By Lucy Pegler, partner, and Noel Hung, solicitor, at independent UK law firm Burges Salmon
In June 2023, the NHS launched the ‘Powered by Data’ campaign to demonstrate how use of health data delivers benefits for patients and society. The campaign draws on examples of how the responsible use of patient data can support innovation in the healthcare sector from developing new tools to support patients and helping to understand how to deliver better care.
Although framed in the context of public health services, the concept of ‘Powered by Data’ is applicable more widely to the healthcare sector. Public and private providers of healthcare whether in-person in healthcare settings or through increasingly innovative digital services, will collect data in every interaction with their patients or clients. The responsible and trustworthy use of patient data is fundamental to improve care and deliver better, safer treatment to patients.
What is health data?
The Data Protection Act 2018 (“DPA”) defines “data concerning health” as personal data relating to the physical or mental health of an individual, including the provision of health care services, which reveals information about their health status.
Healthcare organisations that typically manage data concerning health have an additional obligation to also maintain “genetic data” and “biometric data” to a higher standard of protection than personal data generally.
If you process (e.g. collect, store and use) health data in the UK, UK data protection laws will apply. Broadly speaking, UK data protection law imposes a set of obligations in relation to your processing of health data. These include:
- demonstrating your lawful basis for processing health data – health data is considered special category personal data meaning that for the purposes of the UK General Data Protection Regulation, healthcare providers must demonstrate both an Article 6 and an Article 9 condition for processing data. Typically, for the processing of health data, one of the following three conditions for processing must apply:
- the data subject must have given “explicit consent”;
- processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services; or
- processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare and of medicinal products or medical devices.
- transparency – being clear, open, and honest with data subjects about who you are, and how and why you use their personal data.
- data protection by design and default – considering data protection and privacy issues from the outset and integrating data protection into your processing activities and organisation-wide business practices.
- technical and organisational measures– taking appropriate and proportionate technical and organisational measures to manage the risks to your systems. These measures must ensure a level of security appropriate to the risk posed.
- data mapping – understanding how data is used and held in your organisation (including carrying out frequent information audits).
- use of data processors – only engaging another processor (a ‘sub-processor’) after receiving the controller’s prior specific or general written authorisation.
The NHS and the adult social care system have stated their commitment to upholding the public’s rights in law, including those enshrined in the DPA 2018 and the common law duty of confidentiality. These obligations extend to healthcare providers, whether NHS, local authority and private, whether through online, digital healthcare solutions or more traditional in-person settings.
The Caldicott principles
The Caldicott principles were first introduced in 1997 and have since expanded to become a set of good practice guidelines for using and keeping safe people’s health and care data.
There are eight principles that apply, and all NHS organisations and local authorities which provide social services must appoint a Caldicott guardian in place to support with keeping people’s information confidential and maintaining certain standards. Private and third sector organisations that do not deliver any publicly funded work do not need to appoint a Caldicott guardian.
However, the UK Caldicott Guardian Council (“UKCGC”) considers it best practice for any organisation that processes confidential patient information to have a Caldicott Guardian, irrespective of how they are funded.
The role of the Caldicott guardian includes ensuring that health and care information is used ethically, legally and appropriately. The principles also allow for the secure transfer of sensitive information across other agencies, for example the Social Services Education, Police and Judicial System. Further details of the principles can be found here.
The Common Law Duty of Confidentiality (“CLDC”)
Under the CLDC, information that has been obtained in confidence should not be used or disclosed further, unless the individual who originally confided such information is aware or subsequently provides their permission.
All NHS Bodies and those carrying out functions on behalf of the NHS have a duty of confidence to service users and a duty to support professional and ethical standards of confidentiality. This duty of confidence also extends to private and third-sector organisations providing healthcare services.
NHS-specific guidance
Providers who work under the NHS Standard Contract may also utilise the NHS Digital Data Security and Protection Toolkit to measure their performance against the National Data Guardian’s 10 data security standards. All organisations that have access to NHS patient data and systems must use this toolkit to provide assurance that they are practising good data security and that personal information is handled appropriately.
Furthermore, the toolkit contains a breach assessment grid to support with deciding the severity of the breach using a risk score matrix to determine whether the breach needs to be reported, which supports with reporting security incidents to the ICO, the Department of Health and Social Care and NHS England.
Health and Care Act 2022
As integrated care systems continue to develop, the new Health and Care Act 2022 introduces significant reforms to the organisation and delivery of health and care services in England. In particular, the Act makes numerous changes to NHS England (which has now subsumed NHS Digital) to require data from private health care providers when it considers it necessary or expedient for it to have such data to comply with a direction from the Secretary of State to establish an information system.
The Act also allows the Secretary of State for Health and Social Care to mandate standards for processing of information to both private and public bodies that deliver health and adult social care, so that data flows through the system in a usable way, and that when it is accessed or provided (for whatever purpose) it is in a standard form, both readable by and consistently meaningful to the user or recipient.
Benefits of sharing personal data
Healthcare professionals have a legal duty to share information to support individual care (unless the individual objects). This is set out in the Health and Social Care Act 2012 and the Health and Social Care (Quality and Safety) Act 2015. The sharing of health and social data between NHS organisations and pharmacies could better transform the way healthcare services are provided as well as grant continuity between the various providers. Having a single point of contact with patients is what makes the healthcare system in the UK distinct from other systems around the world. In addition, patient information could be used for research purposes as well as in the development and deployment of data-driven technologies.
A note on cyber security
Given the sensitive nature of health data and patient information, healthcare providers are particularly susceptible to data breaches. In response to the UK government’s cyber security strategy to 2030, the Department of Health & Social Care published a policy paper entitled ‘A cyber resilient health and adult social care system in England: cyber security strategy to 2023’ in March 2023.
Cyber resilience is critical in the healthcare sector and providers must be able to prevent, mitigate and recover from cyber incidents. Strong cyber resilience dovetails with providers’ obligations under UK GDPR to maintain appropriate technical and organisational measure. For public providers and those providing into the public sector, a deep awareness of the DHSC’s Strategy is critical.
Consequences for failure to comply
Whilst there is a lot of focus on the maximum fines under UK GDPR of £17.5 million or 4% of the company’s total worldwide annual turnover (whichever is higher), in the context of the healthcare sector, there is also significant reputational risk in terms of both an organisation’s relationship with its patients and with its customers and supply chain. Organisations should also be aware of their potential liability resulting from claims from patients and potential contractual liability and consequences.
Photo by Irwan @blogcious on Unsplash