New European rules on privacy in the digital age

Sarah Collen, senior policy manager at the NHS European Office, looks at why changes to data protection legislation are important for the NHS as well as the key changes on the horizon on data privacy

The use of data is essential to the NHS. The UK government’s recently published Life Sciences Strategy has underlined the importance both of the NHS and of making better use of data in delivering a flourishing life sciences sector in the UK post-Brexit. Reflecting on this, the chief executive of the NHS Confederation noted that ‘industry and the NHS must embrace the digital future – and that means linking data between the different parts of the healthcare system’. He went on to say that ‘the UK’s comprehensive healthcare system could capture data, measure outcomes and provide evidence that in turn could help industry market innovations across the world’.

The idea that the use of data by the NHS is important is by no means new. In 2016, the Wachter Review of the NHS made it clear that although there are many ways to transform service provision and care delivery, healthcare is mostly about information, and therefore managing data is a key to successful system transformation.

It said: “It is about the A&E doctor having an accurate medication list when she evaluates a delirious patient, the oncologist having access to the results of a new clinical trial, and the ward nurse being alerted quickly that a patient’s changing vital signs may represent early sepsis. An information-rich healthcare system is also about ensuring that all of the relevant carers have the information they need to transfer the care of a frail patient from hospital to home care or to hospice. Moreover, the increasing importance of genomics in healthcare, patient access to new information via the Internet and social media, and our deepening understanding of the potential from big data analytics all place a growing premium on information”.

The report goes on to state that it would be a costly mistake to try and pursue the aims of the NHS’s Five Year Forward View, to deliver better health, better care and lower cost, in a non-digital NHS. ‘Simply put, the NHS will be unable to achieve its goals without digitising effectively’.

Indeed, the use of data is critical not only for providing quality care to individuals, but also for the management of health and care systems, and making life-saving medical discoveries. Those working in hospitals and other health and care settings not only use data for direct care purposes but also to: better understand diseases and improve treatments; understand patterns and trends in public health and disease; plan services that make the best of limited resources; monitor the safety of drugs and treatments; and compare the quality of care provided in different areas.

Why all the fuss about data privacy?
As the majority of data collected by the NHS are personal and sensitive, it goes without saying that data privacy is a critical and necessary element of any data strategy. It is important to ensure the right balance is struck between safeguarding privacy and protecting the interests of individuals, while enabling health and care systems to collect and connect information to benefit us all.

Data sharing and the necessary protection of privacy associated with this are becoming increasingly important for health systems as they try to adapt and create new models of care delivery. One of the most significant challenges to creating person-centred networks of care is getting to grips with information governance. New models of care must understand not only the legal requirements on privacy, but also the information and communication channels at work in their networks, and the purposes for which the data are being shared, in order to understand the new frameworks and infrastructures that need to be put in place.

What changes in law are on the horizon?
As NHS organisations grapple to enable the best, safest and most effective ways of data sharing, the other side of the coin is managing data privacy. In this area, NHS organisations must start to prepare for changes in the law which will come into force in May 2018. The EU has revised its data protection legislation, to bring it up to date with advances in technology (the previous law was agreed before the rise of the internet, social media etc). This law will come into force before the UK leaves the EU, so the UK is planning to implement this in full. (for more information on this, see our data protection webpage) It is also important to maintain alignment with EU law on data so that the NHS can continue to con conduct collaborative research and clinical studies with partners in the EU in the future.

The top changes for NHS organisations will see organisations now being obliged to demonstrate that they comply with the new law. This is an important and significant shift change from passive to active compliance and one that data controllers in the health sector should take note of.

It is now mandatory for all public authorities, which will include all NHS organisations, to appoint a Data Protection Officer. Additionally, Data Protection Impact Assessments are required for high risk processing (a hospital processing health and genetic data will fall under this category of high risk). Data protection issues must be addressed in all information processes, while charges, in most cases, will be removed for providing copies of records to patients or staff who request them.

Additionally, there are specific requirements for transparency and fair processing, a legal requirement for security breach notification and organisations will be required to keep records of data processing activities. There are tighter rules where consent is the basis for processing (although there are alternatives to using consent as a basis for processing) and there could be significantly increased penalties for any breach of the new legislation – not just data breaches.

As the NHS prepares for these changes in the law, what is most important is to make use of this new opportunity to place information governance at the heart of activities, ensuring the most effective and efficient use of information, whilst protecting privacy. As the new legislation comes into place, our office is supporting NHS England’s data support unit, which is working with the Department of Health, the Information Commissioner’s Office (ICO) and all health and social care arms-length bodies (ALBs) to produce helpful guidance on the top changes the NHS and other health and care organisations should prepare for.