Let's face it, data protection breaches in healthcare are nothing new.
And healthcare continues to be the worst sector, the ICO's 2019/20 statistics show it represents 20% of all personal data breaches, although this is partly due to mandatory reporting.
Recent high profile healthcare data protection breaches
Back in 2017, there were 9 data protection breaches involving Ipswich Hospital referred to the ICO over a 3-year period, with 5 instances of staff unlawfully accessing personal information.
At least 4 members of staff were dismissed, with 3 facing disciplinary action. Other breaches included a letter being sent to the wrong patient, theft and a loss of records, and patient handover sheets being taken outside the hospital.
But the hospital didn't seem to learn from this with two more staff disciplined in an even more high profile data breach involving Ed Sheeran in 2018.
More recently, the Covid pandemic meant a bigger need than ever to collect and transfer large volumes of personal data relating to health. But lessons have not been learned.
Public Health Wales (PHW) mistakenly published the details of more than 18,000 people who tested positive for Covid-19 in August 2020. They said it was an 'individual human error', yet many would think that they would have reviewed their procedures after sending 13,000 shielding letters to the wrong addresses in April 2020.
Not to be outdone, in September 2020, Public Health England (PHE) managed to do the opposite. Rather than make data public, they made it disappear! By using outdated (and arguably inappropriate) software they failed to report 16,000 coronavirus cases. You might think, well that's not a GDPR issue? Maybe not, but it highlights a significant risk - and remember lives may be at stake. Imagine if the data had related to cancer screenings?
How to strengthen existing health data GDPR controls
- Raise awareness of what is covered - make sure everyone is clear about what constitutes sensitive personal data (or special categories of personal data under GDPR). The definition is broad under GDPR and includes past, present and future physical or mental health, information from testing or examination of a body part or bodily substance, genetic and biological samples, information on diseases or risk, disability, medical history, clinical treatment, and so on.
- Remind everyone of the need for privacy - personal information cannot be shared or accessed by anyone for any reason.
- Conduct a Data Protection or Privacy Impact Assessment - as we are all obliged to do whenever there are high risks to the rights or freedoms of data subjects. Remember, individual consent may not be enough and you may also need processing to be sanctioned by the data protection authority where risks are high.
- Only share information on a 'need to know' basis - if access is required to enable them to do their job. If additional access is required to information, this should be re-evaluated to establish the business case.
- Take extra care when sharing health data with third parties - make appropriate disclosures and get explicit consent in advance so data subjects understand who else will see their information and for what purpose. Decide how this information will be communicated.
- Ensure special categories of data are always adequately protected - use extra security measures (such as encryption) when sending information electronically.
- Use the right tools for the job - you can't expect employees to stay compliant without providing the right tools to do so. So ensure that your IT controls are up to scratch, not just at a network level but on individual devices. And hold data in an appropriate way such as a secure database. And remember that does not mean Excel or worse, Word...
Want to learn more about GDPR?
If you'd like to stay up to date with GDPR best practices, industry insights and key trends across regulatory compliance, digital learning, EdTech and RegTech news, subscribe to the Skillcast Compliance Bulletin.
To help you navigate the compliance landscape we have collated searchable glossaries of key terms and definitions across complex topics including GDPR, Equality, Financial Crime and SMCR. We also regularly report key learnings from recent GDPR fines. And if you're looking for a compliance training solution, why not visit our GDPR Course Library?.
You can follow our ongoing YouGov research into compliance issues, attitudes and risk perceptions in the UK workplace through our Compliance Insights blogs.
Last but not least, we have 60+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, handouts, posters, training presentations and even e-learning modules!
If you've any questions or concerns about compliance or e-learning, please get in touch.
We are happy to help!