What is Personal Data?
The definition in the Act reads: “personal data” means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller.
It can be on paper, in a photograph, video or audio recording, or in electronic form, or any combination of these. It includes clinical notes, but it could be as little as a paper note with a name and phone number on it.
What is a Data Controller?
A data controller is the individual or legal person who controls, and is responsible for, the collection, keeping and use of personal information, whether on computers or in manual files.
What is a Data Processor?
A data processor is a person who carries out any processing of personal data on behalf of the data controller.
What is meant by Sensitive Personal Data?
Irish people regard health-related data as among their most sensitive data. Other sensitive data includes financial data and data that identifies individuals.
Sensitive personal data is defined in the Data Protection Acts as any personal data as to:
(a) the racial or ethnic origin, the political opinions or the religious or philosophical beliefs of the data subject,
(b) whether the data subject is a member of a trade union,
(c) the physical or mental health or condition or sexual life of the data subject,
(d) the commission or alleged commission of any offence by the data subject, or
(e) any proceedings for an offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings.
In effect it is treated as high-risk data, and the Data Protection Acts require additional conditions to be met before processing it is legitimate. Usually this will be explicit consent from the person to whom the data relates.
What is a Data Protection Impact Assessment (DPIA)?
A Data Protection Impact Assessment is in effect a risk assessment carried out in advance of a proposed project, or of a significant change in the way data is controlled or processed, to evaluate the likely impact of the change and to allow that impact to be mitigated as fully as possible. For example, if you were considering moving from paper clinical records to electronic ones, you would need to look at what this means in practice both for the new data and for the old paper records still held. By carrying out this assessment you should be able to put a plan in place in advance to manage the new situation for data protection ‘by design’.
The GDPR introduces some additional matters that physiotherapists in private practice (PP) need to be aware of and keep up to date with. The Data Protection Commissioner has developed a 12-step checklist which may be helpful, and the remainder of this piece expands on its steps as necessary. The checklist is as follows:
- Become Aware
- Become Accountable
- Communicating with Staff + Service Users
- Personal Privacy Rights of Data Subjects
- Access Rights of Data Subjects
- Legal Basis for Processing Data
- Using Consent as basis for processing
- Processing Children’s Data
- Reporting Data Breaches
- Data Protection Impact assessment – DP by Design + by Default
- Data Protection Officers: depends on the size and organisation of the business; many PPs will not need one
- International Organisations and GDPR: not applicable
Becoming Aware
Physiotherapists work with patient data, which is considered ‘sensitive’ personal data, and are therefore considered to be working with ‘high risk’ personal data. This attracts greater attention where the GDPR is concerned, and greater efforts to have safe and secure processes in place will be expected. The GDPR applies from 25 May 2018 and all businesses will have to comply. You should now become familiar with the changes as they will apply to your practice in order to remain compliant. Most physiotherapy private practices will be able to comply with relative ease: despite handling sensitive data, they are small, compact businesses that are neither very large nor complex organisations. However, there are a few areas that continue to raise concerns, as detailed or definite guidance appears to be difficult to come by. Mostly, PPs need to become aware of the enhanced rights of data subjects (for the most part patients or employees) and of the obligations now being placed on the Data Controller, the owner of the practice. All physiotherapists in private practice should be registered with the Data Protection Commissioner, and to do so you will need to specify what data you process and justify why. The ISCP is producing an information handbook and toolkit, in collaboration with some other health professional bodies allied to medicine, that will be useful for PPs. This will include the information and policies needed for GDPR compliance, including:
- Compliance checklist.
- Collection and retention of sensitive personal data.
- Storage Security.
- Third party service agreements.
- Retention of Records/ Information.
- Data access requests.
- Private Practice Websites.
- Taking or using images and photos.
- Private practices and direct marketing.
When these become available they will be uploaded to the ISCP website and linked in this document and on the CPPP microsite on the ISCP website.
Becoming Accountable
Data includes all personal information that can be used to identify people, whether they are employees, patients or others; the GDPR calls them data subjects. The medium does not matter: data on paper, in photographs, video, audio or electronic records is all treated the same way. In a physiotherapy practice almost all of it is personal, most of it is sensitive and therefore high risk, and all of it is the responsibility of the physiotherapist as Data Controller. You cannot manage it, or be responsible for it, until you know what you are dealing with.
The practice owner is the Data Controller. Whenever anyone provides, processes, stores, transfers or does anything else with personal data within the practice, the owner will be held responsible. It does not matter who is working in the practice or what their employment status is, for example locum or self-employed contractor. A self-employed contractor may themselves have to register as a data controller, but if they work within a practice then that practice is responsible too. This is where you have to carry out a hazard identification and risk assessment covering the what, when, where, how and who of data collection, processing, storage and sharing. ISCP guidance on consent, accessing patient documentation, patient documentation, use of email and Standards of Practice already exists and covers some of these things, so at least some of this should already be happening. ISCP is preparing further guidance for members, including PPs, which will have specific relevance to the GDPR.
Because the Practice Principal is the Data Controller for their practice, they must register with the Data Protection Commissioner (see Useful Links below). This will require you to make formal statements about what data you intend to work with or control, and how.
The GDPR introduces changes to the current data protection landscape. Some are significant, some are mandatory and some expose the business and its owners to significant penalties for non-compliance. It is the potential financial exposure to these penalties that is causing much concern in some areas of business, such as liability insurance. At present an allegation of potential loss appears to be all that is required to justify a claim against a business, and there appears to be no need to prove an actual loss for the claim to succeed. You therefore need to become aware of what the GDPR demands and expects of you. Physiotherapy practices will mainly be in the SME sector and so are relatively small, simple data businesses to manage.
As a first step in evaluating your practice's current compliance with the GDPR, you could start at the likely initial points of contact with the patient (phone, email and so on) and move forward through the patient's clinical pathway.
After initial contact, what happens when they enter your premises and what environment do they enter? What data issues, if any, do they meet here, and what are the circumstances of the reception and waiting area? Is there an unlocked computer? Have patient records been left lying on desks? Are notes with contact details visible or easy to get at? Is there a Data Protection Policy statement on display? Does the receptionist occasionally leave the area unsupervised, and if so do they secure the data on their desk first?
Continue through to the treatment room and consider the physical circumstances there: is the screen easily visible to be read, is it ever left unsupervised, could it be tampered with by a patient left alone? What consent is obtained and how is it recorded? The GDPR is very specific about consent requirements for data protection purposes; consent to data use is not the same as clinical consent.
Once the record is completed, what happens to it then? Where is it stored, who has access, what can they do with the data, how long is it retained and what use is made of it? How often is your store of records reviewed? How secure is it? Do you know whether it has remained secure? Have old records that are no longer needed been purged? Where are the old records stored: in the attic? The garage? How far back do they go? Forever? Are your computers password protected? Do they lock automatically when left unattended for more than a few minutes, and is there a secure way to unlock them? Are the screens visible? Are paper notes and files locked away securely? Is access limited? Are they protected in the event of a break-in at the premises?
Within the administration of the practice, is data secure at all times? Can screens be read by patients or relatives? Does the physiotherapist leave the room, or the receptionist the waiting area, with material left where others could access it? Are filing cabinets located in corridors, basements or garages, and are they supervised, secured and checked regularly? Are there twenty years of old notes in a box in the attic? Can you justify keeping them at all, let alone keeping them there? Do staff talk about other patients in front of patients?
Communicating with Staff and Patients
The GDPR requires you to have a good reason for holding the data and to be able to justify why you are using or keeping it.
It requires you to specify what arrangements and policies are in place for sharing it with other people, e.g. doctors, solicitors, other physiotherapists, team managers, and how such sharing will take place. How do you currently inform the patient or staff member of all of this? How do you intend to do it in future to comply with the GDPR?
The GDPR makes it the responsibility of the data controller (practice owner) to ensure that staff and patients are made aware of the how, why, who, where and when mentioned above in relation to how their data may be processed.
Under the current Acts, before gathering any personal data you must already tell your patients:
- your identity
- your reasons for gathering the data
- the use(s) it will be put to
- who it will / may be disclosed to, and
- whether it is going to be transferred outside the EU (an important issue for those using online, web-based (cloud) patient or clinic management systems).
Additionally, under the GDPR you are now also required to inform data subjects, in advance of processing, of:
- the legal basis for processing the data,
- the retention periods,
- their right to lodge a complaint with the Data Protection Commission where they are unhappy with how you handle any of this,
- whether their data will be subject to automated decision-making, and
- the privacy rights they have under the GDPR.
All of the above must be provided in concise, clear and easy to understand language.
There is already some existing guidance on communicating with patients in our Standards of Practice guidelines. Much of this can be communicated in your Data Protection Policy and privacy notices.
Personal Privacy Rights and Access Request Changes
Data subjects (patients and staff) have existing rights under the current Data Protection Acts. These rights are reaffirmed and enhanced by the GDPR. The rights of a data subject under the GDPR include the right:
- to access their personal data
- to have inaccuracies corrected
- to have information erased
- to object to direct marketing
- to restrict the processing of their information, including automated decision-making
- to data portability: the person can ask you to provide their data so that they can transfer it to someone or somewhere else
A practice owner needs to have policies in place to ensure these rights can be acted on. How easy is it for a person to request and get a copy of their record, and how do you require this to be done (ISCP already has guidance on some of this)? Under the GDPR the first copy must be provided free of charge, and you cannot refuse simply because it is too difficult to do. Do you have a formal policy for it? Can you comply with a request to delete information, and how do you explain the issues to the patient or staff member? Who will do it? How long does it take, or can you do it at all, and who will decide on the actions to be taken on behalf of the practice? Can you provide the data to the person in a commonly used format, perhaps electronically? All such requests must now be answered within one month (extendable by up to two further months for complex or numerous requests, provided you tell the person within the first month). You will now have to ensure that people are informed of their right to have inaccurate data corrected, and tell them how long you retain the data. The retention period for physiotherapy records is usually seven years, so any retention beyond this needs to be justified (for example, children's records are kept for seven years beyond the age of majority, so potentially up to 25 years).
If you wish to refuse a request relating to data, your policies need to set out specifically the grounds on which you could do so. These will be quite limited (where the request is manifestly unfounded or excessive), and you will have to demonstrate why you believe this to be the case and have a clear refusal policy.
Legal Basis
Physiotherapy practices must have a legal basis for collecting and processing people's personal data, particularly as health-related data is considered ‘sensitive’ and therefore ‘high risk’ data. It is still not entirely clear to what extent consent to assessment and treatment implies consent to process this sensitive personal data. The guidance appears to suggest that separate consents are required for data processing and for other activities (see below).
Most physiotherapists depend on patient consent as the basis for undertaking their work with patients and for the initial processing of their information. There are then professional and other medico-legal reasons for retaining the records for up to seven years, and soon we will have CORU regulatory oversight of our professional practice too. ISCP is currently developing guidance on this subject with particular relevance to the GDPR.
The legal bases for data processing set out in the GDPR are as follows:
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract you have with the individual.
- Legal obligation: the processing is necessary for you to comply with the law.
- Vital interests: the processing is necessary to protect someone's life.
- Public task: the processing is necessary for you to perform a task in the public interest.
- Legitimate interests: the processing is necessary for your legitimate interests or those of a third party, unless there is a good reason to protect the individual's personal data which overrides those legitimate interests.
Because health data is a special category of personal data, one of these bases on its own is not enough: an additional condition must also be met, which for most practices will be the explicit consent of the patient.
Using ‘Consent’ as the basis for Processing
As physiotherapy practices we do use patient consent as the basis for recording patients' personal health and demographic data. Consent must be:
- freely given,
- specific,
- informed and
- unambiguous.
For health data the consent must also be explicit. Your patients cannot be forced into consenting, or be left unaware that they are consenting to the processing of their personal data. Consent for data protection needs a positive indication of agreement; it cannot be inferred from silence, pre-ticked boxes or inactivity. There are specific requirements for consents obtained electronically or via computer-based systems.
Your consent policy for data processing must meet the standards required by the GDPR. Consent has to be verifiable, and the right to withdraw consent must be explained in advance.
The GDPR is clear that controllers must be able to demonstrate that consent for data processing was given, so you need an effective audit trail of when and how it was obtained.
The ISCP is preparing detailed information and guidance specifically for physiotherapists in this regard, and it will be available by April 2018.
Children’s Data
What arrangements are made for children's records: their collection, storage and retention? The GDPR requires age verification and requires the language used in seeking consent to be age appropriate. Most of what the GDPR says about children's data refers to the use of data by internet-based businesses, but the requirements still apply. ISCP is producing guidance on processing data relating to children and the special arrangements required, e.g. what is sufficient for age verification and whether it needs to be documented or simply recorded how it was verified. In physiotherapy practices this is usually done in person rather than online, so it is perhaps not as great a difficulty, but careful records should be kept as usual. The digital age of consent in Ireland was initially proposed as 13 years; below that age, verification by a parent or guardian is needed. Until clearer, more specific guidance comes into force, it may be best policy to seek parental verification for all children under 18, and your policies can reflect this.
Similarly, the right to deletion of records and the retention period for children's records should be referenced in your policies.
Reporting Breaches
The GDPR makes very specific demands in terms of detecting, investigating and reporting data protection breaches within tight timeframes, and requires someone to be identified as the person responsible for this. As in health and safety, this is likely to be done by the practice principal, but in larger practices it may be delegated to others.
The GDPR brings in mandatory breach notification. A breach must be reported to the Data Protection Commission without undue delay and, where feasible, within 72 hours of your becoming aware of it, unless it is unlikely to result in a risk to the individuals concerned. Breaches likely to result in a high risk to individuals, such as identity theft or a breach of confidentiality, must also be communicated to the individuals concerned without undue delay. Your policy will have to detail how you will do this. Failure to report a breach may leave you liable to a fine in itself, in addition to any fine for the breach. This new mandatory requirement is very similar to the requirement to report health and safety incidents or accidents causing lost time or fatality at work to the HSA. Data breaches are likely to be rare enough occurrences, but you need to know what to do if one happens.
Significant fines can accrue as a result of the breach itself, let alone the potential exposure to civil claims for both material and non-material loss, where it is currently understood that only an allegation of loss is needed for a successful claim and it is not necessary to prove an actual loss. This is making insurers nervous and, if it occurs, may affect premiums significantly.
Data Protection Impact Assessments + Data Protection by Design / Default
Data Protection Impact Assessments (DPIAs) are required where high-risk data processing is undertaken and where a new ‘project’ is being planned or undertaken. A DPIA is effectively a risk assessment to establish what the data protection risks of the project are and how they can be fully mitigated. For instance, if a practice were considering moving to online paperless notes, it would have to show that it had considered the impact of this move on its data processing, what changes are envisaged and what changes are needed in its Data Protection Policies as a consequence. The project plan should include systems that, by design, allow full compliance with the GDPR. The GDPR refers to large-scale operations and larger organisations in this regard, but it would seem that this may also include PPs (because they process sensitive health data). As our practices are relatively small, uncomplicated organisations, it should be easy to develop a plan to manage the risk completely. If it proves impossible to mitigate the risks fully, the practice would have to consult the Data Protection Commissioner before rolling out the project.
Data Protection Officer (DPO)
It is unlikely that the majority of PPs will need to designate a DPO, even though they process high-risk, sensitive health-related personal data, as most are small organisations or sole practices. The Data Controller (practice owner) has the main responsibility, but a DPO may be delegated responsibility for implementing the policy, just like a Health and Safety Officer. Large group practices and franchise operations may need to consider whether they need to designate a DPO.
Conclusion
Keep an eye out over the next several weeks for further guidance from the Society, and read around the subject to become familiar with the terminology being used. Keep in context the size and type of business we are: generally small, simple organisations with few employees, if any, and relatively straightforward data processing. The data we deal with is sensitive and high risk, but we already deal with it daily in a careful and mindful way; we are now simply being asked to explain to others how we do this and to demonstrate that it is safe and that the procedures are robust and secure. We have to show who we will share it with, why and how, which is fairly straightforward. We just have to write it down in a policy document so that others can see it and we are transparent about it. We are already likely to comply with many of the legal requirements on documentation and will be able to provide people with copies of their record if asked. We simply cannot now charge for the time spent doing so, and must do it within the shorter timeframe of one month. All that the GDPR is doing is pulling it all together into one big policy.
Useful Links
Data Protection Commissioner Website
GDPR and You PDF from DPC