Can your clients trust you with their data?

Not, I hasten to add, that you would deliberately misuse it: you wouldn’t sell their details, or pass them on without consent, would you? However, your practice database is worth a fortune in the wrong hands, which means there are people who will put real time and effort into stealing it. That is something you need to care about, for moral, professional and legal reasons.

Did you know, for example, that if hackers stole any of your clients’ personal information, you would be legally liable unless you could show that you had taken all reasonable steps to prevent it? The fine for a serious breach could be up to £500,000, and that is before any civil action by the people whose data was lost or stolen.

Personal Data – the goldmine of the 21st century

There’s a common saying in the IT industry – if you’re not the customer, you’re the product. In other words, there’s no such thing as a free lunch: if you’re getting a free service, it’s because the company supplying it is getting something in return – usually, access to some of your data and browsing habits, which they can sell on.

Personal Data is defined as any information which relates “to a living individual who can be identified – (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.”

In other words, if your practice management software, billing and accounts programmes, archived letters or records store a client’s name and contact details on a computer, you are storing personal data. That brings you within the scope of the Data Protection Act 1998, and of the Information Commissioner’s Office (ICO), the independent regulator that enforces it.

Surely it’s secure on the practice computers – how is it at risk?

In 2016, 24% of all businesses experienced one or more “cyber breaches”. In 13% of those cases attackers got directly into databases on internet-connected computers, and 8% of cases resulted in the theft of personal data.

It’s also worth bearing in mind that protected personal data isn’t just the clinical records (which are probably within your PMS environment), but any other records stored on a computer: copies of letters, bills, address databases, even emails and scanned copies of lab results would potentially fall into this category. Practice workstations and laptops are easier for an attacker to get into than an industry-grade server, and there is always the possibility that a smartphone, tablet or laptop containing protected data is lost or stolen. In November 2016 a historical society was fined after a member of staff had their laptop stolen, because the society had not taken sufficient precautions (such as encrypting the device) to protect the data in that eventuality.

While no security measures will protect you 100% of the time (much as a vaccine is never quite 100% effective), the absence of any formal, planned information security renders you non-compliant with the Act and therefore potentially liable.

What are my responsibilities under the Act?

There are 8 Data Protection Principles you are expected to abide by:

1) Personal data shall be processed fairly and lawfully

In other words, you must have a reasonable justification for collecting any data, and must be transparent with your clients as to WHY you have collected that data and what you intend to do with it. In addition, you cannot use it for any “unlawful” purpose (e.g. selling it without consent).

2) Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

This means much the same as the first, in terms of obtaining consent and using data appropriately. Separately from the principles, the Act also requires you, as the person deciding what the data is used for, to be registered (“notified”) with the Information Commissioner’s Office: that is a legal obligation in its own right, not part of this principle.

3) Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

The key point here is that you must not hold more information than you strictly need to. This is sometimes known as “data minimisation”.

4) Personal data shall be accurate and, where necessary, kept up to date.

Hopefully you’re already doing this – in other words, you’re only storing accurate, up-to-date records!

5) Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

This is an interesting one. Essentially, it means you MUST delete data once you no longer need it. So, if a client leaves the practice, you must have a formal policy setting out how long you will retain their data. However, we are of course subject to other regulations (medicines records must be kept for 5 years, for example), so you will need to sit down, possibly with advice from your insurers, and set retention periods deliberately rather than picking an arbitrary figure.

6) Personal data shall be processed in accordance with the rights of data subjects under this Act.

Your clients have certain rights as soon as you store their information on a computer database. They have the right to see all the data you hold about them (including letters or archived files); to object to processing that is likely to cause them damage or distress; to have any inaccurate data corrected; and to claim compensation from you if you breach the Act and they suffer damage as a result.

7) Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

You MUST have appropriate security measures in place to protect data: formal policies (that are actually carried out!) and physical and IT security measures, including data encryption. The Act does not prescribe specific controls, but “appropriate” is judged against the harm a breach could cause, and as a bare minimum you need a record of all the data you hold and where it is; access to files must be controlled (individual user accounts and passwords, and encryption for anything that leaves the building, such as laptops, phones and USB sticks); you must have anti-malware/antivirus software installed on all computers that hold personal data (even if they aren’t networked); and there must be independent backups of the data, secured and protected in the same way and tested by actually restoring from them, since a backup you have never restored is only a hope.

8) Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

If you use Gmail, or Dropbox, or Outlook, do you know where the data is being processed? If not, you really need to find out! You cannot allow a US company to process your data unless there is an approved safeguard in place: typically membership of the EU-US Privacy Shield (the successor to “Safe Harbor”, which is no longer considered sufficient protection), or standard contractual clauses in your contract with the supplier. Check the supplier’s privacy or data processing terms, and keep a copy of what you relied on.

So what does that actually mean?

There isn’t enough space in this blog to go through everything you have to do to be compliant! However, the key initial steps you MUST take include:

  1. Register with the ICO as a Data Controller.
  2. Find out what data you hold, and where it is – including laptops, phones, email and backups.
  3. Carry out the ICO Data Protection Self Assessment Checklist.
  4. Check that your antivirus software meets the grade (AV-TEST publishes independent comparisons of antivirus products).
  5. Write an Information Security Policy.
  6. Make sure you and your staff follow it!

I know it seems a lot of hassle and work – but it’s a LOT preferable to getting a fine for a major data breach!