GDPR in Healthcare: A data protection check-up

Published: 30-Sep-2020

Mark Harper of HSM UK provides insight into how healthcare professionals should approach data protection and, in particular, the destruction of paper documents.

Our NHS treats over one million patients every 36 hours - a number that has certainly increased since COVID-19.

However, with the current strain on services, and the sheer number of patients that they and private practices deal with, it’s fundamental that data protection procedures remain airtight.

Under GDPR, those in the sector are required to keep all special category data – both physical and digital – safe and secure.

And, although many have successfully implemented data protection regulations into their own practices, keeping compliant can be challenging, and an afterthought for some.

Yet, with the threat of major penalties, fines, and possible loss of licence, it’s clear that healthcare facilities can’t afford to let their standards slip.

Consequences of neglect

Despite the majority of patient records being held digitally, a large number of healthcare professionals are still relying on pen and paper.

For example, in 2018 it was reported that the NHS still used almost 9,000 fax machines across the country.

Furthermore, many doctors continue to write sensitive patient notes into already-full paper medical records, leaving a huge risk for this information to be misplaced or forgotten about.

From unsecured storage to unauthorised access, paper documentation presents a number of security risks.

And, given the sensitive nature of healthcare documents, security breaches can be extremely serious for every healthcare facility, regardless of size, type, or location.

Our own NHS has suffered investigations, fines and a public outcry after losing almost 10,000 patient records in 2017.

Most recently, patient records from a hospital in Northern Ireland were found discarded on a public road, leading to an investigation by the Information Commissioner's Office (ICO).

And, just last year, a London-based pharmacy was the first to be fined £275,000 by the ICO for failing to ensure the security of special category data after approximately 500,000 documents, which included names, addresses and medical information, were left in unlocked containers at the back of the premises.

But, rather than causing alarm, this should be a reminder as to why destroying physical documents, when no longer required, is crucial to remaining GDPR compliant.

How to avoid slip-ups

Having strict procedures in place is fundamental in ensuring that a patient’s privacy and confidentiality are not compromised – especially when disposing of physical data.

Still, paper is a constant factor that is landing organisations of all types in hot water.

To avoid potential ‘slip-ups’, it’s important for all organisations to upgrade their data protection procedures by investing in an in-house shredder system.

From there, education is key. Employees at all levels of the organisation must understand the correct procedures for dealing with confidential and sensitive information, including the security level at which they must shred their documents.

As stated in the NHS Destruction and Disposal of Sensitive Data Good Practice Guidelines, documents containing Personal Identifiable Data (PID) should be micro cross cut shredded to a level of at least P-4/P-5 prior to disposal.

In addition, under destruction methods, the guidelines refer to a 4x15mm shred size as the standard, one that is also employed by the CPNI for Government, MOD and security services.

Teams that follow these guidelines will ensure paper documents are destroyed to a point where reconstruction is near impossible – thus removing the risk of data misuse through loss or theft.

Yet, back in November 2018, the CPNI removed approval for all mobile paper destruction service providers for all but the lowest ‘Official’ security classification. This means that any health establishment that is actively using an external onsite or offsite shredding contractor to dispose of sensitive information may be doing so outside of NHS and CPNI guidelines, exposing the organisation to potential financial penalties, media exposure, and reputational damage.

Healthcare facilities that choose to use the appropriate in-house shredding systems can further guarantee that they’re shredding to a secure level.

This is in comparison to external shredding services that leave too many unknowns, unnecessarily risking unauthorised access when entire documents sit for days or weeks in consoles.

Aside from this, data security best practices can also be followed. Removing files from desks once finished and implementing a ‘shred all’ policy can further remove the danger of unauthorised viewing and paper documents being stolen or misplaced.

Healthcare facilities, like others, can benefit from introducing a ‘shred little and often’ policy. Adding these policies to a data protection system can help ensure that individuals are doing everything they can to secure confidential information.

Designed to last

As the ICO illustrates, the neglect of physical data can not only have harmful consequences for reputation and business operations, but it can also lead to a loss of patient trust.

With patient confidentiality at the heart of the data protection regulations, healthcare professionals simply can’t afford to slip up.

To alleviate that pressure, especially for the NHS, it’s key to invest in effective physical document protection systems paired with fully-educated healthcare personnel.
