These FAQs supplement the NCHA Position Statement Impact of the General Data Protection Regulation in Clinical and Medicines Homecare Services (version 1.1 last updated 15 Jan 2019).
Please note that, to aid reading, key sections have been identified. However, we advise readers to review all the questions and answers in their entirety, as we have tried to avoid duplicating information across multiple answers.
Sections are as follows:
● General Questions
● NHS Questions
● Data Processor / Controllers Responsibilities
● Data Sharing Agreements
● GDPR Impacts for Manufacturer Funded Homecare Services
● Informed Consent
● Private Patients
● Record Keeping and Data Management
● Reporting Incidents and Breaches
● Right to be Forgotten
We currently have no timescales for Wales and Northern Ireland.
GDPR commonly uses the term incident to describe a potential loss of personal data (e.g. a parcel containing medicines is delivered to the wrong address and not opened) and a breach to mean actual loss of personal data.
In homecare services, an “Information Governance Incident” would include both GDPR Breaches and GDPR Incidents i.e. any loss or “near miss”/potential loss or unauthorised disclosure of personal data.
Also see the FAQ section on Reporting Incidents and Breaches.
The new NHS Standard Terms and Conditions for Homecare Services will include the basic legal provisions required for GDPR compliance. These are due to be published in early 2019. Each new homecare service contract will then need a Data Protection Protocol to complete the contractual documentation set. NHMC is currently developing a template Data Protection Protocol suitable for use with NHS commissioned homecare services.
Also see FAQ section on Data Sharing Agreements.
Data Processor / Controllers Responsibilities
If there is a clinical or nursing element to the homecare service, what is the status of the Homecare Provider or sub-contracted Nursing Provider?
This means that Homecare Providers providing a dispensing and delivery service become data controllers for their record of that patient’s data on first dispensing for each patient.
A data processor does not direct the purpose and means of the data processing activity (Article 4). For clinical and nursing services, whilst each case must be assessed individually, an organisation that does not create its own further personal information, but simply processes the personal information provided by a data controller for the purpose determined by the data controller, is likely to be a data processor.
As a rule of thumb, Homecare Nursing Providers registered with CQC and undertaking regulated activity would be considered data controllers as they provide a professional service where they determine the purpose and means relating to their patient records of the regulated activities provided. For unregulated clinical and nursing services, the status of the organisations involved would need further individual assessment.
If an organisation provides a professional, regulated healthcare service directly to a data subject, that organisation generates personal information for which it is responsible for directing the purpose and means of processing, and that organisation is therefore a data controller.
In funding a homecare service, the manufacturer determines the menu of services that will be offered to a cohort of patients, but does not normally determine which services are provided to individual patients and therefore does not determine the purpose and means of data processing.
In a regulated Patient Support Programme or patient access scheme, identifiable personal information may be provided to the manufacturer who decides whether the supply of medicines can be made to an individual patient. An example would be thalidomide supply where the conditions of the Pregnancy Prevention Programme must be fulfilled. In these cases, the manufacturer may be designated as data controller for the patient records they generate.
Data controllers holding or processing NHS Patient Data must comply with the provisions of the Data Security & Protection (DS&P) toolkit. All data controllers must pay a data protection fee to the Information Commissioner. https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-fee/
However, the ICO guidance paras 33-39 clearly say:
– mail providers/couriers who do not make their own records of personal information, i.e. they just read the label on the letter/package, sort and deliver as per the label are neither data processors nor data controllers.
– couriers who make records to support their delivery service are data controllers but only for the personal data they generate when making the delivery i.e. the courier’s system records of consignee name, delivery address, sender contact name and address, their driver name who made the delivery and any records they make for proof of delivery e.g. name and signature of neighbour if named consignee is not available.
The homecare data for which the courier would be controller is not health data, as it should never include health data, only sealed consignment delivery information.
See Article 4 for the definitions.
Data Sharing Agreements & Contracts
GDPR Impacts for Manufacturer Funded Homecare Services
Privacy notice(s) must identify the data controller and give details of how the data controller will store and process the data they receive, who will have access to the data, its purpose and give details of any onward sharing of the data. Under GDPR, pseudonymised data is considered to be personal level data (unless it can be demonstrated that it cannot be “decoded”), so sharing and processing of pseudonymised data must also be transparent to patients. A generic statement is not sufficient.
As each data controller has a duty to make its own assessment of GDPR compliance, Homecare Providers are concerned that legal advisors within manufacturers will take different views. NHS England has committed to support the NCHA in establishing a single view where possible and creating a common approach.
Where the data is shared with the manufacturer who is data controller, full privacy information should be provided to the patient. Where data is shared with the manufacturer as data processor, the Homecare Provider’s privacy information should name the data processors who will receive the personal data and explain what processing will happen.
Binding Corporate Rules are used by multinational organisations based in several “adequate” countries. The definition of adequacy can be checked with the Information Commissioner’s Office.
Homecare Providers should be assured that manufacturers meet the requirements of the NHS DS&P toolkit before providing NHS patient identifiable data under any lawful basis other than explicit GDPR consent.
The regulatory requirements for PV reports are that they are anonymised. Patients must provide explicit GDPR consent for the inclusion of their identifiable data in PV and/or AE reports.
Assuming GDPR consent to proceed is given, following the Homecare C&I Guidance, the pharma manufacturer will agree with the other parties involved in the incident which organisation will be primary investigator and which secondary investigator(s). The primary investigator should be the most appropriate party to investigate the incident, determine root causes and co-ordinate reporting – this is unlikely to be the pharma manufacturer unless they are already a designated data controller for the homecare service.
Is this the responsibility of the manufacturer / marketing authorisation holder, if they are data controllers in their own right, to have the necessary safeguards in place to assure GDPR adherence?
If the manufacturer is processing data on behalf of the Homecare Provider and is acting as data processor, it is sufficient to inform the patient and provide a link to the Homecare Provider’s Privacy Notice, where the relationship and data sharing with data processors are explained.
If the manufacturer assumes data controller status for patient identifiable data, full Data Privacy information must be provided by the manufacturer and the lawful basis of the data sharing and data processing must be transparent to the patient and their clinical referring centre. Where appropriate, explicit GDPR consent should be gained and documented prior to sharing patient data with the manufacturer.
Would the same apply to the consent for the patient information that may be forwarded on to the regulatory authority, as we would not be able to list them?
Regulatory authorities would also have to be individually named. However, regulatory authorities do not require patient identifiable information and anonymised regulatory reports are not subject to GDPR.
Where the privately funded homecare service is provided via a contract between the Homecare Provider and an insurance company or employer, the Homecare Provider has a legitimate interest under Article 6(1)(f) in delivering the homecare services in accordance with the Homecare Provider’s contract with the payer. Article 6(1)(b) is not appropriate, as that basis requires the contract to be with the data subject.
Record Keeping and Data Management
Where possible, the patient’s clinical record should be kept separately from the administrative data relating to deliveries (e.g. a designated delivery address different from the home address, contact details for carers).
It is recognised that GDPR also applies to historical data. Many Homecare Provider systems were designed prior to GDPR regulations coming into force, so it may not be possible to separate the administrative data from the clinical record. Homecare Providers would have a legitimate interest in keeping administrative data for the same retention period as the patient’s clinical record if it is not reasonably practical to separate that administrative data from the patient’s clinical record. GDPR requires that GDPR compliance is built into systems going forwards so, when changes occur, change management processes should seek to ensure data sets are segregated such that anonymisation and/or pseudonymisation of personal data is implemented where appropriate and the relevant retention periods can be applied.
In this scenario, if this is not regarded as sharing personal data, is it the NCHA position that the patient should nonetheless always be made aware that the anonymised data will be shared with the manufacturer (given that there is a very slight risk that their data could be “unlocked” either by the Homecare Provider or by another party in future)?
It makes no difference which organisation holds the “key”. The important factor is the accessibility and security of the key.
Where pseudonymised data is shared, it is always good practice to inform patients about all data sharing and to be transparent to ensure data subjects are made aware by the controller of all the data processing activities.
Homecare organisations should not rely only on website information, as they cannot assume that everyone has internet access. Some NHS Trusts have sent letters and Privacy Notices to all patients, some have hand-outs available at key locations within the Trust, others signpost and provide links to their website. There is no consistent model and any channel can be used as long as patients are informed. The NHS would like to standardise the approach, but this will take time.
Reporting Incidents and Breaches
For GDPR compliance, the Information Governance Toolkit has been updated into the Data Security and Protection Toolkit. The criteria for assessing whether a breach must be reported have changed, and the new guidance can be found at https://www.dsptoolkit.nhs.uk/Help/29. The updated criteria are based on the likelihood of the breach having occurred and the severity of the impact on the data subject(s).
If an actual breach is not reported to the ICO, the organisation’s Information Governance Incident report should include justification based on the level of risk (likelihood and severity) in accordance with the DS&P Incident Guidance.
If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay. The ICO has produced a guide which may be found on its website.
If an organisation decides not to notify individuals of a breach, it will still need to notify the ICO unless it can demonstrate that the breach is unlikely to result in a risk to rights and freedoms. The ICO has the power to compel organisations to inform affected individuals if it considers there is a high risk. Organisations should document their decision-making process.
Minor breaches must be logged. They can be logged/reported on the Data Sharing and Privacy toolkit, but this should not be used in place of the organisation’s local incident management process. It is solely for the purposes of reporting to the relevant regulatory authority.
If there are multiple data controllers involved in an incident, only the primary data controller must report a breach; however, other secondary data controllers may have their own regulated reporting requirements. When secondary investigator(s) report the same breach, the reports need to be clearly cross-referenced to avoid duplication of investigation efforts and double counting of breaches. Further guidance on primary and secondary investigators and reporters for incidents can be found in the RPS Homecare Handbook Appendix 19.
In the case of significant breaches (loss of data), it is recommended that the homecare organisation also directly notifies the ICO of the incident including the DS&P report reference to ensure compliance with GDPR Article 33 which requires reporting of a breach within 72 hours.
Where multiple data controllers are involved in an incident, more than one of the organisations may be required to make a regulatory report. It is also possible that the breach is an incidental part of a wider patient safety incident where only the secondary investigator is required to make a regulatory report. In all cases, liaison between the data controllers is important to ensure robust reporting without unnecessary duplication.
Right to be Forgotten
Data processors must act on the instruction of the data controller from whom they received the information.
Where the patient consented to data sharing with another data controller, the patient must have been fully informed before the original data sharing occurred. The additional data controller must have asked for and received specific consent for their additional data holding and/or processing and must have provided their own Privacy Notice to the patient.
The data controller(s) for the patient identifiable information must decide whether the data they hold should be deleted and each data controller must inform the patient of any data they will continue to keep and/or process including the lawful basis for their decision.
NCHA does not warrant or represent that the material in this document is accurate, complete or current. Nothing contained in this document should be construed as medical, commercial, legal or other professional advice. Detailed professional advice should be obtained before taking or refraining from any action based on any of the information contained in this document.
NCHA would like to thank Carol McCall for drafting this document and leading the multidisciplinary workgroup review and consultation. NCHA very much appreciated the assistance of NHS colleagues in developing this guidance relating to the implementation of GDPR in clinical and medicines homecare services.
In particular, NCHA would like to acknowledge support received from:
Kiran Mistry, Data Sharing and Privacy Specialist, NHS England
Shaid Hussain, Senior Data Sharing & Privacy Manager, NHS England
Susan Gibert, Chair National Homecare Medicines Committee
Joe Bassett, East of England Regional Homecare Specialist
Version 1 – Approved – 26 Sept 18 – New – Author: Carol McCall, Kiran Mistry, Susan Gibert, Joe Bassett, Shaid Hussain
Version 1.1 – Approved – 15 Jan 19 – Minor corrections prior to publication – Author: Carol McCall
NHS Publishing Reference 001086