Data protection in occupational health: a guide

The growth of internet and mobile technology has made it all the more important to understand rules on data protection in OH. Lucy Wright, chief medical officer of OH Assist, offers guidance.

Data protection is a major issue in OH. The work we do depends on our patients trusting us and being comfortable that we are managing their data properly. Furthermore, the EU General Data Protection Regulation will replace the Data Protection Act (DPA) in 2018, introducing further legal requirements.

Society in general is becoming more data aware and that means that our patients are more inclined to be concerned how their records are being stored and the information that exists about their health conditions.

As a practitioner who has had to develop an interest in data protection, I was used to considering medical confidentiality. But the DPA covers more than medical confidentiality and it is important that all those of us who work in OH have an awareness of data protection regulation.

Any piece of data that could be used to identify someone (could be used, not is used) is considered as personal data – for example, name, date of birth, address, postcode, employee number, the identification number you may use in your records; all of these may be personal data.

The name John Smith on its own may not be personal data because there are a lot of John Smiths in the UK. But a more unusual name is likely to be unique and so allows that individual to be identified – hence it is personal data.

However, even if you can’t access or use it, if you hold other data anywhere else in your organisation that could be used to identify the specific John Smith, then even that common name will become personal data.

Medical and health information is classified as “sensitive personal data” and has to be held even more securely. There is a list of sensitive data in the DPA, but other data that OH may hold that is covered is also trade union membership, religion and sexuality.

It is important that you only give out personal or sensitive data to those who have a right to know it, so you should consider having processes to check who you are giving the information to and make sure they have a right to know it.

The law and sensitive data

The relevant legislation in the UK is the DPA. In OH, we are used to legislation that uses phrases such as: “reasonably practicable” and allows for a cost benefit assessment of implementation or action.

This is not the case with the DPA, as there is no allowance made for cost or difficulty in the legislation. Breach of the legislation is a criminal offence and we can be prosecuted as individuals (it isn’t common but it has happened).

The DPA is regulated by the Information Commissioner’s Office (ICO), which has the following powers and obligations:

  • to investigate any complaint;
  • issue on-the-spot fines of up to £500,000 (you have 28 days to pay);
  • hand out enforcement notices (which they publish on their website);
  • prosecute in court, where the fines are unlimited; and
  • prosecute individuals or companies.

The DPA requires every data controller (for example, organisation, sole trader) who is processing personal information to register with the ICO, unless they are exempt.

There are eight data protection principles and it is helpful to understand them. I have paraphrased to make them simpler:

Personal data:

  1. shall be processed lawfully (don’t forget there are laws other than the DPA that you also have to consider);
  2. will only be obtained for one or more specified and lawful purposes and won’t be further processed in any manner incompatible for that purpose (meaning only use the data for the reason you obtained it);
  3. has to be adequate, relevant and not excessive (do you ask for more information on a health questionnaire than you really need for the purpose of the questionnaire? When you ask for a medical report from a GP and they send you a copy, do you really need all that information?);
  4. should be accurate and kept up to date;
  5. must not be kept longer than is necessary (we have some guidance in relation to statutory medical assessment results, but we also need to consider the rest of the medical records and how long is reasonable for us to keep those – as the DPA doesn’t give us the answer we have to decide how long is right for the work we do);
  6. will be processed according to the rights of the data subject (this will be covered below in respect of their right to access their data);
  7. must be kept secure – not only from theft but from accidental loss and destruction; and
  8. should not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedom of the data subject (do you know where your IT servers are based and are you sure your emails are stored in the approved countries?).

In relation to the DPA, the ICO gives a list of when processing personal data is lawful and a further list of when you are allowed to process sensitive data.

You need to understand these and to check that you are always working correctly – don’t forget, the DPA does not just cover patients.

If you employ staff, it also covers their information, and the data of everyone that you hold for work purposes as long as you keep it in an IT system or a filing system where it can be easily retrieved.

Subject access requests

Individuals have the right to know if you are processing information about them and to see the data you hold on them; this is called a subject access request (SAR).

They have to ask in writing, but the way their SAR is delivered to you isn’t specified, so consider requests from email, Twitter or smartphone text.

Once requested, you must provide the data they have requested in 40 calendar days, so don’t delay. You have to give the data, not the actual documents, so consider if you want to transcribe it. But be careful, you must not leave any data out if it is covered.

Also be careful that you only give the right data, and not personal or sensitive data that belongs to another individual. Don’t forget that the data may not just be in your medical records –  consider recorded calls, emails and any other way you may be storing data.

The information required to be given in a SAR is laid out in the DPA and should be provided in an accessible form, so remember people with disabilities who may need it in a format other than the written word.

Incorrect SAR requests are the biggest cause of complaint to the ICO. Healthcare organisations are over-represented in the list of ICO monetary penalties, and even small organisations get fined.

A nursing home in County Antrim was fined £15,000 for not looking after sensitive data, and a GP surgery was fined £40,000 for accidently releasing confidential details of a child’s mother to her ex-partner when he used a SAR to access his child’s health records.

So what does this mean for us as practitioners?

  • Understand that the quality of your data protection is only as strong as the weakest link in your practice.
  • Take care with laptops and make sure they are password protected and encrypted.
  • Take care at home and make sure your records are confidential.
  • Be careful with paper records.
  • Track post.
  • Don’t use your own home laptops for any personal/sensitive data.
  • Only record relevant information – data held must not be excessive.
  • Only use personal data for the purpose for which it was obtained.
  • Anonymise data when possible.
  • Only access what you need to do your job.
  • If in doubt ask for advice (if you can, use a data protection officer or a lawyer).
  • Have processes in place to respond to a SAR.
  • If you run your own business, be sure your contracts with your customers and suppliers are clear about who controls the data and whether or not you are acting as a controller or a processor.

The future

In May 2018, the EU General Data Protection Regulation will replace the DPA, and despite Brexit negotiations it will apply to the UK. The GDPR will have a significant impact, so it is important to begin preparing now.

Please note, this article should not be construed as legal advice and is for awareness raising only. For full information about the DPA, you should visit the ICO website and use its guidance.

Dr Lucy Wright BMedSci BMBS FFOM PC.dp. is chief medical officer, company director and data protection officer at OH Assist.

ICO key documents

Key definitions of the Data Protection Act

Register (notify) under the Data Protection Act

Data protection principles

Data protection – Frequently asked questions about relevant filing systems

Data protection enforcement

Anonymisation: managing data protection risks code of conduct

One Response to Data protection in occupational health: a guide

  1. Avatar
    Norleen 20 Jul 2018 at 10:38 am #

    What is the new GDPR saying about OH reports and tests if a subject requests it to be withdrawn on leaving the employer who referred them to OH?

Leave a Reply