The GDPR (General Data Protection Regulation) comes into effect in May 2018 – and with it comes a whole new set of challenges for healthcare organisations.
Data protection is crucial in healthcare. Confidentiality is the bedrock of a patient-healthcare provider relationship (and it’s something the NHS has wrestled with for two decades!).
If a patient doesn’t feel their data is being looked after properly, they may be unwilling to disclose other, more important, information; and this could result in harm to the patient or the wider community. Information sharing is also the key to successful and efficient solutions.
But NHS data protection obligations, though intended to protect the individual, also pose a range of challenges, particularly in the context of the GDPR:
1. The need for justification
The more personal the information, the greater the justification for disclosure needs to be. Under the GDPR, healthcare providers need to inform the patient of the need to disclose information and seek explicit consent. The need to obtain explicit consent each time data is used could pose issues for efficiency and flexibility.
2. Minimum information
Under the GDPR, only the minimum amount of information necessary may be obtained. This could have a huge impact on epidemiology and research, which rely on routinely collected data (although the GDPR does make allowances for organisations processing personal data for research purposes). The patient also now has the right to be forgotten. This could have huge implications for healthcare provision if deleting the data isn’t in the patient’s best interest.
3. Supply chain disruptions
Under the GDPR, the data controller is required to ensure that everyone with whom they share patient data meets the NHS data protection guidelines embodied in the GDPR. Therefore, any supplier or service provider could have their contract halted if they can’t prove compliance. This could impact service delivery (and cost).
4. Increased staff pressure
The GDPR states that organisations should appoint a data protection officer (DPO) to ensure compliance. However, all healthcare staff will face increased pressure to be up to speed on patient data security. Few organisations rely on data shared across a staff cohort of such varying IT knowledge as the NHS. Increased education and training are undoubtedly necessary.
5. System updates
In order to ensure GDPR compliance, NHS IT systems need to be carefully audited. This inevitably means increased cost unless and until systems are up to date.
Prepare your organisation and your workers for the GDPR and data protection changes with our range of online data protection learning courses.