Challenges and opportunities in the paperless NHS & beyond - A data protection perspective

  1. Challenges and Opportunities in the Paperless NHS and Beyond: A Data Protection Perspective. Emily Jones, Partner, 4 June 2014
  2. Data protection compliance in context
  3. Challenges (Private & Confidential)
     Challenges the NHS is facing:
     1. Huge increase in volumes of sensitive data
     2. Public perception issues
     3. Fines and enforcement action
     4. Political and public pressure to improve data handling
     A paperless NHS will bring new challenges in these areas.
  4. Snapshot of recent health sector audit
     19 audits carried out primarily with NHS Trusts by the ICO during 2013:
     - Passwords: lack of simple password controls
     - Policies: in place, but compliance not always effectively monitored
     - Record tracking: records tracked, but not all conduct audits for missing files; concerns regarding the security of physical records
     - Fax machines: concern regarding the use of fax machines for sending personal information
     - Information governance: appropriate risk registers, risk assessments, regular review
  5. Impact on suppliers
     - Demonstrating compliance is key
     - The Data Protection Act 1998 says: "Appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage"
     - Competitive advantage for suppliers with a focussed approach to data protection using:
       - Data retention practices
       - Good management of data storage and destruction
       - Careful and well managed use of sub-contractors
       - Robust security measures
       - Staff reliability processes
       - Barriers to overseas data transfers
       - Regular audits and disaster recovery
  6. Improving compliance and mitigating risk
     1. Assign responsibility to a DPO
     2. Implement a training programme
     3. Review and update policies
     4. Review approach to hiring sub-contractors
     5. Use of encryption
     6. Security breach notification
     7. Insurance
  7. Non-compliance – the "so what?" question
     It's not only about the fines and contract breaches:
     1. Negative impact on share value
     2. Negative impact on current and future customers (private and public sector)
     3. Breach of contract (liability)
     4. Diversion of time and resources
     5. Staff trust
  8. Opportunities
     - Big data: commercial use and benefits vs. concerns about identification
     - Anonymisation: concern about "true anonymisation"
     - Mobile health/agile working: drives efficiencies; security and monitoring issues
     - Tracking access to records: improvements to audits
  9. Potential future data protection obligations
     Current data protection obligations:
     - Restrictions on transfers outside the EEA
     - Keep data accurate and up-to-date
     - Retain data for an appropriate period
     - Respond to data subject requests
     - Annual notification obligation
     - Get opt-in/opt-out consent for email/SMS marketing
     - Screen against TPS/FPS "do not call" lists
     - Get opt-in consent to use cookies
     - Data must be relevant and not excessive
     - Notify ICO of security breaches (not yet compulsory for all)
     - Knowledge/consent
     Potential future obligations:
     - DPO requirement
     - Enhanced data subject rights: right to be forgotten, data portability
     - 24/72 hours to notify data/cyber breaches
     - Fines to increase (>2% worldwide turnover or €1m)
     - Expanded definition of personal data
     - Data processor responsibility
     - Higher level of consent required
     - Increased use of Privacy Impact Assessments (PIAs) and emphasis on accountability
     - Processor BCRs
     - Annual notification scrapped
  10. Contact: Emily Jones, Partner. T +44 (0) 117 917 3652, M +44 (0) 7824 491 293