The impact of GDPR on Health and Social Care providers

19 Feb The impact of GDPR on Health and Social Care providers

The amended data protection laws come into force on 25 May 2018 in the form of the GDPR (General Data Protection Regulation).

Health and social care employers process more data and data of a highly sensitive nature than many other sectors.  Consequently, you’ll need to be up to date with the legislation and have the correct systems and processes in place before the 25th of May 2018.

If not, you will expose your business to risks of substantial fines and claims, the maximum fine for non-compliance with GDPR is now £500,000 to c. £17,000,000.

What about Brexit, will this mean GDPR will no longer apply? 

In our view, whilst possible, it highly unlikely and the GDPR will most certainly come into play before Brexit takes effect in any event based on current progress with Brexit negotiations.

Why should I do my audits now?

Employers will need to audit all data handling now and where necessary revise procedures ready for compliance – under the new regime employer’s will be placed under a much greater obligation to demonstrate a justification for processing data – whilst at the same time the rights to enforce the new regulations are even greater too – a simple general consent in the contract of employment won’t be enough.

But we already have clauses for processing of data in our contracts!

Standard consent clauses aren’t enough – you must demonstrate compliance Previously standard data processing consent clauses in contracts of employment were perhaps enough, however, the onus will now be on the employer/Data Controller in demonstrating either specific consent for each type of data and/or that it can justify processing any data specifically under the grounds to do so under the new regime.

Consequently, an awareness of how consent is obtained and furthermore, what data can be processed and in what way under the new regime will be the cornerstones of compliance, requiring a much greater understanding of the obligations placed upon employers.

This means you’ll need to look at what you process and why and assess if you are justified in doing so or not and for any such processing to be lawful one of the six ground for processing must be relied upon.

Depending on the grounds for processing employees can object to the processing of their data too.
In summary, the six grounds for processing include:

  • consent is given;
  • it is necessary for the performance of the contract;
  • it is necessary to comply with a legal obligation;
  • it is necessary to protect the subject’s or others vital interests;
  • for the performance of a task in the public interests;
  • necessary for the data processors (for our purposes ‘the employer’s’) legitimate interests;

We can see that consent or performance of the contract and/or legitimate interests of the employer are the three key grounds for processing data for the employer – again, these need to be looked at carefully and assessed with your data processing in mind.

Internal audits are necessary now
In order to properly obtain consent and/or rely on the grounds for processing employers need to:

  • Assess each category of data.
  • What is it?
  • What is the purpose of processing it?
  • Then demonstrate compliance i.e. outline the data, outline the grounds and/or the consent clearly:
    • Is it necessary for the performance of the contract?
    • Is it necessary for compliance with legal obligation?
    • Is it necessary to satisfy the employer legitimate interests?
  • Then an employer must record this ideally in a data register and be able to show in audit and through reporting that this has been done and done correctly, if you don’t you are not compliant.
What else is going to change? 1. Privacy notices – much greater detail will be requiredPrivacy notices must be issued to applicants and staff for the processing of their data. The GDPR includes much more detailed listing of information that must be provided in privacy notices which are obligatory – such as retention periods and data sources. There are also differences in what you must provide if you’re collecting the information directly from data subjects or from a third party.

2. Data subject access requests, no fees and less time!

Employees can already make such requests for a broad range of data including all e-mails on certain subjects, this can be used strategically to gain evidence and of course if you’re not compliant it can be used as another component of a claim.

Soon you will not be able to charge any fee and instead of three months to reply you only have one month.  Again, its time to audit processes and get your house in order as we expect more data subject access requests will come with the waiver of the fee and the reduction in time to collate and disclose data.

3. Data subjects have right to compensation from the data controller

Not only is the burden to justify processing data greater the data subject, for example, an employee can claim compensation for any breaches of data handling on the part of the employer.

Furthermore, even if no harm is done, if you can’t demonstrate compliance you can still be fined!

4. Duty to report your breaches 

This can apply to your own employees and, of course, the Information Commissioners Office. So again it is crucial to audit what data you have and where, your justification and/or consent to handle it and procedures for handling breaches and/or access to it.

5. Liability for your sub-contractors 

If you contract out, say, payroll or health assessments then the Data Controller can be liable for the mistakes of the sub-contractor. So a review of your external suppliers and to what extent they process data for you and how – is important.