This month (May) is the first anniversary of the arrival of GDPR, the European Union’s General Data Protection Regulation. Dr Lucy Wright looks at how her occupational health firm, Optima Health, coped with the challenges brought about by this significant overhaul of how we need to keep, store, manage and protect data.
We’re now one year on from the introduction of the EU’s General Data Protection Regulation (GDPR). This article looks at what the last year has felt like for us at Optima Health, as an outsourced occupational health provider, in the snowstorm that hit us when GDPR came into force. There is no doubt that the idea behind the GDPR is one that we wouldn’t want to argue with – who doesn’t want data about us to be managed correctly?
As you will no doubt recall, GDPR came in on 25 May last year, without a lot of guidance, it has to be said. The guidance that there was related predominantly to financial services and marketing. There was very little even on general healthcare and nothing on occupational health, barring what Diana Kloss had done with the Faculty of Occupational Medicine (FOM). And the Information Commissioner’s Office (ICO) has no specific guidance for our sector.
About the author
Dr Lucy Wright is chief medical officer at Optima Health
In some ways, the run-up to GDPR felt like the run-up to the Y2K millennium bug, for those old enough to remember that, when at one minute past midnight on New Year’s Day we were all supposedly going to lose our electricity, the hospitals were all going to stop and the planes were all going to fall out of the sky. It felt like it was going to be like that. But of course the world did not end. Just like in 2000, we are all still here.
I would, however, say the world has changed. So, what did we do in our organisation?
Privacy and data management policies
First, we updated all our privacy policies – they’re the bit where it says “please read the terms and conditions” and we all just tick! But they are important.
We updated all our data management policies and procedures – and that was fairly complicated without guidance – but we did our best, again using the FOM guidance. We did lots and lots of training for our staff. We trained them under the previous Data Protection Act anyway, because they are healthcare workers and they have ethical confidentiality duties. So we just kept on training.
Subject access requests
Second, we revised our subject access request (SAR) process, which is the process for when people want to see their records. Even before last May we were down to the one month that it is now, rather than the 40 days that it was pre-GDPR. A very useful phrase, that: “one month”. How long is a month? Do they mean a calendar month, or even 28 days? (The ICO’s guide reads it as a calendar month: the corresponding date in the following month, or the last day of that month if there is no corresponding date.) We work to 28 days because it is safer, because of February, so we always come in slightly under the limit.
Breach reporting
Third, we updated our breach reporting process. In all the years we have been working we have never needed to report a breach to the ICO, and suddenly the rules have changed. Before, you had to “consider” whether you reported – it was voluntary reporting – whereas now reporting is compulsory for certain types of breach. And you’ve got 72 hours to do it – if you are a controller, which I will come to shortly.
Contracts with suppliers and customers
Fourth, we updated our contracts with our customers and our suppliers, and that is no small job when you are a decent-sized organisation as we are – we employ about 750 staff. That was a lot of work.
We received hundreds of questionnaires – actually it was probably more than that; it felt like a veritable snowstorm – from our customers, our suppliers, everyone, it felt like. It got to the stage where we couldn’t reply individually to all of them; there were just too many.
So we wrote a position document for all our suppliers and customers and said “here you go, take this”. At one time I had six people plus a lawyer trying to answer all these questionnaires before we drew a line under it.
Key issues and challenges
What have been the key issues and challenges for us? There have been seven main ones.
1) Controller versus processor. The big one for us has been: are we the controller of the data we hold for our customers? Or are they the controller and we’re the processor? Or are we joint controllers?
Our in-house lawyer has one view – and it is shared by Diana Kloss – because he knows about occupational health. We have two external sets of lawyers who disagree. We have probably 90% of our customers who agree with us, and we have 10% who don’t, who agree with the other lawyers.
Just for clarity, we believe we are the processor of the information, and that our customers are the controllers. However, that is not clear, and there is some very unhelpful guidance around healthcare which lawyers who do not understand occupational health roll out to tell you that you are a controller.
This is important because the person who reports the breach is the controller. The person the SAR goes to is the controller. So, if I am a controller, I have 28 days to respond to an SAR. If I am the processor, the controller has 28 days to respond. That means I have less time to give them the information that I am holding on their behalf, so that they can hand it back to the person who asked.
2) The fines. The question of the fines under GDPR is, naturally, an important one. We have had some corking contracts sent through to us by our customers.
My organisation specialises in large companies. We are 750 staff strong – that’s biggish. But we’re not big compared to, say, an international very well-known manufacturer which sent us a contract that said we were responsible for all their fines.
The maximum fine under GDPR for a breach is four percent of your global annual turnover (or €20 million, whichever is higher). And quite frankly we laughed – we said “shall we just all go home now?”. We don’t make that in 40 years, let alone being able to pay that as a fine.
So it is really important, if you are running your own occupational health service, that you check what the contracts are saying now about who pays the fines. Because your annual turnover is very different, probably, to your customers’ annual turnover.
3) Role of consent. We got the issue of potential fines sorted, and that took a few months. We then moved on to “what do we mean by consent?”. There are various different lawful bases under GDPR on which you are allowed to process data.
One of them is explicit consent. Thankfully, the guidance from Diana was very swift, along the lines of “don’t be stupid”. Because that would mean that at any point people can revoke consent and you’ve got to stop handling and storing their data. It has to go the minute they say. If that were the case, occupational health wouldn’t be able to function.
Then there is the basis of processing being necessary for a contract. We have a contract with everybody we provide the service to, and they have a contract with their staff. Occupational health falls under that, and it is also a basis for processing data, so we don’t need to use explicit consent. We then had customers coming to us and saying, “when our staff refuse consent for a report to come out, because of GDPR don’t accept that and send the report anyway”.
This confusion is still leading to numerous conversations with data protection officers, in which we explain that the requirement under the GMC, the NMC and other professional organisations is that, as healthcare workers, we work with explicit consent. I’d advise, if you have that problem, Google “Diana Kloss FOM GDPR”. She has a lovely article on it, which I now have saved on the hard drive of my computer, and I post it off to them. They stop arguing at that point, in my experience.
4) Increase in SARs. This has been absolutely massive; and it is becoming very onerous to deal with. It is costing us a lot of money but we cannot charge any more. And it is not just affecting occupational health. My husband is a GP, and it is now taking him 12 hours a week to read through SARs to make sure the data is correct before it goes out.
That is one GP now doing a day’s less work clinically because he is just doing SARs. When I talk to colleagues who run their own practices, it is really common. We’ve had to recruit extra staff to deal with the SARs that we are now getting.
5) Lack of case law around breach reporting. There are some guidelines out about what you need to report as a breach. However, there is no case law and the ICO has not prosecuted anyone. So we don’t know. Because we have agreed that we are the processor, we don’t report any breach that we may cause to the ICO; we report it to our controller and they make the decision as to whether they report the breach or not.
We have been advising them, because obviously we deal with healthcare records all the time and we know the type of issue. But most of them are acting I would say in a very risk-averse manner. To date we have had four breaches that our customers as controllers have decided to report – we’re not proud of them but you will all recognise them: reports going out accidentally without consent. It happens and has been a case of individual error each time and people are very apologetic. But to put that into perspective, my organisation does over 15,000 assessments a month.
Each time we have gone to our customers and have said “we don’t think this is reportable” and they have chosen to report the incident. And each time the ICO, thank goodness, has come back and said “thank you very much but we don’t think that is reportable”.
Therefore, just to let you know, you can make a judgement and decide not to report. But be sure whether you are the controller or the processor before you do that. Incidentally, we’ve had one or two that we have had to do over bank holiday weekends, because the 72 hours does not take account of public holidays. I am happy to say that not only did we do a table-top test, but we also did an actual test and it works, so it is nice to know that (although I would have preferred not to find out for real).
6) Increase in employee complaints. We have received an increased number of employee complaints relating to data management. We all know that the people who put in SARs are often the ones who are in conflict with their employers. Most of us don’t care what our employer holds about us – good luck to them. It is going to be pretty dull. My appraisals for the last 20 years? You’re welcome to them. I will only need them if I’m in an argument with you.
Complaints about SARs are normally one more stick with which to beat us and the employing organisation. But, again, these are now coming more frequently. The complaints come in: they don’t like the practitioner’s manner, they don’t like the opinion that the practitioner gave, and then it always finishes with “oh and… I don’t think you’re handling my data correctly. And I’m going to the ICO.”
We have many more ICO-reported complaints from patients than we have ever had before. Not one of these has been upheld. But you’ve still got to deal with them; you have still got to have an investigation; and unfortunately, they have still got to go on your ICO file.
7) Keeping and transferring medical records. Then there is the whole question of keeping medical records, since the transfer of medical records when contracts move has now become quite complicated.
We’re still working under the premise that Diana has advised: that you work on the “exceptions” or “opt out” rule. You let everybody know that the records are going to move to a new provider, and they have the right to register an objection and opt out of that move. And if they don’t the records go. We are still doing that.
We are, however, now having problems with some data protection officers and some lawyers we are dealing with who are saying “no, no, no, it is absolute consent”; it is opt-in.
And it can’t be. Because if you got a note on a busy day, when everything was kicking off at work, that said “would you please write back saying you consent to your occupational health records being moved”, even we as OH professionals – who are interested in occupational health – probably wouldn’t sign it! There is not a chance that a tanker driver, a school teacher or a police officer is going to sign that; they are just not.
The faculty guidance still says opt out, and that’s what we’re going with.
Where are things now?
So, what does it feel like now? Well, it is settling down. It is still a bit frenetic. We are still getting lots of contracts, lots of questionnaires. Some of them are so late that you think “were you awake last May?”. We are now out of the blizzard and into, I’d say, the pretty, delicate snow flurries.
I also have to say I don’t think the OH patient experience is any better for this at all. In fact, I think it is worse, because there are a lot of organisations now pushing their staff by saying you do not need to give consent – we don’t need consent to refer you, we don’t need consent to get the nurse to see you, we don’t need consent for the report to come to us. So I don’t think the patient experience is better at all.
GDPR has been expensive, and I am not talking about the threat of ICO fines, as most of us probably will never be on the receiving end of one of those.
But the sheer volume of work that is required to comply with this legislation is huge. And some of it is still ongoing. I’m not going to tell you that we have all our data mapping fully in place – we haven’t. We have some of it in place and have a big project on to do the rest: where does our data go, who holds it, where is it held? We are an organisation that delivers occupational health in almost any way you could think of. So our data is held in almost any way you could think of. And it is a big job.
It is still really difficult to get solid advice on specialist issues. We’ve had conversations with three lawyers, not counting Diana. And the opinions tend to be divided 50/50.
One intriguing observation is that I have not had nearly as many requests for data deletion as I expected. I’ve had three, all of which I have turned down on the grounds that the GMC and NMC and the professional bodies say we have to keep a record of any consultation we hold. I’ve also so far not had any data portability requests, not one.
Finally, it’s all about the time this takes. I am the chief medical officer of my organisation. Yet now, post-GDPR, I probably spend 60% of my time doing the medicine and 40% of my time doing data – and that can’t be a good use of professionals’ time.
But that is the way the world is at the moment.
Where to go for help on GDPR
Guide to the General Data Protection Regulation (GDPR), Information Commissioner’s Office, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/
Guidance on the General Data Protection Regulation, Faculty of Occupational Medicine, http://www.fom.ac.uk/professional-development/publications-policy-guidance-and-consultations/guidance/guidance-on-the-general-data-protection-regulation