With the EU’s General Data Protection Regulation coming in next month, occupational health practitioners need to be reviewing how they collect, manage, process, store and protect their data. GDPR is complex and preparing for it may be a headache, but it is something you must not ignore, advises Sue Carty.
Whether you are a self-employed occupational health practitioner, run your own occupational health company, or are employed by an OH provider or an in-house service, you need to be ready for the European Union's General Data Protection Regulation (GDPR), which comes in on 25 May.
This is something more and more occupational health practitioners are waking up to. As lawyer Steve Marc Rhodes highlighted in the March 2018 edition of Occupational Health & Wellbeing ("Is your technology ready for GDPR?", March 2018, vol 70 no 3), the new regulation is set to have a significant effect on all providers and users of health and wellbeing technology.
But what about individual practitioners? What do you need to be worrying about, and doing, between now and 25 May?
I recently attended the Health at Work Partnership's "OH legal and professional update" workshop and, as part of her introduction, Diana Kloss emphasised that the good news is that, if you are compliant with the Data Protection Act 1998, you are likely to be broadly compliant with GDPR. However, she also advised everyone to review their existing policies and procedures in line with GDPR and the UK Data Protection Bill.
But where do you start? The Information Commissioner's Office (ICO) is an excellent source of information, and its Guide to the GDPR explains the provisions of the regulation to help organisations and individuals comply with its requirements. The ICO describes the guide as a "living" document because it is still expanding it in key areas.
The guide includes links to relevant sections of the GDPR itself, to other ICO guidance and to guidance produced by the EU's "Article 29" working party. This working party includes representatives of the data protection authorities of each EU member state, and the ICO is the UK's representative. When the UK Data Protection Bill has finished going through Parliament and becomes an Act, the ICO will provide additional guidance where required.
Alongside The Guide to the GDPR, ICO has produced a number of tools to help organisations to prepare for GDPR, and I am using its “controller’s checklist” as the basis for this article.
What sort of data entity are you?
Whether you are a large occupational health provider, an in-house service or have your own company the best place to start is, again, the ICO’s website, in particular its two Getting ready for the GDPR checklists. One of these is for “data controllers” and the other is for “data processors”.
But what do these terms mean? It is complicated but, in essence, it comes down to whether you decide why and how personal data is processed, or merely handle it on someone else's behalf. Generally speaking, a data controller is a person (or organisation) who determines the purposes for which, and the way in which, personal data is processed. By contrast, a data processor is anyone (or any organisation) that processes that personal data on behalf of the data controller. You can use the ICO website to check which you are.
A data processor is subject to fewer obligations under GDPR, but still comes within the remit of the regulation. For example, a data processor is required to maintain records of its processing activities, and carries legal liability if found to be responsible for a breach. Bear in mind that it is possible to be both a controller and a processor at the same time, for different processing.
At a practical level, if you work within a health and social care organisation, the controller is likely to be the organisation itself, with its Caldicott Guardian responsible for the confidentiality of patient information; some occupational health services, however, are joint controllers.
GDPR follows a “risk-based approach” to data security, a process that we within OH will be very familiar with, for example assessing risks and ensuring that the controls are in place. Here, then, are some steps you should take.
Carry out a data audit
You can only gauge how well (or badly) you are prepared for GDPR if you know how well you manage, process and store data currently. So the ICO strongly recommends that you carry out an information audit to map your data flows.
Figures 1 and 2 show two example data-flow maps, one for "Software as a Service" and one for human resources information, to illustrate the sort of things you need to consider. In essence, you need to establish what data comes into and goes out of your organisation, how it is stored and kept secure, how easy it is to access, retrieve and delete, and to what extent (if at all) consent has been given for the data to be handled in this way. Just as under the Data Protection Act, an information register is also required, recording the actual data types, where the data is stored, the reasons for processing and so on; the ICO again provides guidance on this.
Consent is one of the most important parts of ensuring compliance with GDPR, a point Rhodes also makes. Compared with the Data Protection Directive, GDPR sets stricter requirements for obtaining valid consent, especially consent for processing special categories of personal data such as health data. Article 4(11) of GDPR stipulates that "consent" of the data subject means an indication of the data subject's wishes that is:
- freely given;
- specific;
- informed; and
- unambiguous, given by a statement or by a clear affirmative action.
Bear in mind that consent in this context means the data subject is offered a genuine choice to refuse, with no repercussions for refusing. Diana Kloss in the workshop recommended that all occupational health professionals check the ICO's guidance on consent, which draws on the Article 29 working party's Guidelines on Consent under Regulation 2016/679. She further advised that these guidelines state that consent will not be considered freely given if the data subject is unable to refuse or withdraw consent without detriment. The working party's view is that consent is unlikely to be a valid lawful basis for processing where there is a clear imbalance of power between the employee (data subject) and the employer (controller).
However, as occupational health professionals our duty of confidentiality still applies, so we need to continue our current processes in relation to consent, but modify them to include advice on how to withdraw consent and the process to follow to do so. The GMC is revising its ethical guidance on consent and draft guidance will be released for comment in early 2018.
In practice, therefore, as Diana Kloss argued, to process sensitive health data occupational health practitioners will have to show either that we have explicit consent, or that (in the words of Article 9(2)(h)) our "processing is necessary for the purpose of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health and social care systems or pursuant to contract with a health professional and subject to the conditions and safeguards in paragraph". A further option, under Article 9(2)(j), is to show that "processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes."
One area where you may need to tighten up on is if you send out marketing information, perhaps a newsletter for clients or promotions or notifications. Under GDPR, you have to make sure people have actively consented to receive this information, including by the specific communication channel.
To that end, you will need to create and send out a consent form (the ICO again has examples on its website) that people can complete and return. This will normally be a digital form, often sent by email, in which recipients tick the relevant boxes (which must not be pre-ticked) and submit it back to you. If a recipient does not return the consent form, they have not consented, and you will need to stop sending them this information.
Register with the ICO
This is an area that has caused some debate: do you need to register with the ICO? To try to find out, I rang the ICO helpline and was advised that, under the Data Protection Act, individuals and organisations that process personal information are required to register with the Information Commissioner’s Office (ICO), unless they are exempt.
Anyone who is unsure should complete the ICO’s online registration questionnaire to decide if they need to register, either as an individual or on behalf of their business or organisation.
Be aware of privacy
An individual’s right to privacy and “right to be forgotten” are other important elements of GDPR, although privacy rights are, of course, also a key element of the Data Protection Act 1998. As stated earlier, if you’re compliant with the DPA, you should already be ticking these boxes. But the ICO suggests that nevertheless you should check the following:
- Right of access. You will (or should) already have a process in place to respond to an individual's request to access their data. The law under GDPR is very similar to the Data Protection Act, the main differences being that a data controller will have only a month to disclose the data held and can no longer charge a fee (a fee can be charged only for additional copies).
- Right to rectification and quality. This, in effect, means you will need to review your processes to ensure you have a process or system in place to ensure personal data remains accurate and up to date. For example, do you receive regular “starter, leaver and changes” so that you can archive records and keep names and addresses up to date?
- Right to erasure, including retention and disposal. Under Article 17, a data subject has the right to have data erased where, among other grounds:
(a) the personal data is no longer necessary in relation to the purposes for which it was collected;
(b) the data subject has withdrawn consent and there is no other legal ground for the processing;
(c) the data subject objects to the processing and there are no overriding legitimate grounds for it;
(d) the data has been unlawfully processed.
There are, of course, exceptions, some of which will be very relevant to OH. For example, we may refuse to erase data where processing is necessary for reasons of public interest in the area of public health, such as where a person carries a blood-borne virus or has an illness that is a threat to others. Even more important for us is the exception for the establishment, exercise or defence of legal claims.
For example, if as an OH doctor or nurse we have made a misdiagnosis and the individual asks for it to be erased, we can refuse, because the record is needed to defend our actions: erasing it would leave no account of the diagnosis or of its consequences. The record does, however, need to be annotated with a statement that the diagnosis was incorrect, so that it is accurate going forward.
Retention of occupational health clinical records
According to recent advice from the Information Governance Alliance (Department of Health) (2016), occupational health records should be kept throughout employment and for six years after an employee leaves, or until their 75th birthday, whichever is the sooner. If the records are needed to defend an actual or possible legal claim, you may be justified in keeping them for longer than that.
If health and safety legislation places you under a duty of statutory health surveillance, the record of the test is a health record rather than a clinical record. Some health records have to be retained for 40 years (and under the ionising radiations regulations for 50 years). Diana Kloss states that these health records should not be kept within the OH records but within the personnel record, because they are not confidential.
In this context, Diana Kloss advised that you prepare a schedule with a review date. Then, if the data is no longer needed, it may be securely destroyed. It should be noted that records can be kept for longer for research. GDPR also encourages the pseudonymisation of archived records.
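As an added example of such a retention schedule (written for this edit of the article; it is not code from the ICO, the IGA or Cohort Software), the following applies the periods quoted above to a small, constructed register and reports which records are due for review. The six-year and 75th-birthday rule and the 40- and 50-year surveillance periods come from the text; counting the surveillance periods from the date of the last entry, the pseudonymous record identifiers and the "legal hold" flag are this example's assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Retention periods as stated in the article.
CLINICAL_YEARS_AFTER_LEAVING = 6
CLINICAL_AGE_LIMIT = 75
# Statutory health surveillance records: 40 years, or 50 years under the
# ionising radiations regulations. Counting from the date of the last entry
# is this example's assumption; the article does not say from which date.
SURVEILLANCE_YEARS = {"coshh": 40, "ionising": 50}


@dataclass
class Record:
    ref: str                                 # pseudonymous identifier, not a name
    kind: str                                # "clinical", "coshh" or "ionising"
    date_of_birth: date
    left_employment: Optional[date] = None   # None while still employed
    last_entry: Optional[date] = None        # required for surveillance records
    legal_hold: bool = False                 # assumed flag: needed for a legal claim


def add_years(d: date, years: int) -> date:
    """Add whole years, folding 29 February onto 28 February in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def review_date(rec: Record) -> Optional[date]:
    """Earliest date on which the record may be considered for destruction.

    Returns None when no date can yet be set (still in post, or on legal hold).
    """
    if rec.legal_hold:
        return None
    if rec.kind == "clinical":
        if rec.left_employment is None:
            return None
        six_years_on = add_years(rec.left_employment, CLINICAL_YEARS_AFTER_LEAVING)
        seventy_fifth = add_years(rec.date_of_birth, CLINICAL_AGE_LIMIT)
        return min(six_years_on, seventy_fifth)   # "whichever is the sooner"
    if rec.kind in SURVEILLANCE_YEARS:
        if rec.last_entry is None:
            raise ValueError(f"{rec.ref}: surveillance record needs last_entry")
        return add_years(rec.last_entry, SURVEILLANCE_YEARS[rec.kind])
    raise ValueError(f"{rec.ref}: unknown record kind {rec.kind!r}")


def schedule(records: List[Record], today: date) -> List[Tuple[str, str]]:
    """Return (ref, action) pairs describing what to do with each record today."""
    out = []
    for rec in records:
        if rec.legal_hold:
            out.append((rec.ref, "retain: legal hold, re-check when the claim closes"))
            continue
        due = review_date(rec)
        if due is None:
            out.append((rec.ref, "retain: still in employment"))
        elif due <= today:
            out.append((rec.ref, f"review for secure destruction (due {due.isoformat()})"))
        else:
            out.append((rec.ref, f"retain until {due.isoformat()}"))
    return out


# Constructed register entries for illustration; these are not real people.
SAMPLE = [
    Record("OH-0001", "clinical", date(1960, 3, 10), left_employment=date(2015, 6, 30)),
    Record("OH-0002", "clinical", date(1950, 1, 1), left_employment=date(2024, 1, 1)),
    Record("OH-0003", "clinical", date(1992, 2, 29)),
    Record("HS-0004", "coshh", date(1958, 11, 2), last_entry=date(1985, 5, 1)),
    Record("HS-0005", "ionising", date(1945, 2, 28), last_entry=date(1970, 2, 28),
           legal_hold=True),
]

if __name__ == "__main__":
    for ref, action in schedule(SAMPLE, date(2024, 1, 1)):
        print(ref, action)
```

The schedule only identifies records that are due for review; the decision to destroy, and the secure method of destruction, remain a manual step, and a record on legal hold stays put regardless of its calculated date.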
Accountability of data and governance
Under GDPR, you are required to have in place a data protection policy, to audit your compliance and to review the effectiveness of your data handling and security controls.
There is also a new requirement to have a written data processing agreement within your contract with each of your data processors, for example the supplier of your occupational health software system. Article 28 of GDPR sets out what the contract must include, and it is hoped that in time standard contract clauses will be provided by the European Commission or the ICO, and may form part of certification schemes.
At the moment, however, no standard clauses have been drafted. Controllers remain liable for their own compliance with GDPR and must appoint only processors that can provide "sufficient guarantees" that the requirements of GDPR will be met and the rights of data subjects protected.
In practice, using a processor that adheres to an approved code of conduct or certification scheme will help to show that a controller has met this requirement. No GDPR-specific scheme has yet been approved, but existing standards such as ISO 27001 or Cyber Essentials are useful evidence of a processor's security practice, even though they are not GDPR certification in themselves. Processors must act only on the documented instructions of the controller. Processors also have some direct responsibilities under GDPR and may be subject to fines or other sanctions if they do not comply.
Toughen up on security
Data security, international transfers and breaches are a critical part of GDPR, and one question you need to ask yourself is whether you have a data security policy in place. For example, if you have a laptop, is it encrypted? How is your data backed up? If you back up to flash drives, are these encrypted too?
Do you or your business have effective processes to identify, report, manage and resolve any personal data breaches? ICO can again provide help here, but it is by no means the only source of information.
For example, I recently read a question on the closed Association of Occupational Health Nurse Practitioners' Facebook group about what type of container should be used to transport OH records in the car or on foot. The questioner was referred to the Faculty of Occupational Medicine's Ethics for OH Practice, which provides practical guidance on transporting records in a secure notes carrier.
GDPR is complex and everyone’s requirements will be different. To that end, it is important to stress that this article is not a legal opinion and nor should it be considered definitive. If in doubt, go to the ICO or get professional advice and support from a GDPR specialist.
YOUR GDPR CHECKLIST
- Go to the Information Commissioner's Office (ICO) website and download its resources, including its Guide to the GDPR
- Gauge whether you are a data controller or data processor
- Carry out an extensive data audit, including assessing what data you have coming in and from where, what data you hold and retain, how it is stored and how securely, and what data goes out
- Check with the ICO whether you need to register with it
- Tighten up your consent, security and privacy protocols
Sue Carty is an occupational health specialist with Cohort Software
Preview 2018: OH Legal & Professional Update, Thursday 8 February 2018, The @Work Partnership
UK Caldicott Guardian Council, ‘A Manual for Caldicott Guardians’ 2017
“Is your technology ready for GDPR?”, Occupational Health & Wellbeing, March 2018, vol 70 no 3