Data Protection Compliance for the Healthcare Sector
However, aside from the requirements set out in UK law, healthcare organisations that handle NHS patient data have additional obligations that they must fulfil:
The Data Security and Protection Toolkit (DSPT)
The DSPT is an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian's ten data security standards, and in doing so provides assurance that they are processing personal data responsibly and practising good data security.
Any organisation accessing NHS patient data must complete the DSPT annually. Whilst naturally applying to NHS organisations, such as Trusts and Clinical Commissioning Groups (CCGs), it also applies to many other categories of organisations across the public and private sector. Completing the DSPT is a contractual condition when working with the NHS and where you process or access NHS data and systems.
Normally the deadline for completing the DSPT each year is the 31st of March; however, this year, due to the ongoing impact of the COVID-19 pandemic, it has been pushed back to the 30th of June.
Caldicott Guardians
Every NHS organisation is now required to appoint a Caldicott Guardian to ensure compliance with the “Caldicott principles” when using patient data. Whilst social care providers and other suppliers who hold patient data are not currently required to appoint a Guardian, they must still understand and manage data in line with these principles.
Caldicott Guardians were introduced after the report by Dame Fiona Caldicott’s Committee on the Review of Patient-Identifiable Information published in 1997. Whilst originally there were only six principles, there are now eight.
Although the GDPR and the Caldicott principles share many of the same ideas, the seventh principle, “the duty to share information can be as important as the duty to protect patient confidentiality”, conflicts with the GDPR, which sees patient confidentiality as paramount. Therefore, it is not advised that an organisation’s DPO also take on the role of Caldicott Guardian, due to the potential for conflicts of interest to arise. To mitigate this, organisations may want to consider outsourcing one, or both, of these roles.