July 2016 has been a busy month for personal data in the healthcare sector, with the publication of the National Data Guardian for Health and Care’s (“NDG”) “Review of Data Security, Consent and Opt-Outs” (available here) and the related (but separate) “Safe data, safe care: Report into how data is safely and securely managed in the NHS” published by the Care Quality Commission (“CQC”) (available here).
The NDG report
The NDG review was chaired by Dame Fiona Caldicott, and follows two previous reviews (in 1997 and 2013) which together led to the establishment of the “Caldicott Principles” for the protection of personal confidentiality in the healthcare sector. The 2016 version is a direct response to what the NDG regards as a lack of positive change in data protection in the healthcare sector since the 2013 report. The NDG considers that strong leadership is core to data security, and identifies new data security standards which sit under specific leadership obligations for healthcare organisations in respect of the interaction between personal confidential data (as defined in the report) and people, process and technology. These principles are as follows:
Aside from the principles above, the NDG review also proposes that people should be able to opt out of their personal confidential data being used for purposes beyond their own direct care, and that this opt-out should apply unless there is a mandatory legal requirement or an overriding public interest. However, the review recommended that the opt-out model should be put to a consultation to establish whether people would prefer to have more than one opt-out choice and to develop the wording of the opt-out question. It remains to be seen how this will develop over time; however, it is likely that individuals will have the opportunity to better understand how their personal data will be used in the healthcare setting, albeit balanced against the need for clinicians to have access to sufficient data for treatment and training purposes.
The CQC review was, in its own words, conducted to establish whether personal health and care information is being used safely and is appropriately protected in the NHS. Its purpose was to: (i) review the effectiveness of current approaches to data security by NHS organisations when it comes to handling personal confidential data, and make recommendations on how current arrangements for ensuring NHS providers protect personal data could be improved; and (ii) make recommendations about how the new NDG guidelines can be assured through CQC inspections, NHS England commissioning processes and any other potential mechanisms. The results of the review are summarised in the report; however, it is worth noting that the CQC intends to act as the body through which the NDG data security standards are assessed, and it is hoped that this will provide the framework through which progress can be made.
New best practice?
The healthcare sector has by its nature always been a comparatively ‘high-risk’ sector in respect of the use of personal data, and this is reflected legally in the treatment of personal health data as ‘sensitive personal data’ for the purposes of the Data Protection Act 1998. The NDG report uses the definition of ‘personal confidential data’, which is wider than the ‘sensitive personal data’ definition: it is adapted to include information about deceased as well as living people, and other personal information in respect of which a duty of confidence is owed. Whether this has an impact remains to be seen, but it is worth noting the holistic approach taken by both the NDG and the CQC to personal data of all types in the healthcare sector (i.e. all personal data and not just information relating to personal health), with a view to effecting systemic change for the better across organisations which should be at the forefront of best practice in a data privacy context. This is likely to continue as the data protection regime evolves under the General Data Protection Regulation and means that, as ever, the law in such a sensitive sector should be viewed in conjunction with guidance and wider market trends to ensure compliance.
If you would like any further information on any of the points noted above or in relation to your data protection requirements more generally, then please contact Beverley Flynn on +44 (0) 1483 734264, Charles Maurice on +44 (0) 1483 406791 or your usual Stevens & Bolton contact.