Data Protection for small healthcare organisations. (*re-edited March 2018)


Hello, I'm Robert Parker and I'd like to welcome you to today's webinar from the ICO, which is entitled "Data protection now and in the future: an introduction for small organisations in the healthcare sector". You'll be hearing from Lauren Earith and Liz McKay, who are from the ICO's assurance department. They'll be taking you through the slides and, including questions, we expect the session to run for around 40 minutes.

The slides and the notes from this webinar will be available on our website from tomorrow. Now, if you're not able to stay with us throughout, a recording of today's webinar will be available on the website by close of play tomorrow. Regarding questions, please would you submit your questions as they occur to you throughout the presentation, and I'll put the most frequently asked to Lauren and Liz. So I'd like to now
hand over to Lauren.

Thank you Robert, and welcome to our webinar today. The webinar is going to cover the following key objectives: we're going to help you understand the work that's done at the ICO, give you a basic understanding of the principles of data protection, give you a basic introduction to the General Data Protection Regulation or GDPR, and we're going to highlight some of the key risks to privacy compliance for health sector organisations.

Firstly, just a bit about the work of the ICO. Hopefully you'll be aware of us already and that we are the regulator of the Data Protection Act and the upcoming General Data Protection Regulation or GDPR from May 2018, amongst other things, but just to give you some background information. We have approximately 400 staff overall, including some small regional offices; our main office is based in Wilmslow in Cheshire and, as I mentioned, Liz and I are from the assurance department. We carry out audits of larger organisations such as NHS trusts, police forces and local councils, and we also conduct one-day advisory visits to charities and smaller organisations, as well as carrying out information risk reviews, which are a more detailed review of data protection processes. As well as all this, we occasionally conduct one-day workshops to try to focus on data protection related issues in order to help raise awareness of compliance.

The ICO's role is to encourage good practice, assess eligible complaints, advise individuals and organisations and take appropriate action where legislation has not been complied with. Really the role of the ICO is twofold: it's to educate data controllers on their obligations and protect the rights of individuals. As well as promoting good practice and providing advice, the ICO carries out enforcement work, which is more the punitive side of the ICO's role as a regulator. Reported breaches are investigated and appropriate enforcement action is taken. The specific actions that our enforcement team can take following investigation of an information security breach include: issuing a civil monetary penalty notice, which could lead to a fine ranging up to five hundred thousand pounds; issuing an enforcement notice, which is a formal notice requiring an organisation or individual to take the actions specified in the notice in order to bring about compliance with the Act and related laws, and failure to comply with this is a criminal offence; and finally, to request an undertaking from the organisation. A formal undertaking can be given by an organisation to the ICO committing the organisation to a particular course of action or otherwise achieving compliance.

The requirements under the GDPR for breach reporting by data controllers and processors have been strengthened, and it introduces a duty on all organisations to report certain types of data breach to the ICO within a 72 hour time frame. In addition there will be a two-tier sanction regime introduced, and fines will be significantly enhanced for more serious breaches. Finally, the ICO also provides advice on a case-by-case basis via our helpline, as well as investigating written complaints from the public about organisations.

Before we go into
the finer details of data protection law, I'd like to pause and reflect on the possible impact of personal data breaches. The slide on display depicts a real case example from 2013: an insecure Yahoo email account was used by a doctor's surgery for communicating with patients about smear test appointments and results. The email account was hacked. Put yourself in this position: how would you feel if you were one of the patients affected? If it was your organisation's email that was hacked, how will it affect your practice? How will this affect your patients? This is just one example from many demonstrating why data protection is important for everyone.

The basis of data protection centres around personal data, but what is personal data? The Data Protection Act or DPA defines personal data as data which relates to a living individual who can be identified from that data, or from those data and other information which is in the possession of, or likely to come into the possession of, the data controller. Like the DPA, the GDPR applies to personal data; however, the GDPR's definition is more detailed and makes it clear that information such as an online identifier, for example an IP address, can be personal data. This definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations now collect information about people. In addition, personal data that has been pseudonymised can fall within the scope of the GDPR.

What about sensitive personal data? What kind of data would be classed as sensitive personal data under data protection legislation? Under the DPA, sensitive personal data is data concerned with racial or ethnic origin, political opinions, religious beliefs or other beliefs of a similar nature, trade union membership, physical or mental health or condition, sexual life, the commission or alleged commission of any offence, or any court proceedings or sentence relating to any offence committed or alleged to have been committed. Interestingly, financial information is not defined in the Act as sensitive personal data; however, in this day and age many people would class it as such. Under GDPR sensitive personal data is known as special categories of data. These categories are broadly the same, but there are some minor changes: for example, the special categories specifically include genetic data and biometric data where they are processed to uniquely identify an individual. Personal data relating to criminal convictions and offences are not included, but similar safeguards apply to its processing.

So how does data protection relate to you? Protecting people's information rights and personal data is a frontline service,
taking a positive approach to your responsibilities will benefit your organisation as well as helping you to comply with data protection legislation. Therefore it's important to understand the benefits of getting it right and the implications of getting it wrong. For your organisation, the benefits of doing it right include: it will help your organisation to comply with its legal obligations under information rights law; it will save your organisation time, effort and money; information is a key business asset and, if managed properly, it will help your organisation to achieve its business objectives; and good data protection practice builds up good relations and trust with the people you deal with and the public as a whole. The impacts of doing it wrong could include financial and reputational cost: a data breach can be expensive to put right and will reduce public and customer confidence in your organisation, and you may receive a monetary penalty from the ICO.

Data protection legislation also gives individuals rights concerning their personal data and the processing of such data. Although we won't be going into this aspect in any great detail today, it's important to understand that the legislation does include these rights for individuals as well as requirements for organisations. It's important to make sure everyone in your organisation understands the importance of information rights and their own responsibility in delivering them.

Now, this might seem an obvious statement, however for clarity: data protection legislation applies to a particular activity, processing personal data, rather than to particular people or organisations. So if you process personal data then you must comply, and in particular you must handle personal data in accordance with the data protection principles. Broadly, if you collect or hold information about an identifiable living individual, or if you disclose, use, retain or destroy that information, you are likely to be processing personal data. The scope of both the current Data Protection Act and the upcoming GDPR and Data Protection Bill are therefore very wide, as they apply to just about everything you might do with individuals' personal details.

We are now going to move on to talk in more detail about the
principles of data protection. The Data Protection Act of 1998 has eight principles. Principle one: personal information must be fairly and lawfully processed. Principle two: personal information must be processed for specified purposes. Principle three: personal information must be adequate, relevant and not excessive. Principle four: personal information must be accurate and up to date. Principle five: personal information must not be kept for longer than is necessary. Principle six: personal information must be processed in line with data subjects' rights. Principle seven: personal data must be secured. And principle eight: personal information must not be transferred to other countries without adequate protection.

This slide shows you the new GDPR principles. Personal data should be processed lawfully, fairly and in a transparent manner; it should be collected for specified, explicit and legitimate purposes; it should be adequate, relevant and limited to what is necessary; it should be accurate and, where necessary, kept up to date; it should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which those data are processed; and processed in a manner that ensures appropriate security of the personal data. As you can see there are obvious similarities with the existing DPA principles we've just talked about; however, there is a new requirement for all data controllers to be able to demonstrate their compliance with the new principles. This is centred around accountability. Basically, the GDPR requires you to show how you will comply with the principles, for example by documenting the decisions you take about a processing activity. So
moving back to the principles under the Data Protection Act, we're going to go through them in a little more detail, starting with principle one: personal information must be fairly and lawfully processed. Now, we can break this principle down into two parts. Firstly, let's think about fair: processing must be fair. You should have legitimate reasons for collecting and using the data; you should be transparent about how you'll use the data; handle the data in a way that will be reasonably expected and not use it in ways which would have an unjustified adverse effect on the individual. This can be achieved through the provision of fair processing information, also known as privacy notices, which identify the data controller, the purpose of processing and any other relevant information. Personal information must also be lawfully processed, so all processing must be done in line with requirements within the legislation, plus any other sectoral legal or regulatory requirements, your contractual requirements and any duty of confidentiality.

So, the often neglected second principle. This principle is closely linked to the first principle, in that it also aims to ensure organisations are open about their reasons for obtaining personal data and that what they do with the information is in line with the reasonable expectations of the individuals concerned. If an organisation intends to use the data it holds for purposes other than what it was collected for, they should inform the individuals concerned. To give an example, if a GP disclosed patient lists to his wife, who runs a travel agency, so that she can offer special holiday deals to patients needing recuperation, disclosing the information for this purpose would be incompatible with the purposes for which it was obtained.

We're now going to look at the next few principles in a little more depth. Together known as the information standards or data standards principles, they seek to regulate the amount of data collected about a person by an organisation, the quality of that data and how long it is kept for. Our view is that organisations should be striving to do this in any event, as if you're guided by these principles you can increase efficiency and reduce cost.

The next principle states that personal information must be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed. Under GDPR this is very similar, in that personal data should be adequate, relevant and limited to what is necessary. Think of this as the Goldilocks principle: the data collected should be just right. Too much risks an invasion of privacy; too little risks ill-informed or poor decisions being made which can affect that individual. This process is also referred to as data minimisation. So if we break this principle down into its constituent parts, and we'll carry on with the three bears analogy: firstly, personal information must be adequate. This is about having enough information to fulfil your business need. So to give an example, one of the purposes for which you might collect personal information is for treatment for a bad back; if an individual has now, or has in the past had, a manual labour-intensive job then you'll need to know their career history. However, if you were treating a patient for an ingrown toenail then you may not require a record of their full career history to carry out the treatment. Personal information must be relevant; this depends on the individual case. Examples of information collected could include a home telephone number, a star sign, political affiliation, religious beliefs; how about if a family member's information is collected as the next of kin? Think about your justification for collecting information on a case-by-case basis. And information must not be excessive; this relates back to the point I made earlier about data minimisation. So if your office or medical centre has visitor protocols in place that require the capture of personal data relating to those visitors, such as biometric fingerprints, consideration should be given to the type of data collected, how much data is held and how long data is being retained for.

So to recap on the third principle: the data collected should be just enough to fulfil the purpose for which you've collected it. You should be able to justify why you need to have all the separate pieces of personal data about each person, and information shouldn't be held just in case it might be useful at some point in the future. Now, there are clear business benefits to this principle: by minimising the data you hold you make it easier to locate relevant information and cut down on the need to store data, as well as reducing the burden of responding to a subject
access request.

Moving on to the fourth principle. This is possibly the most complicated of the ones we're going to look at, but it's so short it doesn't seem like it at first. In fact, this principle in both the Data Protection Act and the GDPR is the same: personal data shall be accurate and, where necessary, kept up to date. So let's break this principle down. Personal data has to be accurate; so what do we mean by this? The term accuracy is not defined in the Act, but it does say that data would be deemed inaccurate if it is incorrect or misleading as to any matter of fact. And what does the Act mean by a matter of fact? This will be something you can demonstrate to be true, as opposed to someone's opinion or belief, so for example a date of birth or an address. To give an example here: if a patient moved house within their local area and the record at the health centre says they still live at the old address, then that record would be inaccurate as a matter of fact. However, if the record says they used to live at the old address, then it will be accurate. I would note here that there is an expectation on the individual to ensure that their personal information is kept up to date, so the need for the organisation to take reasonable steps to verify the accuracy of the information will depend on the importance of the information and the impact that getting it wrong would have. For example, an HR department processing a job application for external candidates would need verification that any candidates had actually held the required essential job qualifications they listed on their application form, whereas they would have less need to check whether the details about a summer job held twenty years ago are correct.

Data must also be kept up to date; however, it may become inaccurate over time, for example if a patient receiving care moves address or changes their contact number. Organisations are expected to carry out periodic checks to ensure that data is up to date, although clearly, as I said earlier, there is some expectation on individuals to inform organisations where personal data has changed. And information must only be kept up to date when necessary, so where it's necessary for information to be up to date; for example, if the patient subsequently migrates abroad it may then no longer be necessary to continue to update that information. There are some situations where it is legitimate to hold information which is no longer correct. An example here could be if a mistake was made: so if a member of staff was disciplined for an incident they later turned out not to have committed, this would still be an accurate record of the events that took place and would need to be retained; however, the notes should make clear that the discipline was an error.

And as an organisation, what should you do if accuracy is challenged? Firstly, you should investigate and, if you agree, correct the information or mark it on the record as a mistake. It's always good practice to ask for evidence if possible and carry out checks to verify at this stage. Under current legislation there is no right for an individual to require you to delete information they believe is inaccurate, but they can apply to a court to do so. Then, if you disagree with the initial challenge, it's good practice to record the fact that it has been disputed.

Now moving on to look at opinions under principle four. Opinions about individuals are personal data; however, generally opinions cannot be challenged under the fourth principle. For example, if a patient doesn't agree with the comments of a health professional in the medical record concerning their condition or diagnosis, the patient is unlikely to be able to challenge the accuracy of the data under the fourth principle. The disputed data will be the view of the health professional who took the notes and is therefore an opinion about the patient's medical condition or diagnosis. Professionals' opinions are often an area of contention; sometimes an individual may ask for an opinion or diagnosis to be deleted because they disagree with it. However, if the record accurately reflects that professional's opinion, then it will remain accurate. An example of this may be if the patient's medical records from their doctor say they have depression, but they don't agree, so they write to said doctor to challenge this. However, this was the doctor's opinion at that particular time and the records actually accurately reflect this; the doctor can simply put a note on the patient's record to say they don't agree. As we've already said, according to the legislation the data is inaccurate only if incorrect or misleading as to any matter of fact.

We're now going to look at
the fifth principle. The fifth principle states that personal data processed for any purpose or purposes shall not be kept for any longer than is necessary for that purpose or those purposes. Now, the law doesn't provide any interpretation of principle five, nor does it set out any maximum or minimum retention period. There are, however, certain considerations that organisations must take into account when setting retention periods. First of all, any judgment about retention of data should consider: any statutory requirement to retain the information; any industry guidelines or standards; the value of that information; the risks of retaining the information; and the need to keep the information accurate and up to date. The potential risks of retaining the information too long could include: if it goes out of date, the wrong information could be used in error; the more time passes, the more difficult it may be to ensure the accuracy of the information; and it could mean more work in responding to a subject access request. Information that's kept for longer than necessary is also likely to be excessive or irrelevant, and may be inaccurate as well, so there may be issues with principles 3 and 4. However, you must take care not to delete the data too soon, as it may risk breaching principle 3: personal data must be adequate. The fifth principle applies there to prevent you from retaining personal data without good reason. Any personal information that has become redundant should be deleted, but any deletion needs to be done securely; for example, you can't just chuck it in the bin, it needs to be shredded, and this links into the principle of information security. Some organisations have automatic systems set up to delete types of electronic personal data after a set period. Information that's kept for historical, statistical or research purposes can be kept indefinitely; this is known under current legislation as the section 33 exemption. It can be kept for these purposes as long as it isn't used in connection with decisions about an individual or in a way that is likely to cause damage or distress. However, if the information is no longer needed for the purposes then the exemption won't apply and it should be deleted.

The sixth
principle relates specifically to the rights of individuals, namely: the right to know who will see and use their personal data; the right to know why their data has been collected and what it will be used for; the right to have copies of all their personal data that has been processed or held; and the right to have any codes or jargon within provided copies of their personal data explained to them. The first two rights can be fulfilled by organisations through the implementation of controls such as fair processing notices and privacy policies, and the second two relate to subject access requests. However, under GDPR individual rights, including subject access, are not covered within the principles; in GDPR, instead, they are covered under separate articles. The main rights of individuals under the GDPR will be: subject access; to have inaccuracies corrected; to have information erased; to prevent direct marketing; to prevent automated decision-making and profiling; and data portability. On the whole, the rights individuals will enjoy under the GDPR are the same as those under the Data Protection Act, with some significant enhancements. If you're geared up to give individuals their rights now, then the transition to the GDPR should be relatively easy.

One of the key rights of individuals under both the Data Protection Act and the GDPR is the right to access the personal data an organisation holds about them. This is called a subject access request, or SAR. The requirements under the current law for data controllers are as follows: you have 40 calendar days to respond to a SAR, even if nothing is held; if you do not have clear, effective procedures in place, with responsibilities assigned, it will be challenging for you to meet the deadlines; you must provide copies of the information in permanent form, however you do not necessarily need to provide the originals; and you must provide all copies held at the time of the request, regardless of whether they're scheduled for deletion. The subject access request process itself puts certain requirements on the requester, namely: requests must be in writing, however the request itself doesn't have to specify or name the Data Protection Act specifically; requesters should provide proof of identity so that the data controller can verify who is making the request; requesters could be required to pay an administration fee, which is normally 10 pounds and can be up to 50 pounds for manual health records; and the data controller can ask for clarification of a request, more information, or the fee if this has not been provided initially, and this stops the clock in terms of time for the data controller to respond. The rules for dealing with subject access requests will change under the GDPR; however, the main change is that in most cases an organisation will not be able to charge for complying with a request, and under normal circumstances an organisation will have just a month to comply rather than the current 40 days.

Moving on now to the seventh data
protection principle. This principle focuses on information security. It states that personal information must be secured: organisations should have appropriate technical and organisational measures in place to protect the personal data that they handle. So why does information security matter? Getting information security wrong can have both financial and reputational implications for the success of any organisation. It can also cause damage or distress to an organisation's service users, patients or customers. As also seen in the recent WannaCry ransomware virus incidents that hit many NHS organisations, it is extremely important to apply the correct resources, checks and balances in this area to avoid the reputational and financial risks that were realised in this recent attack. The slide states some examples of the harm that could be caused by the loss or abuse of personal data. These could include: lost or misfiled patient test results, where follow-up medication should have been prescribed but was never delivered, which could present a threat to life or well-being; patient records related to sensitive issues being disclosed, with possible serious implications; or the lack of availability of vital patient data in an emergency situation. Not all breaches are as serious as this, but many can still cause embarrassment and inconvenience, and people are entitled to protection from that as well. Advances in technology make the processing of personal data in bulk much easier, but also increase the potential harm that can arise from mistakes. For example, thousands of records can be stored on a single memory stick, which is small, portable and therefore easy to lose; in the past it wouldn't have been physically possible for an employee to carry that much personal data around with them.

We would like to draw your attention to a particular case where the ICO issued a civil monetary penalty and where the risks of poor information security controls were highlighted. This breach occurred in March 2012 when the website of the British Pregnancy Advisory Service, or BPAS, was attacked. The attacker used an automated tool to identify website vulnerabilities; these tools are widely available on the internet and target well known vulnerabilities and poor website coding practices. The BPAS website enabled users to request a callback for advice by completing a web form with contact details. Unknown to BPAS, the website retained a copy of the callback details unnecessarily, and this was available to the attacker after he gained access to the website's content management system. Fortunately, the attacker was not able to publish this information, which was recovered by police. BPAS have now removed the callback details from the website and taken substantial remedial action to ensure that this security breach will not be repeated. This incident was deemed to be a breach of the seventh principle; in particular, BPAS failed to take appropriate technical and organisational measures against the unauthorised processing of personal data stored on the website. In addition, the breach was of the kind likely to cause substantial damage or substantial distress: users of the website could have been caused distress simply by knowing that their personal data had been accessed by the attacker and by the concern that the data may have been further disclosed. How would you feel if this was your data? How would you feel if you had been responsible for the breach? How would this affect your organisation? How would this affect your clients or service users?

It's important to be aware that the data protection principles interconnect. This means that failure to comply with one of the principles can lead to problems with the others. For example, failing to keep information up to date when circumstances change may cause information that was originally adequate to become inadequate; keeping information longer than necessary may mean that the information becomes irrelevant or excessive. All these can have an effect on the principle which relates to the security of data. Without maintaining the quality of the data you process, you are not only likely to breach one of these principles, but in addition your organisation will be run less efficiently, you'll be wasting money and causing reputational damage. Some key questions to ask yourself when you start any new process or are reviewing an old one: why was the information collected in the first place? Have you defined the purpose for which you are collecting it? What information do you need to fulfil that purpose, or are you collecting just the right amount? How long has it been, or needs to be, held for? How will you ensure that the information is maintained and is up to date? You should regularly check the quality of the personal data you hold, correcting any inaccurate records, removing irrelevant ones and updating out-of-date ones. It may not always be practical to check the quality of every record you hold, but it should at least be possible to
check a sample.

Okay, well thanks very much, we've got a few questions, and thanks very much to everyone who's submitted one. Just in case anyone missed the beginning of the recording, it will be available on our website along with the slides and the speaker notes from tomorrow. Anyway, back to the questions; there's a few we can go through now, so here we go.

Will small individual dental practices, for example, need a Data Protection Officer?

It's not a formal requirement of the GDPR for small organisations, but they should ensure that responsibility for data protection is being assigned to a suitable person within that organisation.

Okay, thank you very much. Another one: how does the right to be forgotten under GDPR work with healthcare information?

In relation to healthcare information, if it's required to be held under a statutory or legal requirement it can't be deleted, so only under certain conditions can information be deleted. There is a lot more information about the right to be forgotten available on our website, and we are going to be covering GDPR in more detail on our workshops, and I can give you a lot more information about that at the end of the session, so there will be more information about the workshops.

One of the questions actually did ask for a recommendation, an ICO recommendation, on a training provider, and unfortunately as regulator we can't offer a recommendation, but we are doing these sessions ourselves and our website will be regularly updated with more information, so I'm afraid that's the best I can do in terms of a direct steer on a training provider, but we know there are plenty and many of them are excellent.

A couple more questions. Does physical or mental health include all records of a medical nature? That's a short answer: that's a yes. Okay, good. And we have a slightly longer question: I work in schools as a speech and language therapist. I'd like some guidance on how long I should retain case notes for students that I've discharged. Is it reasonable to destroy discharged case notes after two years or when they leave school, whichever happens sooner?

So we've touched on this point briefly earlier when we talked about the fifth principle, and the Data Protection Act doesn't provide any interpretation; it doesn't set any maximum or minimum retention period. We would say that it's a judgment in relation to retention, and that judgment should consider any statutory requirement to retain that information, any industry guidelines or standards, the value of that information and the need to keep it accurate and up to date.

Okay, that's enough questions for now; hopefully there'll be a few more before we finish, but I'll
hand back to Lauren Alice thank you so moving on to talk a little bit more
about the General Data Protection Regulation. It might be reassuring for people to know that many of the definitions and the principles in the GDPR are broadly the same as those in the DPA. If you're currently subject to the DPA, it's highly likely you'll be subject to the GDPR. However, there are some notable changes, particularly in relation to an organization's obligations as a data processor, as data processors now have certain data protection obligations under the GDPR. As discussed previously, the broad definition of what constitutes personal data remains the same; however, the definition under the GDPR is more detailed, and sensitive personal data is referred to as special categories of personal data. These are classified the same as under the Data Protection Act, with the addition of genetic and biometric data that is processed to uniquely identify an individual.

Now moving on to key risks for you as small and medium-sized enterprises in the health sector, and some of the main compliance areas within the legislation. These risks have been identified using the work that our assurance team has carried out over the past few years within the health sector, with various types and sizes of organization.

So, thinking about the information security risks to an organization: system access is one of the key risks that arises within the work of assurance. Think about if employees leave your organization and they're not removed from a system: they could potentially still have access to personal data, and disgruntled ex-employees are a common security threat. Think about clear desk policies: if paper records are left out on a desk, that could lead to the risk of unauthorized individuals obtaining knowledge of a person's medical condition or other personal information. If service users are local to the area, you could be responsible for someone overseeing that information, which could lead directly to a serious complaint. Encryption is an absolute must; without it there is no excuse if a breach were to happen. A stolen laptop is relatively inexpensive, but if sensitive data can be accessed on it you may be facing a hefty fine. And if your service users come to your premises for treatment, you need to ensure that they are unable to obtain anyone else's information, so think about the physical security protocols that are in place in your premises. How would you know, for example, if a file was removed from the premises by a member of the public? It's essential to ensure you have password security procedures in place. Another key risk we've identified is a lack of effective security incident monitoring or reporting, so think about how you or your staff would know how to identify and report security incidents. Sorry about that.

So here's a very recent example of a data breach to highlight some of the key risks we've just discussed. This was a Bupa data breach which affected 500,000 insurance customers and was reported last month. In July, Bupa disclosed a data breach whereby an employee inappropriately copied and removed information relating to 547,000 international health insurance plan customers. Customers with domestic health insurance were not impacted, but UK customers may have been affected if they purchased plans for use while abroad. The information stolen included names, dates of birth, nationalities and some contact and administrative information, but not any financial or medical data. There are obvious questions to be asked in this case around the appropriateness of the access controls that were in place, the use of any removable media and any proactive security monitoring that was taking place.

Manual records pose a particular risk, as it is very easy for paper files to be misplaced, lost or removed. Without systems in place for logging and tracking manual records, these records could be lost while being moved from one area of an organization to another. In some instances organizations have not known when a record has gone missing, or even if they had it in the first place. Without secure storage areas for records there is a risk of records being lost, damaged, inappropriately disclosed or even stolen; we've seen premises where archived records were kept in an unlocked damp tower. Data in manual records should be kept accurate and up to date. If an address on a file is wrong, for instance if a client has moved and the address has not been updated, this could lead to medical information being sent to the wrong address and either being lost or read by the wrong person. Organizations must be aware of the risks involved if staff are not trained in records management. Even if permanent staff are trained, what about the risks involved with volunteers, work experience students or temps? Is in-house training arranged for new starters? It only takes one person to make a mistake, and there can be significant consequences for an organization if records are lost.

Another area of risk relates to subject access requests. Many concerns about how subject access requests have been handled are brought to the ICO every year by members of the public. Problems can be due to staff not being fully aware of what a subject access request is and how to deal with one. For instance, staff may not know that a subject access request does not have to say explicitly that it is one, and a valid request could therefore be missed. We have received concerns where the subject access request was included within a complaint letter, the staff did not notice this and the request was not passed on to the appropriate area. Subject access request responses are sometimes subject to redactions or exemptions. The work that is done while processing a response should be logged and recorded; otherwise, if there's a complaint about the response or the request is repeated, the organization would not have any record of their previous response, and so mistakes may be made or work repeated unnecessarily. A subject access request must be responded to promptly and in any event within 40 calendar days after it was submitted; a response to a subject access request that is later than this is a breach of the DPA.

OK, I'll pick up a few more questions now if I may. A very
quick one, I think: who actually is the data controller, is it the organization or is it the boss? In this case it would be the organization that would act as the data controller. OK, thank you.

As a healthcare provider, many of us have reviewed our organization through completion of the NHS IG (information governance) toolkit. Does this provide us with a basis in preparing for the GDPR? Absolutely. So we've touched previously on the fact that the Data Protection Act and the GDPR are very similar, so in completing the IG toolkit you will have a very strong basis for ensuring compliance with the GDPR going forward. OK, very detailed.

What about sending documents by email to clients that include their personal information? Do the documents need to be password protected? They absolutely should be password protected where they contain personal information. OK.

Are there any special recommendations for clinical health psychologists and therapists? No, no specific recommendations; it's everyone that needs to comply, and everyone that needs to handle personal information in the same way. OK, thanks very much. I'll hand back to Lauren now, with just a bit of a plug for the ICO's free helpline number, because unfortunately we're not going to get to all of these questions. Just to give you that number, it's available office hours Monday to Friday, and it's a free service: 0303 123 1113 for any inquiries or questions that you've got. Thank you.

OK, so before
we conclude our session today, we hope we've highlighted some of the key risks that smaller organizations working in the health sector face. Some of you may already be aware of some, and some may be news to you, but either way we at the ICO would like to offer practical advice on how to address and manage these risks, to ensure your data protection compliance and to prepare for the introduction of the GDPR. So, as I mentioned earlier, we're going to be holding a series of workshops, which we'd like to invite you to apply to attend. The workshops are free of charge and are a unique opportunity to discuss the challenges you face and how to deal with them, with expert advice from the ICO at hand to help advise. The workshops will be held over three days: the 11th of October at a venue in London, the 7th of November at a venue in Birmingham and the 9th of November at a venue in Manchester. The main topics of the day will be information security, so thinking in light of the recent cyber attack of a ransomware nature, you can learn how to get the basics right; we'll cover GDPR, and you can learn how to start preparing for the changes to the legislation; we'll touch on records management, discussing the lifecycle of a record and how to ensure your organization has the tools to get it right; and we'll cover subject access requests, how to avoid complaints and keep your service users happy. Further information about the times and venues and how to apply can be found on our website under About the ICO and News and Events. We'll just move on to the last section, which shows you a little bit more information about the live chat, and you can find the link to our website there as well.

OK, well thanks again for joining us today. We'll close the webinar now. The recording, as I've said a couple of times, will be available on our website from tomorrow. News about future webinars goes into our monthly e-newsletter, which has got over 120,000 subscribers, so if you're not signed up to that then it might be a good idea if you did, to keep across the webinars and any other updates that we make. We're also on Twitter, @ICOnews, and I'll put the free helpline number up once again: 0303 123 1113. So thank you again for your participation, and goodbye.
