Data Protection: What every practitioner needs to know

By Dr Natalie Blakely and Mandy Luckman / 01 May 2014

Dr Natalie Blakely and specialist lawyer Mandy Luckman answer key questions about the ethical and legal issues involved in storing patient data

Protecting your patients’ details is crucial not just for your business but for your reputation. If you record, handle or store medical information, you are responsible under the Data Protection Act 1998 for protecting it. The Act’s principles require you to collect only the information you need, keep it accurate and up to date, hold no more than you need for no longer than you need it, keep it secure, and let the patient see it on request. Data protection breaches involving unauthorised disclosure and lost or stolen paperwork are reported more often in healthcare than in any other sector, so collecting good-quality data and storing it securely demonstrates good practice and could help protect you against litigation.

Is it legal to transport paper medical records around?

Clinical records must be kept confidential at all times, including during transfer between sites. It is legal to transport medical records where necessary, but stringent security measures must be in place to avoid a breach. There are many reported examples of breaches during transport. In one case a lawyer was carrying patient records by hand to a court hearing when she was involved in a road traffic accident and the records were scattered around the accident site. However unfortunate the circumstances, very sensitive patient information could have been read by unauthorised persons. The incident led to stricter measures to prevent a recurrence: records should only be transported when absolutely necessary, and when they are, they should be carried in locked cases.

What must we do to ensure patient data protection when transporting medical records?

Security measures should combine physical, organisational and technological controls, such as secure portable equipment and administrative processes that ensure the documentation is secure at every stage of the journey. The movement and location of records should be controlled so that any record can be retrieved at any time, any outstanding issues can be dealt with, and there is an auditable trail of who took which record where, and when it was returned.

Is it legal to store patient photos on phones and/or a personal cloud?

The Data Protection Act 1998 controls how personal data is used by organisations, businesses and public authorities (Part 1 (1)(e) Data Protection Act 1998) [1]. A key principle of the Act is that information must be kept safe and secure, and there is stronger legal protection for sensitive personal data such as information about a person’s health. It is therefore not advisable to store confidential data on a personal mobile phone, which is easily lost or stolen, or in a personal cloud account, which typically syncs the data to every other device signed into it, including shared devices in the household.

What security features should you look for in a digital system?

A reputable cloud-based storage system should encrypt data both in transit and at rest, and should replicate it across several servers. This replication is called redundancy and means that, should one server fail, your data is unaffected. Redundancy protects against hardware failure only; it does not protect you from accidental deletion or a compromised account, so ask separately how backups are taken and how quickly data can be restored, and ask who holds the encryption keys. It is also worth confirming with your provider that the servers holding your data are located within the EU. Right now the EU provides strong protection for personal data, and if data belonging to EU businesses or citizens is stored outside the EU, the transfer itself must be secure and the data protection requirements at the other end must be at least as strong as those in the EU.

What happens to patient records if you terminate the contract with a digital provider?

The proposed EU Regulation (see Article 18 below) would give a person or business the right to move their data from one cloud provider to another. Whatever the state of the law, check before you sign that, should you request it, your data will be returned to you in a usable format. A PDF is fine for a human-readable copy, but a structured export (for example CSV or XML) is what you will need to load the records into a new system. Confirm, in the contract, that the provider will delete all remaining copies, including backups, once the data has been returned, and obtain written confirmation when it has done so.

Where should patient photos be stored?

Appropriate technical and organisational measures must be taken against unauthorised or unlawful processing and against accidental loss, destruction or damage. It is therefore advisable to store confidential data in a safe, secure environment, or electronically where appropriate security protections are in place. The Data Protection Act requires security that is appropriate to the nature of the information in question and the harm that might result from its improper use, or from its accidental loss or destruction [2]. Since photographs taken in the course of medical treatment may be particularly sensitive, the level of security required is correspondingly higher. Guidance from the Information Commissioner’s Office states that physical and technological security are likely to be essential, alongside management and organisational measures [3]. Physical security includes the quality of doors and locks, whether premises are protected by alarms, security lighting or CCTV, how you control access to premises, supervise visitors, dispose of paper waste, and keep portable equipment secure. Technological security involves secure servers, firewalls and encryption, together with controls on who can open a record and a log of who did.

How long must we keep patient medical records for?

The Data Protection Act stipulates that records should be retained only for as long as necessary [4]. The Act does not define ‘necessary’; however, the Department of Health states that the maximum period of retention of NHS records should be thirty years [5]. The NHS code of practice states that records should be retained for at least eight years for adults and 25 years for children [6]. GP records must be kept for ten years after a patient dies or leaves the country [7], and this also applies to private records under the Private and Voluntary Health Care (England) Regulations 2001 [8].

The Medical Defence Union advises that, where possible, records should be kept beyond the prescribed periods, as claims do sometimes arise after these timescales, and it may prove difficult to defend a claim successfully without the records [9].

Ideally, all records should be reviewed before they are destroyed, and it is sensible to keep any patient records where there has been an adverse incident or complaint. Disposal must protect patient confidentiality: paper records should be shredded. Deleting a file or reformatting a computer does not remove the data from the disk, so drives and other media that have held patient records should be securely wiped or physically destroyed, with a certificate of destruction kept; seek advice from a specialist IT company if you are not sure how to do this. The Information Commissioner’s Office advises that retention and review schedules should be in place for each category of personal data to help practitioners comply with this principle: after a set period the data is reviewed, and destroyed once it no longer needs to be retained [10]. Paper records that are no longer in active use but must still be kept may be moved to a designated secondary storage area, which can be a more economical and efficient form of storage. Several accredited document storage facilities are able to store NHS, medical and pharmaceutical records securely.

Who do the records belong to?

Legally, although the patient owns the information contained within the medical records, the healthcare provider owns the paperwork that holds it. The records should therefore be retained by the treating clinician, though patients have a legal right to access their medical records under the Data Protection Act 1998 [11]. This means that any individual can obtain a copy of their own medical records on request, subject to paying reasonable copying charges of up to £50 [12].

What does the proposed EU Regulation on information governance for 2015 mean for practitioners and clinics?

Under current law, the Information Commissioner’s Office can issue a penalty of up to £500,000 for the most serious breaches of the Data Protection Act [13]. The Information Commissioner decides at his own discretion whether to impose a fine, based on the severity of the consequences of the breach. Fines have been imposed in the past for incidents such as transferring personal data on unencrypted memory sticks and losing electronic devices containing personal data [14]. The draft Regulation would instead require supervisory authorities to impose prescribed fines of up to €1 million (£0.9 million) or 2% of a company’s annual global turnover for a violation of the Regulation (Article 79), regardless of the harm caused. The most serious breaches are likely to involve deliberate misuse of data leading to substantial damage or substantial distress [15].

Other key changes in the proposed EU Regulation include:

  • Higher standard of consent (Articles 4(8) and 7)
  • Data minimisation (Article 5)
  • New and strengthened rights for data subjects (Articles 12, 17 and 18)
  • Breach notification within 24 hours (Article 31)
  • Data protection impact assessments prior to risky processing operations (Article 33)
  • Obligation to appoint a data protection officer (Articles 35-37)
  • Imposition of large fines for failure to comply (Article 79)