The NHS are guardians of special categories of personal healthcare data across the UK. Whilst patient data is vital for managing an individual's care, there is also a need for that data to be handled securely. Since the introduction of the General Data Protection Regulation (GDPR) on 25 May 2018, are the data guardians beyond reproach in the way they manage patient data?
The NHS holds extremely sensitive health data on the majority of the population. The large quantities of data held centrally are shared by NHS England, NHS Digital, the Department of Health, Regional Trusts, Primary Care, Clinical Commissioning Groups, Private Hospitals and outsourced administration functions. There are also differing privacy policies across multiple trusts, so could this place the healthcare sector at risk of failing to comply with GDPR?
In recent months, public confidence in data-sharing has been tested by several high-profile breaches of data security and confidentiality. Nevertheless, according to a recent study by Ipsos MORI and the Royal Statistical Society, the public trust NHS organisations more than any other institution with their data. With the national opt-out initiative now in place, there has never been so much emphasis and pressure on the NHS to have total data management control.
The national data opt-out
Launched on the same date as GDPR, the national data opt-out allows patients and the public the opportunity to make an informed choice about whether they wish their confidential patient information to be used only for their individual care and treatment or also for research and planning purposes.
The opt-out has two key features: it is a single mechanism for recording opt-outs in a central database (rather than through GPs), and patients can register their opt-out online or over the phone.
So a key challenge for NHS organisations is ensuring that they have access to patient data and records in a format that facilitates the data opt-out process. Add into the mix the requirement for GDPR-compliant processes, and it is a challenging set of requirements.
In reality, GDPR should not change anything fundamental regarding how the NHS process patient data, but some elements are important to highlight. First, 'explicit consent' is harder to achieve under GDPR if patient records are held in a paper format. Using explicit consent as a legal basis for sharing data requires NHS organisations to be specific about the purpose for which it is being obtained and to document the consent. This may be possible for data in an electronic format, but it is unlikely to be possible for paper-based patient records.
Storage of documents
Under GDPR, the storage of patient records is a key issue too. Article 5 requires that documentation be retained only for the minimum time necessary. Keeping unnecessary duplicates of patient data from, for example, old scans and x-rays could land the organisation in trouble with the ICO. Due to the vast quantity of data handled daily, the risks of a data breach to the NHS and its partner organisations are huge.
For NHS organisations that process a large amount of data, there is a solution at hand through leveraging the technology of medical record scanning services. Restore Digital, a leading data and document management company, have come to the rescue and taken on the scanning and storage of sensitive data.
Restore Digital have worked in partnership with leading NHS Trusts to provide medical record scanning. As many hospitals manage over 1,000 requests for medical records per day, ensuring that the correct files are privacy protected and available for clinicians when patients arrive for appointments is paramount.
So in conclusion, are the NHS data guardians beyond reproach in the way they manage patient data? The answer is yes. The NHS are working with specialist data management organisations to ensure that patient and public data is secure and processed in a compliant manner. Using resources effectively to treat patients efficiently is always top priority for healthcare professionals and managers alike, and as you would expect, this has always been a strong public-sector ethic and not just led by GDPR compliance.