
osborneclarke.com

Challenges and Opportunities in the Paperless NHS and Beyond: A Data Protection Perspective
Emily Jones, Partner

4 June 2014

Data protection compliance in context

Challenges
Private & Confidential

NHS is facing:
1. Huge increase in volumes of sensitive data
2. Public perception issues
3. Fines and enforcement action
4. Political and public pressure to improve data handling

A paperless NHS will bring new challenges in these areas.


Snapshot of recent health sector audit

19 audits carried out primarily with NHS Trusts by the ICO during 2013:

Passwords
• Lack of simple password controls

Policies
• In place, but compliance not always effectively monitored

Record tracking
• Records tracked, but not all conduct audits for missing files
• Concerns regarding security of physical records

Fax machines
• Concern regarding use of fax machines for sending personal information

Information governance
• Appropriate risk registers
• Risk assessments
• Regular review


Impact on suppliers

• Demonstrating compliance is key
• The Data Protection Act 1998 says: "Appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage"
• Competitive advantage for suppliers with a focussed approach to data protection using:
  - Data retention practices
  - Good management of data storage and destruction
  - Careful and well managed use of sub-contractors
  - Robust security measures
  - Staff reliability processes
  - Barriers to overseas data transfers
  - Regular audits and disaster recovery

Improving compliance and mitigating risk

1. Assign responsibility to a DPO

2. Implement a training programme

3. Review and update policies

4. Review approach to hiring sub-contractors

5. Use of encryption

6. Security breach notification

7. Insurance

Non-compliance – the "so what?" question
It's not only about the fines and contract breaches

1. Negative impact on share value

2. Negative impact on current and future customers (private and public sector)

3. Breach of contract (liability)

4. Diversion of time and resources

5. Staff trust


Opportunities

Big data:
• Commercial use and benefits vs. concerns about identification

Anonymisation:
• Concern about "true anonymisation"

Mobile health/agile working:
• Drives efficiencies
• Security and monitoring issues

Tracking access to records:
• Improvements to audits

Data protection obligations
• Knowledge/Consent
• Restrictions on transfers outside the EEA
• Keep data accurate & up-to-date
• Retain data for an appropriate period
• Respond to data subject requests
• Annual notification obligation
• Get opt in / out consent for email / SMS marketing
• Screen against TPS/FPS "do not call" lists
• Get opt-in consent to use cookies
• Data must be relevant and not excessive
• Notify ICO of security breaches (not yet compulsory for all)

Potential future data protection obligations
• DPO requirement
• Enhanced data subject rights:
  - right to be forgotten
  - data portability
• 24 / 72 hours to notify data / cyber breaches
• Fines to increase (>2% world-wide turnover or €1m)
• Expanded definition of personal data
• Data processor responsibility
• Higher level of consent required
• Increased use of Privacy Impact Assessments (PIAs) and emphasis on accountability
• Processor BCRs
• Annual notification scrapped


Contact

Emily Jones, Partner
T +44 (0) 117 917 3652
M +44 (0) 7824 491 293
emily.jones@osborneclarke.com