Data protection by design and default

The GDPR requires that processing is carried out with appropriate technical and organisational measures to protect personal data. It does not define what is appropriate, or what counts as a technical or organisational measure; this is one of a number of areas where organisations have to determine for themselves what is appropriate. In practice that means some form of risk assessment methodology, and some mechanism for demonstrating accountability for the steps taken to deal with risks to the rights and freedoms of data subjects.

When the regulation refers to ‘data protection by design and default’ it means building data protection into the design of a process from the outset, and ensuring that, by default, an organisation only processes the data it needs for a specific, legitimate purpose. Techniques such as pseudonymisation (replacing the most identifying fields within a data record with one or more artificial identifiers, or pseudonyms, so that the record can no longer be attributed to a person without additional information that is kept separately) and data minimisation should be applied as a matter of process design rather than as an afterthought.
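The pseudonymisation and minimisation described above, as an added example (not code from the original article). It assumes a constructed extract of patient records prepared for a clinical audit that only needs a stable patient identifier, birth year, area, GP practice and one clinical value; the field names, the audit purpose and the sample records are all assumptions for illustration. Direct identifiers are replaced with keyed pseudonyms (HMAC-SHA256), quasi-identifiers are generalised, and every other field is dropped. The key is the separately held ‘additional information’: without it the pseudonyms cannot be reversed, and a different key produces unlinkable pseudonyms.

```python
"""Pseudonymisation plus data minimisation of patient records.

Added example, not code from the original article. Field names, purpose
and records are constructed for illustration.
"""
import hmac
import hashlib
import secrets

# Constructed sample records; not real patients or real NHS numbers.
SAMPLE_RECORDS = [
    {"nhs_number": "000 000 0001", "name": "Ann Example", "date_of_birth": "1984-03-12",
     "postcode": "LS1 4AP", "gp_practice": "B86001", "hba1c_mmol_mol": 58,
     "phone": "07700 900123"},
    {"nhs_number": "000 000 0001", "name": "Ann Example", "date_of_birth": "1984-03-12",
     "postcode": "LS1 4AP", "gp_practice": "B86001", "hba1c_mmol_mol": 52,
     "phone": "07700 900123"},
    {"nhs_number": "000 000 0002", "name": "Bob Sample", "date_of_birth": "1971-11-30",
     "postcode": "M1 1AE", "gp_practice": "P84004", "hba1c_mmol_mol": 49,
     "phone": "07700 900456"},
]

# Minimisation: the only fields this (assumed) audit purpose needs. Anything
# else in the source record (name, phone) never reaches the extract.
AUDIT_FIELDS = ("nhs_number", "date_of_birth", "postcode", "gp_practice", "hba1c_mmol_mol")

# Direct identifiers are replaced by pseudonyms; quasi-identifiers are coarsened.
DIRECT_IDENTIFIERS = {"nhs_number", "name", "phone"}
GENERALISERS = {
    "date_of_birth": lambda d: d[:4],       # full date -> birth year
    "postcode": lambda p: p.split()[0],     # full postcode -> outward code
}


def pseudonym(key: bytes, field: str, value) -> str:
    """Keyed, deterministic pseudonym for one field value.

    The same (field, value) under the same key always yields the same token,
    so records for one patient stay linkable. Without the key the token cannot
    be reversed, and, unlike a plain SHA-256 of an NHS number, it cannot be
    recovered by hashing every possible number and comparing.
    """
    canon = "".join(str(value).split()).upper()        # strip whitespace, uppercase
    msg = field.encode() + b"\x00" + canon.encode()    # field name as domain separator
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def pseudonymise(record: dict, key: bytes, needed=AUDIT_FIELDS) -> dict:
    """Return a minimised, pseudonymised copy of one record."""
    out = {}
    for field in needed:
        if field not in record:
            continue
        value = record[field]
        if field in DIRECT_IDENTIFIERS:
            out[field] = pseudonym(key, field, value)
        elif field in GENERALISERS:
            out[field] = GENERALISERS[field](value)
        else:
            out[field] = value
    return out


def pseudonymise_all(records, key: bytes, needed=AUDIT_FIELDS) -> list:
    return [pseudonymise(r, key, needed) for r in records]


def build_reidentification_table(records, key: bytes, field="nhs_number") -> dict:
    """Pseudonym -> original identifier. Held by the key holder only; releasing
    this table alongside the extract would undo the pseudonymisation."""
    return {pseudonym(key, field, r[field]): r[field] for r in records}


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # generated once, stored apart from the extract
    for row in pseudonymise_all(SAMPLE_RECORDS, key):
        print(row)
```

The two records for the first patient come out with the same pseudonym, so a longitudinal audit can still follow one person, while the recipient of the extract never sees a name, phone number, full date of birth or full postcode.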

Data Protection Officer

The GDPR requires public authorities to appoint a Data Protection Officer (DPO), a requirement the ICO has also emphasised; the DPO oversees the organisation’s GDPR compliance framework.

Organisations may decide to make this an external appointment, but the DPO can equally be a senior person already employed by the organisation.

The DPO should not have other responsibilities that conflict with this role, such as Information Governance Lead, Senior Information Risk Owner, or Information Security Officer.

DPOs need to be independent and to report directly to the highest management level in the authority. They also need to be skilled people managers who can ensure that even the most complex, and often long-hidden, data issues are made clear and transparent.

The DPO’s tasks are to:

  • inform and advise the organisation and its employees about their obligations under the GDPR
  • monitor compliance with the GDPR, including managing internal data protection activities, advising on Data Protection Impact Assessments (DPIAs), handling Data Subject Access Requests (DSARs), training staff and carrying out internal audits
  • act as the first point of contact for the supervisory authority and for individuals whose data is processed, such as employees and customers.

Multi-agency work and children’s services

Another area worth noting, because of the sensitivity of the data involved, is multi-agency working with vulnerable people or young people. Children’s data is particularly sensitive, and organisations will have to improve how a child’s personal data is captured, used and erased.

Under the GDPR, where an online service relies on consent to process a child’s personal data, that consent must be given or authorised by a parent or guardian if the child is below the age threshold. The regulation sets the threshold at 16 but allows member states to lower it to 13, and the UK has chosen 13. This can be complicated for children in contact with health and social care services because of concerns about their welfare: their best interests may not always be served by the parents who hold the consent rights.

For the time being, child protection overrides privacy rights, and this is likely to remain so, but healthcare workers will have to record how they decided that additional consent should be waived. In their work with young people, healthcare workers are well placed to help children understand what is involved in agreeing to privacy statements and terms and conditions.

The Data Security and Protection (DSP) Toolkit

From 1 April 2018 the DSP Toolkit replaced the Information Governance (IG) Toolkit previously run by the Health and Social Care Information Centre (HSCIC, now NHS Digital). The DSP Toolkit is the new standard for cyber and data security for health and social care organisations in England. The draft assertions in the DSP Toolkit have been released and prototypes are available on the online portal. Compliance with the DSP Toolkit requires organisations to demonstrate that they are implementing the 10 data security standards recommended by the National Data Guardian Review, which are intended to ensure that citizens’ confidential information is safeguarded. Invitations to register for the DSP Toolkit were sent to the first named IGT administrator for each organisation, with the intention that all organisations would be invited by the end of April 2018.

10 Data Security Standards

The 10 Data Security Standards set out in the National Data Guardian Review are, in summary:

1. All staff ensure that personal confidential data is handled, stored and transmitted securely, whether in electronic or paper form, and that it is only shared for lawful and appropriate purposes.

2. All staff understand their responsibilities under the standards, including their obligation to handle information responsibly and their personal accountability for deliberate or avoidable breaches.

3. All staff complete appropriate annual data security training and pass a mandatory test.

4. Personal confidential data is only accessible to staff who need it for their current role, and access is removed as soon as it is no longer required. All access to personal confidential data on IT systems can be attributed to an individual.

5. Processes are reviewed at least annually to identify and improve those which have caused breaches or near misses, or which force staff to use workarounds that compromise data security.

6. Cyber-attacks against services are identified and resisted, and CareCERT security advice is acted on. Action is taken immediately following a data breach or near miss, with a report made to senior management within 12 hours of detection. The requirements for cyber resilience therefore become part of the DSP Toolkit.

7. A continuity plan is in place to respond to threats to data security, including significant data breaches or near misses; it is tested at least once a year, with a report to senior management.

8. No unsupported operating systems, software or internet browsers are used within the IT estate.

9. A strategy is in place for protecting IT systems from cyber threats, based on a proven cyber security framework such as Cyber Essentials, and it is reviewed at least annually.

10. IT suppliers are held accountable via contracts for protecting the personal confidential data they process and for meeting the data security standards, so that information security extends through the supply chain.

Key considerations

Healthcare organisations need to think about how they plan for risks, and that includes looking at the risks introduced by new technologies.

As mentioned above, the GDPR requires data protection by design and by default to be built into policy frameworks. As local authorities roll out their digital transformation programmes, each new system and data flow by definition creates new risks for data subjects, and those risks need to be assessed as part of the design rather than after deployment.

GDPR compliance needs to be embedded in the organisational culture, from directors to healthcare professionals and through to third-sector partners. The balance between protecting data and protecting patients has to be well understood: staff need to understand their responsibilities, and they need to be able to operate reasonably freely in a way that achieves both ends. That is a complex set of challenges for organisations to rise to. The GDPR is intended to bring about wholesale change in how personal data is handled; it needs to be taken very seriously, and failing to comply is not an option.
