GDPR compliance checklist for health and social care
The EU GDPR (General Data Protection Regulation) came into effect on 25 May 2018, extending the rights of individuals regarding the collection and processing of their personal data.
Health and social care organisations are subject to stricter requirements on the collection, processing and storage of individuals’ data, because most of what they hold is special category (health) data. The penalties for non-compliance are also significantly greater than the powers the ICO (Information Commissioner’s Office) had under the DPA (Data Protection Act 1998): the maximum fine rises from £500,000 to €20 million or 4% of annual worldwide turnover, whichever is higher.
GDPR requirements for healthcare
Under the GDPR, healthcare providers need to ensure that they comply with the requirements set by regulators and supervisory authorities, and be able to demonstrate that they are adequately protecting patient information.
Industry organisations need to uphold the integrity of healthcare data, as well as ensuring cyber resilience and business continuity in the event of a data breach.
Healthcare providers and their supply chain must identify and test incident response management plans to protect their core business functions in the event of a cyber incident, thereby preserving critical infrastructure.
GDPR compliance checklist
The checklist below, drawn up in line with NHS Digital guidance, sets out the steps healthcare organisations need to take to achieve compliance and how they might implement these changes.
Organisations must establish a GDPR compliance programme and be able to demonstrate compliance. Accountability has six elements that must all be in place, which makes it the most comprehensive part of the checklist to achieve.
This requires your organisation to:
- Understand who will be responsible for developing and implementing the programme;
- Conduct a gap analysis of its compliance posture and act on the results;
- Establish a timeline for implementation, audit and review;
- Raise awareness at board level. Ensure that your organisation’s leaders buy into and support the necessary changes required for GDPR compliance;
- Raise awareness among staff of the changes imposed by the GDPR and their responsibilities under it. Staff involved in collecting, processing or sharing personal and sensitive data will need to be aware of how the changes affect them and what they can do to maintain organisational compliance; and
- Ensure your IG (information governance) frameworks are GDPR compliant. Revise IG policies and procedures to bring them in line with the GDPR’s requirements.
Keep records of data processing activities
Organisations must understand and audit where personal and sensitive data is stored, processed and shared, and maintain a record of those processing activities. Every information asset should be linked to a named information asset owner.
Health and social care organisations are likely to have a head start on this, as recording data processing activities is already a requirement of the DSP (Data Security and Protection) Toolkit.
Data protection by design and by default and DPIAs (data protection impact assessments)
DPIAs help organisations identify, assess and mitigate or minimise privacy risks when a new data processing process, system or technology is being introduced.
DPIAs also support the accountability principle and demonstrate that appropriate measures have been taken to ensure compliance.
Organisations must identify who will be responsible for DPIAs, the circumstances in which one is likely to be needed (for example, a new system handling patient records), and revise policies and procedures to support DPIA practice.
Appoint a DPO (data protection officer)
A DPO is mandatory for all public authorities and any organisation that carries out regular and systematic monitoring of data subjects or processing of special categories of data on a large scale.
Organisations need to identify an appropriate individual to act as their DPO and provide adequate resources for them to complete their obligations.
Public authorities may appoint an external DPO, or one shared by several organisations. This is particularly relevant to smaller organisations, such as single-site care homes or GP practices, provided the DPO remains easily accessible to every organisation sharing the service.
Identify the lawful basis for processing
Document a legal basis for each processing activity identified through a data audit and data flow mapping.
The most common lawful bases for processing in health and social care are likely to be:
- Article 6(1)(e) – Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Article 9(2)(h) – Necessary for the purposes of preventive or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services.
Other lawful bases include consent, the performance of a contract and the legitimate interests of the controller or a third party (Article 6(1)(f)); note that legitimate interests is not available to public authorities acting in the performance of their tasks. Processing special category data such as health records requires both an Article 6 basis and an Article 9 condition.
Detect, report and investigate data breaches
Review your breach notification policy and procedure to ensure that any personal data breach likely to result in a risk to individuals’ rights and freedoms is reported to the ICO within 72 hours of your organisation becoming aware of it. Where notification is not made within 72 hours, the reasons for the delay must be given.
You also need to consider how you will communicate breaches to the individuals affected, which is mandatory where the breach is likely to result in a high risk to their rights and freedoms.
Manage additional compliance requirements
Demonstrate compliance with consent requirements
Update internal and external communications material and internal processes to support obtaining verifiable consent that is freely given, specific, informed and unambiguous.
Consent obtained either manually or electronically must comply with the standards set out by the GDPR, and there must be clear instructions for data subjects to allow them to revoke consent.
Manage children’s rights
If you offer online services directly to children and rely on consent as your lawful basis, a child below the age of digital consent cannot give valid consent themselves and parental consent is required. The privacy statement must be written for the intended audience’s age.
Organisations must implement processes to demonstrate that a child’s age has been verified, that parental consent was obtained where required, and that consent was freely given, specific, informed and unambiguous.
Comply with more stringent transparency requirements
The GDPR strengthens transparency requirements to support data subjects being properly informed of the use of their personal information and of their rights, before or at the time their information is collected.
Organisations must update their communications material and fair processing information to support this requirement.
Support individuals’ rights
Update communications material and internal processes to support data subjects’ rights. These include the rights to rectification, erasure, restriction of processing and data portability, and the right to object to the processing of their information.
Manage SARs (subject access requests)
Update your internal processes to provide individuals with access to their personal information.
Under the GDPR, SARs must be responded to within one month of receipt, extendable by a further two months where requests are complex or numerous, provided the individual is told of the extension within the first month. Most SARs must be satisfied free of charge, although a reasonable fee based on administrative costs can be charged, or the request refused, if it is manifestly unfounded or excessive, in particular because it is repetitive.