Summary and implications
2012 saw data – and health data, in particular – taking front and centre stage in policy and legal developments. These developments will have major implications for everyone involved across the health and care sectors in the year ahead – from hospital trusts to care homes.
The Power of Information
The key health data policy development in 2012 was the release of the Department of Health’s strategy, “The Power of Information: putting all of us in control of the health and care information we need”.
The strategy calls for a transformation in the way information is used and accessed throughout the health and care sectors – and sets out a timetable for this transformation. At its heart is a vision of data being accessed and input by health and care professionals – and shared with patients – online and on hand-held devices. In particular, it calls for:
- a move to electronic health and care records – which can be readily shared and accessed across organisations and across devices;
- information to be recorded once, electronically, at first contact, with patients identified by their NHS number – so that information does not have to be repeated;
- patients and carers to be able to access health and care services – including records, test results, assessments and care plans – online; and
- a new culture of data transparency with “no decision about me without me”.
As the report notes, many parts of the health and care sectors still rely on paper records – or static electronic records that are not shared with other organisations. This stands in stark contrast to many other sectors, such as financial services, where there is an increasingly sophisticated use of and online access to confidential data. A move towards electronic health and care records would not only drive significant cost and service efficiencies but also transform patient safety. The strategy cites the example of barcode medication systems in care homes which improve medication accuracy and reduce waste.
In terms of timing, the strategy calls for:
- patients to be able to view online which GP practices offer online access to records this year (2013);
- the Department of Health and NHS Commissioning Board to incentivise the use of barcode medication administration in care homes by September 2014;
- all NHS patients to have secure online access to their GP records by 2015 (including email repeat prescriptions); and
- all patient data (in publicly funded health and social care) to be identified by the NHS number as the primary identifier by 2015.
Who will be responsible for implementation (and the costs of implementation)? Although the Department of Health sets out its vision in this strategy, it envisages that implementation will be “driven at the local level”. The strategy mentions that a central capital fund is being developed to help support this. However, we suggest that, in the meantime, all health and care organisations should carefully consider what actions they may need to take to implement the strategy.
Health data protection enforcement
The key health sector data protection development in 2012 was the levying of the first fine on a health organisation by the Information Commissioner’s Office (ICO). This was levied in April 2012 on the Aneurin Bevan Health Board for sending a health report to the wrong person. This was swiftly followed by a fine in May 2012 levied on the Central London Community Healthcare Trust for patient data being faxed to the wrong recipient. The highest ICO fine in the health sector last year was levied on Brighton and West Sussex University Hospitals NHS Trust (Brighton NHS Trust) in June 2012. Brighton NHS Trust was fined £325,000 for a serious data breach concerning the insecure disposal of IT hardware containing patient data.
The ICO has made clear that it is focusing on data protection practices in the health sector and is starting to look at the care sector. In November 2012 Plymouth City Council was fined for sending a child care report to the wrong person. We expect this focus to continue throughout 2013. We strongly recommend that all health and care organisations keep their data protection policies and practices under review.
ICO Codes of Practice and guidance developments
Last year saw a number of other legal developments in data protection. We have summarised the three key developments here:
- Firstly, the ICO issued a new Code of Practice on the anonymisation of data. This is particularly important for health organisations that wish to anonymise personal data for clinical research purposes.
- Secondly, the ICO also issued guidance on managing the data protection risks associated with cloud services. If any health or care organisation is considering cloud services for managing some of its personal data, we strongly recommend that this guidance is reviewed beforehand.
- Thirdly, the ICO has issued a consultation on a new Code of Practice on subject access requests. The closing date for this consultation is 21 February 2013. We encourage all health and care organisations to review the consultation document. Going forward, we also encourage health and care sector organisations to review the Code of Practice, once finalised, to ensure that their subject access policies are compliant with the new Code of Practice. During the last financial year the ICO handled over 6,000 subject access complaints. We expect the number of complaints to rise over the coming year as individuals become more protective of their personal data – and aware of their rights.
EU developments: the draft General Data Protection Regulation
Finally, 2012 saw the publication of the European Commission’s draft legislative package to replace the Data Protection Directive (95/46/EC) (the Directive). The UK Data Protection Act 1998 implements the Directive. In brief, it is proposed that the Directive is repealed and replaced by a new legislative package which has, as its centrepiece, a new General Data Protection Regulation (the Draft Regulation). The Draft Regulation, which is over 100 pages in length with accompanying notes, proposes a much stricter data protection regime with:
- substantially higher fines for non-compliance (of up to two per cent of annual worldwide turnover);
- much more protective data subject rights (including a controversial “right to be forgotten”); and
- mandatory data breach notification.
As a Regulation, its provisions will apply directly and will not need to be implemented separately in each of the Member States. In January 2013, the European Parliament rapporteurs issued amendments to the Draft Regulation for consideration. The European Commission’s current timetable is very ambitious – it seeks to reach political agreement on the Draft Regulation by the end of the Irish Presidency (end of June 2013). Nabarro will be keeping a watching brief on these important developments and what they mean for the health and care sectors.