With the introduction of Primary Care Networks, the scope of data sharing has expanded. This increased scope widens the cyber-security threat landscape while, at the same time, expectations on data security have heightened. NHS England identifies “Keeping General Practice Safe” as one of the key challenges. General Practices have a critical operational dependence on digital systems to operate on a daily basis, and a strong emphasis has been placed on the security and safety of the digital technologies used in General Practice. Practices are at risk from:
(i) Significant system failure – This may severely disrupt or close down essential Practice operations with almost immediate effect. Workarounds may be limited, depending on the nature and the extent of system failure.
(ii) The loss of (access to) patient records – This may arise from failure of digital systems or from other policy breaches. It presents high-impact risks to the Practice in:
(a) operational continuity,
(b) clinical safety,
(c) corporate criminal liabilities and
(d) potential regulatory actions from the ICO, including fines.
(iii) Errors, faults or algorithm-based outputs – These may arise from embedded logic and knowledge bases in software that processes patient information, and may lead to clinically unsafe recommendations.
Our data protection service minimises the legal and regulatory risks relating to data protection, information governance and cyber security through specialist support and advice that forms the foundation of risk mitigation.
As “public authorities”, GP Practices are expected to review and verify the accuracy of the PCN data sharing agreement that has been circulated. If you are satisfied with the content, please sign and return it. If you have any concerns, please refer them to your DPO straightaway.
Subject Access Requests (SARs)
While there has been a surge of SARs in some Practices, some of the requirements set out in the GP IT Operating Model v4 by NHS England, when implemented in April 2020, will ease this pressure. These measures include Practices providing all patients with online access to correspondence, as the system moves to digital by default (with patients needing to opt out rather than opt in). All patients will have online access to their full record.
Following a ruling by the Court of Justice of the European Union (CJEU), the ICO updated its guidance to change the timescale for response. The timescale now treats the day of receipt as ‘day one’, rather than the day after receipt, while retaining the 30-day period for response. For example, a SAR received on 3rd of September should be responded to by 3rd of October, rather than by 4th of October as was previously the case.
Freedom of Information Act (FOI)
The ICO is now a formally accepted member of the International Conference of Information Commissioners (ICIC). The year 2020 marks fifteen years since the Freedom of Information Act 2000 came into full effect. Gill Bull, the ICO’s Director of Freedom of Information Complaints and Compliance, notes this as another milestone in the FOI arena. The ICIC brings together countries from around the world to share best practice and to improve, defend, promote, protect and develop access rights.
Some GP Practices continue to receive FOI requests. If you require assistance with any FOI request, please contact the named DPO we have provided you for advice.
Recent Breaches
On 20th of December 2019, the ICO fined Doorstep Dispensaree Ltd., a pharmacy company, £275,000 for failing to ensure the security of patient data.
On 9th of January 2020, DSG Retail Ltd. was fined £500,000 after a ‘point of sale’ computer system was compromised as a result of a cyber-attack, affecting at least 14 million people.
How do we safeguard ourselves?
– Ensure that all records are safe by securely locking physical premises and filing cabinets.
– As part of the induction kit, ensure that all staff are trained on data handling.
– Vet third-party suppliers. Contact your DPO to carry out a full impact assessment prior to engaging any new supplier.
– Do not depend too heavily on a single resource. Always have backup plans.
– In the unfortunate event of an incident, ensure that you contact the named DPO we have provided you. Our DPO service offers you 24-hour cover, seven days a week (including holidays). So, kindly ensure that you do not delay reporting the incident.
If you would like more information on Data Privacy laws or require DPO services, please reach out to info@Bivika.com.