Introduction
Healthcare data is becoming increasingly important. But despite its significance, many people – patients and healthcare professionals alike – still aren’t aware of how their data is used and the consequences that could result from its misuse, especially when the data is being shared with third parties. That’s because handing over data to third parties reduces the oversight that an organisation has over how the data is used, and increases the risk of unauthorised access and usage, data breaches and other potential data hazards.
The sharing of healthcare data is governed by the UK GDPR, which outlines that when sharing data, organisations must:
- Be honest and open about how data will be stored and why it is being collected.
- Give individuals a right to access their personal information.
- Report breaches of information storage, for example, if data is accessed, changed or stolen.
- Assign a Data Protection Officer (DPO) to manage the way the data is stored and used by their organisation.
Sharing Patient Data for Research Purposes
Worldwide, there is growing support for streamlining the data sharing process, and there is an argument that in order for medicine to progress quickly and effectively, we need to be sharing data. Research organisations undertaking various projects will typically obtain data from different sources, such as NHS Foundation Trusts. Sometimes, the research requires them to combine information gathered from multiple datasets before data analysis can take place. That leads to increased risk of data leakage or inaccuracies, and inevitably, this will lead to the questions, “how can this be done?” and “what are the risks?”.
There are new and emerging platforms, such as the Mayo Clinic Platform, which store de-identified (anonymous) patient data. The de-identification of patient data and its storage in one central place mitigates risk whilst also allowing for ease of sharing. Clinicians, biologists, and other medical professionals often do not grasp the intricacies of data protection, which has the potential to be dangerous. However, where data sharing systems are established with comprehensive compliance measures using the appropriate privacy-enhancing technologies (PETs), it could be hugely beneficial to innovation in the healthcare industry. The ‘Ten Commandments of Translational Research Informatics’ provides some in-depth thoughts on this topic.
Sharing Patient Data to Provide Patient Care
Patient data isn’t just shared for the purpose of medical research and advancements, but also to provide individual patient care. Healthcare providers will collect and use information regarding your health to understand your medical history, and then share this data with other healthcare professionals, such as a consultant at a hospital or a physiotherapist. This is done to provide patients with the best care.
The Information Commissioner’s Office (ICO) has provided an example of where data sharing in the healthcare sector has been undertaken effectively. It highlights the importance of communication when data sharing is involved, outlining that the solution to effective and fair data sharing was to properly engage the parties involved. This includes:
- Hosting public events and delivering presentations to specific user groups to raise awareness of the planned data sharing and to explain to individuals how they could choose whether to be included in the project.
- Engaging local GPs to explain the data sharing plans, how they could opt into the scheme (on behalf of their patients), and what they needed to tell their patients.
- Working with Social Care staff to raise awareness of the data sharing plans and amending the information consent form to reflect the new arrangements.
- Working with the press and their own communications channels (such as emails and websites) to raise awareness of the data sharing plans with the general public.
And let’s not forget the importance of an accurate and transparent privacy notice!
Conclusion
Sometimes, the thought of sharing health data can be a scary one, but it’s important to understand the benefits of sharing this data. It’s also important that those individuals who need to share data in the healthcare sector understand how this can be done safely, with minimal risk, but optimal transparency.
For organisations, there are two key takeaway points. Firstly, make sure your privacy notice is fair and transparent, outlining how and why you may be using patient data. Secondly, when sharing data with other organisations, ask whether you are satisfied that you are meeting your responsibilities under Article 24 of the UK GDPR as the data controller and sharing that patient data with the appropriate technical and organisational measures in place, for example by implementing a data sharing agreement and a data protection impact assessment.
How can DPAS help?
At DPAS, we have many services that can support you as an organisation when it comes to sharing data ethically and safely. We can support the creation of Data Protection Impact Assessments, Data Sharing Agreements, Data Processing Agreements and Addendums to Contracts; the list goes on.
We can also support you with completing or auditing the NHS Data Security and Protection Toolkit.
If you’d like to talk to us more about how we can help, either give us a call on 0203 3013384 or send us an email at info@dataprivacyadvisory.com – or fill in a contact form and we’ll get in touch with you.