What can health and care organisations in the UK learn from enforcement activity across Europe?
The pandemic, and the various ways Governments are developing and implementing contact tracing schemes, have renewed the public’s attention on how their health data is being processed and on the methods used to ensure its security and confidentiality. Indeed, data protection professionals in health and care in the UK have always grappled with these issues – navigating data protection impact assessments, information asset registers and Section 251 applications, as well as the various requirements imposed on NHS Trusts and GP practices by the Data Security and Protection Toolkit. There is clearly lots to do.
A key issue is how health and care organisations engage their Boards on the importance of data protection, particularly at a time when focus on, and awareness of, how health data is being managed has never been greater. During the implementation of the GDPR in May 2018, the main tool of persuasion Information Governance Managers commonly used was the threat of fines as large as €20m or 4% of turnover. However, since then, enforcement activity in the health and care space has been somewhat limited in the UK, which has weakened the case for convincing Boards of why continuous compliance is crucial. Of the ICO’s enforcement actions in this area since the GDPR came into force, a fine of £275,000 was imposed on a pharmaceutical dispensary service for failing to process sensitive data securely and for providing an insufficient privacy notice to data subjects. In addition to this, in 2018, a former trainee secretary at a GP practice was fined after she admitted unlawfully reading the records of 231 patients over two years. And in January last year, an ex-social worker was prosecuted for passing the personal information of service users to a third-party provider of Local Authority young person placements. In these last two cases, the individuals implicated were fined less than £500 each.
Other than making sure you are not storing records in unlocked containers at the back of your premises, or that you are not accessing or sharing personal data beyond what is strictly lawful and necessary, this level of enforcement activity does not provide a great deal of useful insight for health and care organisations to learn from. It gives them little to draw on when developing their existing practices to factor in real-world examples of non-compliance in the sector. Undeniably, enforcement activity in the rest of Europe far outweighs what is happening in the UK and presents some very useful examples of pitfalls to avoid when processing health and care information. Below is a summary of a few cases which are particularly interesting and which offer valuable lessons that organisations in the UK can learn from:
A hospital in Belgium requested an external expert to conduct an audit of its radiology services. The outcome of this audit resulted in the dismissal of the department’s Head of Radiology, citing severe misconduct. The dismissed employee then submitted a subject access request for a copy of the audit report – specifically the sections relating to them. The hospital denied the request stating that a number of exceptions applied including the fact that they did not consider themselves to be the data controller of the audit report (as it was prepared by an external expert) and that the report itself was confidential in nature and protected by copyright. The Belgian Data Protection Authority rejected the hospital’s use of these exceptions and ordered them to provide the former employee with the relevant sections of the audit report that related to and identified them.
The Estonian Data Protection Authority fined a police officer €48 for requesting information about his future spouse and his family from a healthcare provider, without any legal basis for doing so. The healthcare worker who provided the information was fined €56. This case serves as an important reminder that those in law enforcement do not have unrestricted access to confidential information – irrespective of the reason. Requests for information from the police should be assessed on a case-by-case basis and take into account necessity and proportionality.
The Icelandic Data Protection Authority fined the National Centre of Addiction Medicine €20,600 for a personal data breach caused by an ex-employee accidentally receiving boxes containing patient data, including the health information of 252 former patients and records containing the names of approximately 3,000 people who had attended rehabilitation for alcohol and substance abuse. The Icelandic Data Protection Authority concluded that the breach was due to a lack of appropriate technical and organisational measures to protect the information in question. This case highlights the significance of effective records management and tracking processes: an organisation should know where each physical record is held and be able to account for its movement and disposal.
The Integrated University Hospital of Verona was fined €30,000 for not processing personal data in a secure manner and for being unable to prevent unauthorised access to confidential information. The Italian Data Protection Authority found that employees were accessing the health records of their colleagues for purely personal reasons rather than for the provision of care, and that no technical measures were in place to prevent this unauthorised access.
The Haga hospital in The Hague was fined €460,000 for inadequate security of its patient records after it emerged that a celebrity’s health information had been accessed by over 190 employees, many of whom had no legitimate reason to access the information. The Dutch Data Protection Authority found that this was caused by the hospital lacking controls to authenticate users when they accessed information on its system.
The Portuguese Data Protection Authority imposed a fine of €400,000 on a hospital after it found that employees had access to patient data through false profiles. 985 users were registered on the system under the ‘Physician’ category, but the hospital only had 296 physicians working at the time. Doctors also had unrestricted access to all patient files, regardless of their role or specialism. The Portuguese Data Protection Authority concluded that the hospital had not put in place appropriate technical and organisational measures to limit access and protect patient data. This case reinforces the need for organisations to have robust HR processes so that staff who are no longer employees cannot access information after they have left, and so that their profiles are closed with immediate effect. It is also important to make sure dummy profiles are not created simply for convenience or as a temporary measure to give someone quick access to the system – particularly as the use of such profiles can easily be abused and cannot be traced back to an individual.
The Spanish Data Protection Authority is particularly active with its enforcement, having issued over 130 separate fines since the GDPR came into force nearly three years ago. In the health and care space, it recently fined a hospital group €48,000 for the processing of personal data without any legal basis. The patient involved in this case argued that, on admission to the hospital, they were asked to fill in a form which obtained their consent for sharing personal data with third parties through an ‘opt-out’ clause. The hospital stated that the sharing of information was necessary in order for the data subject’s insurance company to pay for the expenses incurred from the services that were provided. The Spanish Data Protection Authority held that consent must not rely on inaction but must be an unambiguous indication of the data subject’s wishes (i.e. an opt-in rather than an opt-out). Of course, why the ‘public interest’ legal basis was not used instead is puzzling.
The Healthcare Committee in Region Örebro County accidentally published on its website sensitive personal data about a patient admitted to a forensic psychiatric clinic. An audit carried out by the Swedish Data Protection Authority found that the incident originated from a lack of written instructions available to guide staff when publishing documents and personal data on the Committee’s website, and therefore from insufficient organisational measures to ensure that personal data was being processed securely. A fine of €11,200 was imposed as a result. This case serves as a useful reminder that not all controls are technical, and that policies and procedures can also act as your first line of defence against a potential data breach.
If you require advice and support on how to comply with the principles for processing personal data under the GDPR, please contact our Data Protection Team at Xcina Consulting. We provide practical and effective solutions to meet your needs and help you to achieve a robust and defensible position.