, be trusted with the most intimate details of our lives—our health records? 

The Right to Opt-Out: A Right Denied? 

The debate intensifies around the right—or the apparent lack thereof—for patients to opt out of this data sharing. With the NHS stating that all data will be anonymised and used solely for “direct patient care,” they argue that an opt-out is not necessary. Yet, this has not quelled the concerns of privacy advocates and civil liberty groups who foresee a slippery slope towards a panopticon oversight of personal health information. 

Skepticism is further fuelled by the NHS’s troubled history with data projects, where previous attempts to centralise patient data have collapsed under public opposition. The fear that history might repeat itself is palpable, and the NHS’s ability to sway public opinion in favour of the platform remains a significant hurdle. 

Conclusion 

As we venture further into an age where data is king, the NHS-Palantir partnership is a litmus test for the delicate balance between innovation and privacy. The NHS’s venture is indeed ambitious, but it must not be deaf to the cacophony of concerns surrounding patient privacy. Transparency, robust data governance, and the right to opt out must not be side-lined in the pursuit of technological advancement. After all, when it comes to our personal health data, should we not have the final say in who holds the keys to our digital lives? 

Take a look at our highly popular Data Ethics Course. Places fill up fast so if you would like learn more in this fascinating area, book your place now. 

The Coronavirus and Information Sharing: What are “vital interests” under GDPR?


During the current coronavirus pandemic, the health and social care sector as well as the emergency services are all providing an amazing service to those who are in need of urgent medical treatment. This will almost always require the sharing of personal data between organisations.

Even during a pandemic, it is important to note that GDPR still applies to ensure individuals’ privacy is protected whilst vital services are provided. On 19th March 2020 the European Data Protection Board issued a statement on the processing of personal data in the context of COVID 19 in which it emphasised this point:

“Data protection rules (such as the GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. The fight against communicable diseases is a valuable goal shared by all nations and therefore, should be supported in the best possible way.
It is in the interest of humanity to curb the spread of diseases and to use modern techniques in the fight against scourges affecting great parts of the world. Even so, the EDPB would like to underline that, even in these exceptional times, the data controller and processor must ensure the protection of the personal data of the data subjects.”

Lawful Processing

The first data protection principle in Article 5 (1) requires Data Controllers to process personal information “lawfully, fairly and in a transparent manner”. Processing personal data is only lawful if one or more of the six lawful bases listed in Article 6 (1) applies.
If a Data Controller processes personal data about a person’s health (which is a class of Special Category Data) then they must additionally identify one of the ten lawful bases set out in Article 9 (2). These are more detailed than those in Article 6, and are fleshed out further in Schedule 1 of the Data Protection Act 2018. However, there are some overlaps. For example, ‘consent’ is a lawful basis in Article 6 (1)(a) and ‘explicit consent’ appears in Article 9 (2)(a). Similarly, ‘vital interests’ appears in both Articles 6 and 9; however, there are differences between the two which we explore below.

Article 6 (1) (d) provides that the processing of personal data is lawful if the processing is necessary to protect the vital interests of the data subject or of another natural person. This raises three points for discussion.

  1. What are vital interests?
  2. When will processing be ‘necessary’?
  3. When can it be used to protect the vital interests of ‘another natural person’?

Vital Interests

GDPR Recital 46 specifically refers to processing for the monitoring of epidemics, and it seems this lawful basis is intended to be used in situations such as the current pandemic. But what about other interests? Are they vital?

During a recent GDPR workshop one delegate asked whether a person’s financial interests could be classed as a ‘vital interest’ (after all, we all need money to live). The answer is no because the word ‘vital’ is interpreted very narrowly. Recital 46 refers to processing that is “necessary to protect an interest which is essential for the life of the data subject or that of another natural person”. The ICO’s interpretation of this is that this generally only applies where it is necessary to protect someone’s life.

Our Example. Sam becomes acutely ill at work and his employer phones the ambulance service. The employer gives the paramedics Sam’s name and address. The employer can rely on the vital interests lawful basis to share this information. If the paramedics need access to Sam’s health records, then the GP will be able to share them for the same reason but will additionally require an Article 9 lawful basis (see below).

However, in our view vital interests can also include situations where there is a risk of significant harm to life. Therefore, if an elderly person is forced to self-isolate and depends upon a group of volunteers collecting their essential prescription medicines, then sharing that person’s name and address is arguably necessary to protect their vital interests.

Necessary 

The processing must be “necessary” in order to protect a person’s vital interests. The key question is whether a Data Controller can reasonably protect a person’s vital interests without the processing (sharing their personal data). If they can, then the processing will not be necessary. If they cannot, then it will be lawful. In the above example, if the employer refused to give the paramedics Sam’s name and address then this could potentially threaten their ability to offer him life-saving treatment. Therefore the sharing of Sam’s personal data is necessary to protect Sam’s vital interests.

Protecting the Vital Interests of Other Persons

Those familiar with the Data Protection Act 1998 will know that the lawful basis in Article 6 (1)(d) is very similar to the one listed in paragraph 4 of Schedule 2 of the 1998 Act. Unlike the old DPA, the GDPR extends this lawful basis to processing that is necessary to protect the vital interests of “another natural person”. However, Recital 46 cautions that “Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis”.

Back to our example. When the paramedics take Sam away in the ambulance, they ask for the names of any employees he may have come into contact with because they are concerned for their health. Can the employer rely on Article 6 (1)(d) to share their names? The answer is no if the employer can find an alternative lawful basis such as consent.

Consequently, as the ICO notes, the processing of one individual’s personal data to protect the vital interests of another is likely to happen only rarely. The ICO gives an example of the processing of a parent’s personal data to protect the vital interests of their child.

What about processing of personal data to save the lives of many others, for instance in a pandemic situation? Recital 46 suggests that this lawful basis may be used to process personal data for this purpose. But it also states that this basis should only be used where processing cannot be based on another legal basis. This could include “legal obligation” or “official authority”.

Special Category Data

A Data Controller sharing health information (or any other Special Category Data) also needs to identify a lawful basis under Article 9 of GDPR. This allows processing if it “is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent.”

This basis is more rigorous than its counterpart in Article 6. It permits the processing of Special Category Data if the processing is necessary to protect the vital interests of the data subject or of another natural person, but only “where the data subject is physically or legally incapable of giving consent”. This clearly allows medical practitioners to share health data in emergency medical situations where a patient is unable to consent to it.
If a patient is fit and able (physically and mentally) to give consent, then a Data Controller cannot rely on Article 9 (2)(c).

Example: a volunteer group has compiled a database of the names and addresses of residents who need their prescriptions collecting. They share these names and addresses with volunteers. The group has asked volunteers to log details of any residents who have COVID 19 symptoms in order that they can take steps to protect the lives of the volunteers. The group can only process this information if the person with symptoms explicitly consents to their information being shared (and they understand exactly why their information is being shared). If they are physically able to consent (or refuse to give consent) then the group cannot rely on the vital interests condition.

Although the temptation may be to assume that sharing health data is permissible in the circumstances, the vital interests condition in Article 9 (2)(c) has its limits.
Volunteer groups may need to take steps to obtain consent from data subjects and be prepared to explain exactly why they want this information. Article 9 does provide further lawful conditions which may be relevant (Articles 9 (2)(h) and (i)). We will consider the use of these in a future blog post.

Many established charities and recently formed volunteer groups are also now providing essential support services for those members of the community who are at risk, vulnerable or in need. In order to do this, these services may need to share personal data about such people, and often about their health. Whilst this is laudable, they too must be mindful of the GDPR implications. Our recent blog post about Covid 19 volunteer groups goes into more detail.

This and other GDPR developments will be covered in our new online GDPR update workshop. Our next online GDPR Practitioner Certificate course is fully booked. We have 1 place left on the course starting on 11th June.
