This section offers guidance on demonstrating compliance and accountability in the handling and storage of patient data. It aims to help optical practices understand what is changing and what needs to be done.
It is important to note that the fundamental basis for collecting and storing patient health records has not changed with this enhanced regulation. Optical practices and eye care practitioners will continue to process and store patient data; however, GDPR increases the emphasis on demonstrating compliance and accountability in the treatment of patient data, and how it is used.
Data controllers are responsible for implementing appropriate technical and organisational measures to demonstrate and ensure that any data processing performed follows the GDPR guidelines. In basic terms, this means that opticians and optometrists are obliged to ensure the security of all personal data stored, owned and processed by them.
It is the responsibility of the practice owner to ensure that the business is compliant with GDPR; this does not solely concern the practice management system. It also relates to other systems or services the practice provides that process patients’ personal data and are not wholly dependent on Ocuco services.
Ocuco recommends that practice stakeholders review the legislation personally or seek appropriate guidance from experts in this area. Guidance related to each person’s responsibilities under GDPR can be found by regularly checking the websites of national protection authorities. See related links for guidance in each country.
If you have more detailed questions on GDPR regarding your specific situation, you should also seek independent legal advice relating to your status and obligations under the GDPR. If you have any questions regarding Ocuco’s practice management system not answered in the following pages, then please email email@example.com.
Capturing, storing and using patient’s personal information on paper or in a database is a vital part of the provision of eye health services.
The regulation points out that this processing of data is lawful for the ‘performance of a contract’ as it is in the ‘vital interest’ of the patient. Refer to Article 6.1(b) and Article 6.1(d).
Recalls by any channel, phone, letter, email or SMS fall into this category and do not need to be consent based.
Marketing and other processing which does not fall under ‘vital interest’, require explicit opt-in GDPR consent.
GDPR Consent – Patients must be made aware of data processing activities and data subject rights under GDPR at the time of data capture. The act of giving consent must be affirmed, freely given and easily withdrawn without repercussions.
Where processing is based on the patient’s consent, the controller should be able to demonstrate that the patient has given consent to the processing of their personal data across the optical practice.
You are obliged to have comprehensive and proportionate policies and processes to safeguard patient data and to ensure that you are compliant with data privacy legislation and the extent to which you must do this depends on the volume and sensitivity of stored data.
Important Initial Step – Data Protection Impact Assessment
There is a strong emphasis on accountability in the new regulation. As data controllers, the onus is on the practice owner to demonstrate that they have a clear knowledge of the data they are processing and the measures they need to put in place to ensure its security and that data subject requests are complied with.
This starts with a Data Protection Impact Assessment or DPIA. It is not a complicated document, but it is essential to have a DPIA on record. The production of a DPIA starts with an audit of the practice and all the data processing that happens within the practice and with third parties. The DPIA is a living document and must be reviewed and refreshed regularly.
The May 25th deadline mainly brings into place fines for misuse or breach, a requirement for awareness of patient rights and to have consent for marketing. Documentation on the review of how the practice processes personal data and the changes required is also vital. If it is not possible to implement all of the recommended changes by May 25th this document must show some progress and plans to implement all the required changes.
At a minimum this DPIA should include :
Other items to consider when creating a DPIA outside of the practice management system. This is not a complete list but should help to start the process. It is important to consider if it is still valid to hold this information and if so is it secure.
Data Protection Officer
It is not necessary to have a Data Protection Officer employed in an optical practice. However, assigning the role of Data Manager to a member of staff would assist in the DPIA and the implementation of a practice’s policies and systems. GDPR is an ongoing process; new staff will need to be trained, each new third party will need to be assessed, security will need to be reassessed regularly etc…
The Optical Confederation in the UK has prepared a great guide to GDPR, and it contains an example of a practice audit report.
System Security and Data Breach Guidance
The new regulation places the responsibility on the practice owner to ensure that the information stored is, as practicable as possible, secure and safe from unauthorised use, access or loss. The applies to paper and electronic records, staff data, as well as patient data. Note that loss of data does not have to be directly due to a data breach. Practice owners must ensure that measures are in place to safeguard records against loss or damage. All records should be protected where possible against fire or flood for example.
Ocuco recommends the following steps be undertaken, with guidance sought from IT personnel or IT suppliers concerning the practice’s current infrastructure to ensure minimum standards are met for personal data security beyond Ocuco systems. In this section, we refer to specific articles within the act itself and recommend reviewing them with providers to determine a practice’s state of readiness and compliance.
Security of Processing Personal Data – Electronic and Paper Records
The regulation itself places the level of security into context in Article 32.1:
Considering the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
Therefore, IT systems must include security features and maintenance in the following areas:
Data Breach Guidance
A data breach is any breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. The new law increases the level of sanctions that can be imposed for serious data breaches in the practice; the practice owner is expected to put into place a comprehensive but proportionate set of IT security measures to manage patient data security and prevent data breaches. Data breaches can lead to significant fines.
Demonstrating that reasonable steps have been taken to protect patient’s data will reduce the risk of reputational damage and fines that may result from any potential data breach.
All breaches do not have to be reported, but all breaches should be assessed and prevented from happening again.
You must report a data breach where it is likely to result in a risk to the rights and freedoms of patients which if left unaddressed could cause a ‘significant detrimental effect’. This includes breaches resulting in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. The definition will apply to any inappropriate or unauthorised release or disclosure of patient or staff data. Patients must also be notified if the breach is likely to result in a “high risk” to their individual freedoms. For further guidance we recommend you contact your data protection authority directly if you are unsure of the risk.
Action in the event of a data breach
From 25 May 2018 in the event of a serious breach, the data protection authority must be notified within 72 hours without undue delay.
A breach report should contain the following information