• ISO9001 Quality Management
    Systems (QMS)
  • ISO14001 Environmental Management
    Systems (EMS)
  • ISO50001 Energy Management
    Systems (EnMS)
  • ISO45001 Health & Safety Management
    Systems (OHASMS)
  • ISO27001 Information security
    management systems (ISMS)

What does the GDPR mean for healthcare, social care and voluntary sector organisations?

14 Nov 2017

The European Union’s General Data Protection Regulation (GDPR) comes into force on 25th May 2018, regardless of Brexit. The legislation gives new rights and greater protection to data subjects. Given that health, social care and voluntary sector organisations utilise vast amounts of sensitive data, GDPR is an important development. Serious failures to comply with legislation can result in huge fines of up to 20 million euros or 4% of global annual revenue. Charities are not exempt from fines.

How is GDPR different to the current Data Protection Act (DPA)?

1. Mandatory Appointment of a Data Protection Officer (DPO)

It’s compulsory to appoint a dedicated Data Protection Officer (DPA) if you process ‘sensitive personal data’.

Sensitive personal data includes information about a person’s:

  • racial or ethnic origin
  • political opinions
  • religious beliefs
  • trade union activities
  • criminal offences
  • sexual life
  • physical or mental health (‘health data’).

It also includes:

  • genetic data
  • biometric data.

2. Explicit Consent

Under the GDPR consent must be freely given, unambiguous and explicit. There has to be a clear, positive action on the part of the data subject. Consent cannot be inferred from silence or pre-ticked boxes. There should be an active opt-in mechanism to prove that the data subject has confirmed consent. In addition, organisations need to provide simple ways for people to withdraw consent at any time.

However, in certain circumstances, health and social care organisations don’t have to gain consent to collect health data. The GDPR states that health data includes ‘all data pertaining to the health status of a data subject which reveals information relating to the past, current or future physical or mental health status of the data subject’. Consent may not be necessary if data is vital for the provision of health or social care treatment, under ‘medical care’ grounds, in the interests of public safety or for scientific research. For detailed information read the ICO’s Consent Guidance.

3. Access

The EU GDPR gives individuals more power to access personal information held by healthcare, social care, charity and voluntary organisations. Currently, Subject Access Request (SAR) allows organisations to charge £10 to supply information, but under GDPR access is free of charge. GDPR gives individuals the power to have their personal information erased in some circumstances such as when it’s no longer needed for the purpose it was collected. In addition, GDPR gives individuals more rights over the processing of the data held. ICO says that individuals ‘have the right not to be subject to a decision’ if it produces an effect on them. There are some exceptions, but in general people must be provided with an explanation of the decision.

4. Accountability

Healthcare, social care and voluntary sector organisations will be more accountable for protecting people’s personal information. The healthcare sector, for example, deals with an overwhelming amount of personal data relating to patients, their families, carers and members of staff. The sheer volume of data means that the number of breaches is very high. According to The Register there were 221 breaches between October and December 2016, with human error being the main cause: loss of paperwork – 24%; data sent by email to incorrect recipient – 9%, data faxed/posted to the wrong person – 19%; failure to redact data – 5%. The rigorous nature of the EU GDPR aims to combat this crisis.

Under the GDPR, it’s mandatory for UK organisations to report information security breaches to the ICO and to the individuals affected within 72 hours of identification. Organisations must also show that they regularly and systematically monitor all activities on personal data.

What happens if we can’t meet the EU GDPR requirements in-house?

A cost effective and flexible solution is to hire a GDPR consultant who can come and go as you need them.   As well as bringing expertise, a consultant can provide an independent perspective on how your organisation should address GDPR compliance. A consultant will conduct a gap analysis of your existing information security management systems and suggest amendments to existing frameworks, procedures and technologies. They will carry out a Data Protection Impact Assessment (DPIA) in order to analyse the current risk to data subjects’ rights and freedoms so that they can find ways to reduce or minimise these risks. They will also offer any relevant training for your employees, to help you develop a workforce that is competent to manage sensitive information securely.

A consultant can provide healthcare, social care, charity and voluntary sectors with on-going support by conducting regular and continuous reviews of EU GDPR compliance.

ISO 50001 audit tool

© Copyright All Rights Reserved, NDC Certification Services Ltd. 2020.