GDPR: A Practical Perspective
In the past few months, we’ve seen a significant increase in the number of questions about GDPR (General Data Protection Regulation) so we thought it might be useful to discuss our take on it.
As you might expect (or hope), GDPR has been on our radar for some time and our view on it remains unerringly positive. Back in July we wrote the article below:
However, this article is intended to be more practical in nature and aims to discuss some of the common questions that we have heard recently. I hope it’s helpful, but please keep in mind that this does not constitute formal advice. If you’re unsure about anything in relation to GDPR you should seek assistance from your local lead authority in the first instance or seek a professional opinion from a data protection specialist.
Roles – Shared Responsibility
In many of our discussions about GDPR, the starting point tends to be “what are YOU doing about GDPR”?
It’s a fair question and one which we’re always happy to answer but I think it’s important to be clear that GDPR is a collective responsibility shared between the data controller (the clinician/practice) and the data processor (us, if you’re using WriteUpp for your client records). Jointly, we are responsible for protecting the rights of the data subject (your client) in accordance with the regulation. You can find a full copy of the regulation text here.
As the name suggests, you as the controller determine what you do with the personal data that you collect and how it is processed. If you use a cloud-based practice management system, like WriteUpp, we are your processor and our responsibility is to protect the data and provide the processing required by you, as the controller. Keep in mind that you may have other processors (over and above your practice management system provider) and you will need to ensure that you have a Data Processing Agreement (DPA) in place with them by May 2018.
Rights – How would you like to be treated?
Sure, GDPR means some extra work for us all but updated data protection legislation is long overdue and in our humble opinion GDPR is a common sense revision to rights and protections that all of us would want for ourselves and our families. The key rights that will be protected by GDPR are as follows:
- to be informed (Article 13) – you (amongst other things) need to tell clients who you are, why you need their personal data, how you will use it within your practice, how they can modify it, how they can access it, how they can retract consent to hold and process their records and how they can raise a complaint, should they wish to do so.
- to access (Article 15) – you will need to provide your clients with access to their personal data if they request it and explain in clear, non-technical terms how you are processing their data.
- to rectification (Article 16) – you will need to give your clients the ability to amend/change inaccurate or incomplete information that you hold about them. Moreover, if you have shared their information with another organisation you will need to notify them of the amendments.
- to erasure (Article 17) – in relation to healthcare records the “right to be forgotten” is a tricky judgement call and my suggestion would be to either seek a legal opinion, talk to HCPC (if you’re in the UK and regulated by them) or your professional body. I suspect that it may be something that needs to be considered on a case by case basis as I can envisage many situations where this might not be in the best interest of the client but I can also think of others where a client might want to be able to exercise this right.
- to restrict processing (Article 23) – you will need, in certain circumstances, to prevent any further processing/use of the client’s record going forwards or until they re-grant you the right to process their data.
- to data portability (Article 20) – you will need to permit your clients to move their personal data from one system to another in a structured and commonly used format. In essence, this means that you will need to be able to securely provide your clients with all of their data electronically should they wish to switch to another practitioner, for example.
- to object (Article 21) – you will need to let your clients know that they have the right to object to their data being used/processed. This includes direct marketing and research, so keep in mind that if an objection arises you will need to stop processing immediately. To manage consents in relation to direct marketing we would always recommend using a product like Mailchimp (free for less than 1000 contacts) so that you can manage opt-ins and opt-outs in accordance with GDPR, although in truth you should be doing this already.
- not to be subject to automated decision making (Article 22) – I don’t foresee this impacting many of our clients, although it may if you provide certain types of data to health insurers, for example. If you do, your clients have the right not to have judgements made about them based on algorithmic decision-making.
A Word on “Compliance”
One of the most frequent questions we get asked is:
“Is WriteUpp GDPR compliant?”
This is a question that we feel we need to answer carefully. First, let me be 100% clear – we will comply with GDPR when it takes effect in May 2018. However, “compliant” implies a level of ratification that doesn’t exist. Before (or after) May 2018 no one is going to be certified against GDPR. Whether you’re a data controller or data processor it is your responsibility to comply with the regulation based on:
- your interpretation of the regulations
- the applicability of the regulations to your specific business
- your assessment of the risks associated with recording and processing personal data
We’re not for one second suggesting that you should be complacent in any way, however, I think it’s important to make it clear that there isn’t a box you can tick anywhere and say “yes” we are compliant.
If you (as a data controller) want some kind of assurance about your data processor we would recommend taking a look at the relevant international standards. There are a number that touch on or relate to GDPR, but your starting point should probably be ISO27001: Information technology — Security techniques — Information security management systems — Requirements.
Here’s the official definition from the ISO (International Standards Organisation):
ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.
Given the standard’s scope and the fact that it requires ongoing auditing and certification we feel it provides you (as a data controller) with a good measure of a processor’s ability to protect the integrity of your data. For this reason, it’s probably the closest you will get to a tick in a box, but do keep in mind that ISO27001 and GDPR are not the same thing.
Here at WriteUpp, we have chosen to seek ISO27001 accreditation to give extra peace of mind to our clients as we move towards the GDPR deadline. We have engaged with QMS International to assist us in the certification process and expect to be certified against ISO27001 shortly before GDPR takes effect.
Step by Step Guide
Both ICO (Information Commissioner’s Office) and the Data Protection Commissioner (Ireland) have produced step by step guides to help you prepare for GDPR. The guides are an excellent starting point and something that has helped us in our journey towards GDPR.
At this point, I should be clear that we are not GDPR specialists; by that I mean we don’t have all the answers and we are not the organisation you should look to for formal advice. However, we have spent a significant amount of time (since mid 2016) investing in and preparing for GDPR. During this time we:
- have migrated our entire infrastructure to Microsoft’s world-class Azure platform to ensure we fulfil our obligations as your data processor (if you’re using WriteUpp)
- have and continue to roll out measures and features to protect the integrity of the data that we hold, including two-factor authentication (due by end Dec 2017)
- have mapped out the key features that we think most clinicians (data controllers) will need in a practice management system to comply with GDPR. Many exist already in WriteUpp by virtue of our NHS heritage but some don’t and these are being rolled out between now and May 2018
Given this practical experience, I thought it would be useful to reference the 12-step process mapped out by ICO & DPC with some commentary based on our own learnings and approach over the past 18 months. Again, this is not a professional opinion, but hopefully sharing our experiences will be useful.
Step 1 – Awareness
If you’ve not started already you should (as a matter of urgency):
- Make sure your team is aware of GDPR and the broad principles involved
- Maintain a steady flow of GDPR information to your team so that it remains “top of mind” in the run-up to May 2018 and beyond
- Commit resources and budget to your preparations. Take it from me, it will need both and will include:
  - time for understanding the regulation and documentation (of risks/processes)
  - time for training/education/awareness if you have multiple team members. Generally speaking, we humans are the weakest link in any security system
Step 2 – Accountable
Some aspects of this step may be very straightforward whilst others may be more challenging.
The bottom line is that you need to know:
- what personal data you hold;
- where it came from; and
- who you’ve shared it with
If you’ve previously made the decision to put your client-related data into a cloud-based practice management system then it should be pretty easy to identify what personal information you hold. Why? Because when your data is in the cloud you don’t have any data stored locally or on different computers or different systems. Everything is in one place.
However, if you’ve taken a more “fragmented” approach you will likely find this step pretty challenging. A fragmented approach might be something like: an Excel spreadsheet with client details stored on Dropbox; Word documents stored locally on your hard drive with Notes on them and perhaps some paper records of assessments or even a hand-written list of client-related tasks.
As well as knowing what information you hold you’ll need to identify where it came from and going forward you will need to capture the source of each record that you add to the system. Something along the lines of Walk-In, Web Enquiry, Clinical Referral should be suitable along with a date/time stamp confirming when the record was created.
For many, this could be the biggest challenge, as you will need to keep a record of what you have shared and who you have shared it with. Again, in a system like WriteUpp this is pretty straightforward, as all outbound communications via email/SMS reside in a tab in the patient summary.
Maintaining this log will serve a couple of purposes, amongst others:
- it allows you to keep track of where you have sent your client’s data
- it allows you to notify the relevant parties (that you have shared data with) if your client asks for a change to the record
Step 3 – Communication
This is really a preparatory step, but it’s about ensuring that you’ve done the necessary housekeeping and that you have a plan in place to get your privacy statement updated to reflect the requirements of GDPR. The simple things that you should be able to resolve as soon as possible include making sure that your clients are aware of key information like:
- The name of your company (as registered with Companies House or your local equivalent)
- The registered address of your practice
- Where they can raise a complaint if they wish to do so. This will be the relevant lead authority in your geographical area. For example, in the UK it will be ICO (Information Commissioner’s Office) and in Ireland, it will be the Data Protection Commissioner.
Other matters (covered in later steps), like your legal basis to record a patient’s personal data and retention periods, may require legal advice and you need to put a plan in place to get these sorted ahead of May 2018.
Step 4 – Personal Privacy Rights
As I mentioned earlier in this article GDPR introduces a fundamental set of rights that you should review and thoroughly understand. Then, I would suggest you attempt to put together an action plan to ensure you comply with each specific right. Doing it this way should make the job less daunting and help to avoid any omissions.
Below I’ve tried to pinpoint those areas where:
- a process change may be required
- a legal change may be required
- WriteUpp should help you comply
If you’re using a different practice management system I’d suggest contacting your provider to see if you can get a similar breakdown of how they propose to address these rights.
the right to be informed (Article 13)
This will most likely require a legal change – check with your lawyer.
the right of access (Article 15)
In an upcoming release, WriteUpp will provide an Access Request tool.
the right to rectification (Article 16)
You will be able to handle this in WriteUpp but we will also be adding extra logging to identify the change as a “privacy/rights” request.
the right to erasure (Article 17)
This feature already exists in WriteUpp.
the right to restrict processing (Article 23)
WriteUpp already provides the ability to tag/mark records and this could be used to comply with a request to restrict processing but we may make further changes during 2018.
the right to data portability (Article 20)
WriteUpp will provide you with the ability to export a single client’s record so that (if they wish to do so) they can hold their own data or provide it to another healthcare professional.
the right to object (Article 21)
You should have the processes in place to allow a client to suppress processing of their data. In all probability for a healthcare professional, this is less likely to impact the processing of personal data for treatment purposes but may impact on things like direct marketing activities. If you undertake direct marketing you should ensure that you have the appropriate opt-in/opt-out measures in place.
the right not to be subject to automated decision-making including profiling (Article 22)
Seek professional guidance on this, however, this isn’t something that WriteUpp does or plans to do at any point in the future.
Step 5 – Access Requests
In the event that you receive an access request, you will need to have the internal processes in place to:
- Ensure your staff recognise it and act upon it immediately
- Record the access request with a time/date stamp in your practice management system or log
- Securely provide the information to your client free of charge within 30 days
In WriteUpp this will be a one-click process and will generate an output in a few seconds along with an entry in the client’s privacy log.
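As an added example (not WriteUpp’s code and not from the original article), the following Python sketch shows the bookkeeping described in Step 2 (capturing the source and creation time of each record, and logging who data has been shared with so they can be notified of a rectification) together with the Step 5 access-request timestamp and 30-day response window. The client identifier, recipient names, channel set and dates are constructed values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Suggested record sources (Step 2) and the 30-day access-request window
# (Step 5) as given in the article; everything else is assumed.
RECORD_SOURCES = {"Walk-In", "Web Enquiry", "Clinical Referral"}
ACCESS_REQUEST_WINDOW = timedelta(days=30)


@dataclass
class RightsRequest:
    kind: str                    # e.g. "access", "rectification", "erasure"
    received: datetime           # time/date stamp of the request
    due_by: datetime             # deadline for responding
    closed: Optional[datetime] = None


@dataclass
class PrivacyLog:
    """Per-client log. The client is referenced by a pseudonymous id, never
    by name, so the log itself does not identify the patient."""
    client_id: str
    source: str
    created_at: datetime
    shares: List[tuple] = field(default_factory=list)      # (when, recipient, channel, what)
    requests: List[RightsRequest] = field(default_factory=list)


def create_record(client_id: str, source: str, now: datetime) -> PrivacyLog:
    """Open a log for a new client record, capturing its source and timestamp."""
    if source not in RECORD_SOURCES:
        raise ValueError(f"unknown record source: {source!r}")
    return PrivacyLog(client_id=client_id, source=source, created_at=now)


def log_share(log: PrivacyLog, recipient: str, channel: str,
              what: str, now: datetime) -> None:
    """Record an outbound disclosure of client data (email or SMS)."""
    if channel not in {"email", "SMS"}:
        raise ValueError(f"unsupported channel: {channel!r}")
    log.shares.append((now, recipient, channel, what))


def parties_to_notify(log: PrivacyLog) -> List[str]:
    """Distinct recipients who must be told when the record is amended."""
    return sorted({recipient for _, recipient, _, _ in log.shares})


def log_access_request(log: PrivacyLog, now: datetime) -> datetime:
    """Stamp an access request and return the date by which it must be answered."""
    req = RightsRequest(kind="access", received=now,
                        due_by=now + ACCESS_REQUEST_WINDOW)
    log.requests.append(req)
    return req.due_by


def close_request(log: PrivacyLog, index: int, now: datetime) -> None:
    """Mark a request as fulfilled (e.g. the export was sent to the client)."""
    log.requests[index].closed = now


def overdue_requests(log: PrivacyLog, now: datetime) -> List[RightsRequest]:
    """Open requests whose response window has already passed."""
    return [r for r in log.requests if r.closed is None and now > r.due_by]
```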
Step 6 – Legal Basis
Depending on where you are with your GDPR readiness this should be a priority pretty soon!
You might be able to cobble together an acceptable privacy statement that covers the key aspects of GDPR but my very strong advice would be to talk to your friendly lawyer (or better still a lawyer that specialises in Data Protection) and get professional assistance.
Depending on when you last reviewed your privacy statement it will likely need amending to include, amongst other things:
- Your legal basis for processing your client’s personal information.
- Details on how long you will keep their data for. In WriteUpp we will be providing a data hygiene tool that will allow you to see the retention periods of your records and manage them accordingly.
Step 7 – Consent
Just to avoid any confusion: many clinicians are familiar with the concept of clinical consent; however, consent in the context of GDPR relates to gaining your client’s agreement for you to store and process their personal information.
When you gain consent you will need to do two things:
- Keep a record of when and how you got consent from the individual
- Keep a record of exactly what your client was told when they granted consent
In WriteUpp you have the ability to create a consent form both for adults and for children but we will be giving this greater prominence and enhancing its capabilities early in 2018.
Step 8 – Children
As part of any initial assessment, most clinicians dealing with children will record the child’s age. There are provisions in GDPR that require a child’s age to be verified but these appear to relate specifically to commercial internet services, such as social media. Under GDPR a child is any individual under the age of 16 and as such consent to capture and process personal information must be granted by an adult who must be identified as part of the consent process along with their relationship to the child.
WriteUpp will handle consent for children, as per Step 7.
Step 9 – Reporting Breaches
GDPR places multiple responsibilities on both data controller and processor in relation to data breaches. These include:
- measures to detect possible breaches
- reporting a breach to the relevant supervisory authority and/or the individual impacted, depending on the nature of the breach
- investigating the cause of any breach
In our capacity as data processor, we have measures in place to detect system-based data breaches and you will be notified in accordance with our contractual obligations if a breach occurs. From your perspective, breaches are potentially more likely to occur as a result of human intervention. To mitigate this and aid detection there are some simple measures that can be put in place, such as ensuring that all users have unique logins and enabling two-factor authentication. Both of these measures should ensure that any malicious actions leave an audit trail that can be used to help with detection, reporting and investigation.
You may also want to take a look at insurance. Again, this isn’t an endorsement but something along the lines of the Hiscox Cyber-attack and data breach policy may well be appropriate.
Step 10 – Data Protection by Design
When GDPR comes into effect you (and we) will be legally required to “design-in” privacy. Whilst this might sound slightly daunting it makes absolute sense in the context of the rest of the regulation. GDPR shouldn’t be thought of as a one-time thing where you tick the box and forget about it.
Our take on this is that every future action/initiative/project which impinges on personal data should be carefully considered with a clear eye on privacy. Where a significant risk is identified you/we will need to go through a formal process and conduct a DPIA (Data Protection Impact Assessment). ICO has produced some very helpful guidance on this which you can take a look at here.
Step 11 – Data Protection Officer
In our humble opinion, the job title here is less important than the actions that you/we undertake. Someone in a position of authority needs to:
- have the requisite knowledge (now and going forwards) about GDPR
- champion GDPR within your organisation
- be responsible for complying with GDPR
- ensure that data protection is “designed in” to your business planning/process changes
- evolve, mature and improve how you comply with GDPR
Step 12 – International (Lead Authority)
If your organisation operates in multiple countries you should map out where your organisation makes its most significant decisions about its processing activities. This should help you to determine your ‘main establishment’ and therefore your lead supervisory authority. For example, if you primarily operate in the UK your lead supervisory authority would be ICO, and this is where your clients would go if they wanted to lodge a complaint or if you needed to report a data breach.
GDPR may sound daunting but in our experience if you:
- apply some effort to research and understand the regulation – yes, I know this might sound blindingly obvious but you need to allocate some time to understand it in your own terms and from your own perspective even if you plan on seeking external advice
- apply some common sense
- think of the regulation in terms of the protections that you would want and expect for yourself and your family
Lastly, keep in mind that data is personal if it can be related to an individual. We have found that there are a number of situations where client names/addresses need not be referenced, and the same will be true in your practice. Whilst it’s “nice & friendly” to include someone’s name in a confirmation/reminder email/SMS, it’s not necessary, and as soon as you remove it you eradicate any issues about patient identifiability (to use NHS parlance). Similarly, in documentation, you might elect to use a universal identifier like the NHS number instead of referring to clients by name.
I hope this article has been useful and worth the read. As I mentioned at the outset it’s not intended to contain answers to how you might comply with GDPR but in sharing some of our experiences I hope it has been helpful.