
The importance of GDPR in the Care sector

How does the GDPR affect the Care Sector?

The GDPR is a regulation designed to protect people’s personal data; so, the more data you hold, or the more personal the data you hold is, the more you have to do to comply with its requirements. In the care industry, large amounts of very personal information are handled on a daily basis, so it’s crucial you know exactly how the GDPR applies to you and what you need to do.

Let’s start with some definitions:

Personal Data

This is any kind of information relating to an identified or identifiable living person. It includes things like names, ID numbers, or IP addresses, as well as information which if combined with other information could identify a person - physical, emotional, or mental characteristics, or cultural and social identity, for example.

Special Categories of Personal Data

This includes any kind of particularly sensitive personal data; things like a person’s racial or ethnic origin, their religious beliefs, their sexual orientation, and, most importantly for the care industry, their health data.

Under the GDPR, in order to process people’s personal data you need to have a lawful reason for doing so. There are 6 lawful reasons for processing data under the GDPR (Article 6(1)) which you can find here.

However, health data is not just any old personal data, it’s a special category of personal data which means that not only do you need to satisfy one of the 6 lawful reasons for processing data, you also have to satisfy one of 10 extra conditions for processing particularly sensitive data (Article 9(2)). You can find a full list here.


So, this brings us neatly to the concept of consent. One of the lawful conditions for using people’s data, and for using special categories of data, is that you have the data subject’s consent to do so. The GDPR has a very strict definition of what consent means and how you go about obtaining it. Consent must be “freely given, unambiguous, and explicit”.

We’ll come back to “freely given” in a second as this presents its own problems, but for consent to be considered “unambiguous and explicit” two things are required. First, that the data subject fully understands what they’re consenting to and second, that their consent involves them actively opting in. You can’t tacitly assume consent; they need to actively show their consent by signing a form, or ticking a box, for example. Explain to data subjects exactly what data you want, why you want it, what that means for them, how long you’ll use it, and make sure they understand their rights regarding it (that they can have it deleted, restrict your use of it, have it amended, transfer it etc.).

Now back to those two little words that complicate everything: Freely Given. Imagine a scared patient, lying in a hospital bed, wearing nothing but a loosely fitting, slightly open hospital gown, being poked and prodded by professionals wearing important looking overcoats and speaking with an authoritative air. Can you truly say that the patient freely gave their data? With such a contrast in power between patient and professional, they may feel that they HAVE to give their data. And this is why, under the GDPR, it may not be appropriate to rely on consent as a lawful reason for processing data in a care setting.

Instead, you may need to rely on the condition that data is being processed in order to “protect the vital interests of the data subject” (Article 6 (1)(d)), or that it’s in “the public interest” (Article 6 (1)(e)).

With regards to special categories of personal data, if the data is being used for the medical benefit of the individual (Article 9(2)(h)), the medical benefit of the general public (Article 9(2)(i)), or if the data is necessary for scientific research (Article 9(2)(j)), then you won’t need consent either.

Data Protection Officers

Organisations which handle health data are at a higher risk of a breach, or at risk of a more serious breach if one occurs. To help mitigate this, any organisation which processes special categories of personal data on a large scale needs to appoint a Data Protection Officer (DPO). Their job is to make sure the organisation understands and is fulfilling its GDPR obligations and to act as the point of contact between the organisation, the ICO, and, if necessary, the general public.

Subject Access Requests

Another aspect of the GDPR is the increased access it grants data subjects over their data. This, as it has always been, is done via a Subject Access Request. Where the GDPR differs is that, to afford greater access to data, organisations can’t charge money for access. The exception is where the person making the request has asked for an unusually large amount of data or for repeated access to the same data; then you can charge a fee proportionate to the costs of collecting and sending them the data.

Organisations also have to respond to a Subject Access Request within a month, but if the request is complex and will take some time to complete, they may take up to another month to get the data to the subject.


Finally, Article 30 of the GDPR sets out the requirements for organisations to keep detailed records of all their processing activities, including why the processing took place, whose data was used, how long it was or will be used for, etc.

There is an exemption which allows organisations with fewer than 250 employees to forego record keeping. However, this doesn’t apply to data processing which has a high risk of causing harm to the rights and freedoms of data subjects, to processing that is not occasional, or to processing that deals with special categories of personal data. For an organisation in the care industry, all three very likely apply, meaning you need to keep detailed records of all processing activities.

This is something which would be overseen by your DPO – either as they make and keep the records themselves, delegate the responsibility to another person or people, or as they implement processes which incorporate record keeping into everyone’s daily routines.


These are just some of the ways the GDPR has a direct impact on the care industry and what you need to do to make sure you comply, but this does beg the question – Why?

Put simply: Big old fines is why. If you’re found to have failed in your duties under the GDPR you open yourself up to fines which range from £10-20 million or between 2% and 4% of global annual turnover.

But more than this, in the care sector, you’re handling very sensitive information which, if it was stolen, misplaced, lost, deleted, corrupted, or in any way made unusable, could cause a lot of damage. People’s private health data falling into the wrong hands could cause untold emotional damage and losing medication records and data could result in unsafe amounts of drugs being given to a patient – with potentially lethal outcomes.

All in all, the care sector has, and needs, a great deal of control and power over people’s personal data in order to offer the services people rely on every day. But, with that great power comes a great... responsibility.
