GDPR Accountability – No. 7

Introduction and comments

We made a change to our schedule this week, and instead of fair processing we have looked at the levels of accountability which we are required to demonstrate under GDPR:

  1. Practice accountability – the technical and organisational measures that need to be in place in order for us to be able to demonstrate this.
  2. 3rd party supplier accountability and contract management.

We will cover fair processing in a later blog and you can view the updated timetable here.

As an aside, we have continued to get many questions related to GDPR, and a recurring theme has been how to respond to various scenarios related to Subject Access Requests (SARs). I wanted to take this opportunity to clarify an important principle related to whether or not practices can levy a charge for SARs. We had previously, and in retrospect incorrectly, reflected an observation that it should be the purpose of the information which guides the decision to charge and if that purpose is the production of a medical report (regardless of who generates the report) then the practice can make a charge. We have now discussed this with the ICO and have had clarification that practices should only charge when they themselves are creating a medical report. In summary, then, we cannot charge a lawyer or insurance company who are requesting information on behalf of the patient even if that purpose is for the production of a medical report unless we have been asked to generate that report.

How to manage the significant resource which will fall to general practice as a result of SARs remains a thorny problem. We believe that the best way forward in the longer term will be to prepare our medical records and share them widely with our patients so that SARs can be responded to through this mechanism. Here is a thoughtful blog about that subject which we recommend you read, which recognises that this is not a straightforward process and highlights some of the challenges ahead.

Access to your Medical records online – It’s hard work for practices, even to do the right thing….

Review of action points from prior session

  • To do 18 Check your renewal date for registration with the ICO; you will need to change to the new payment regime on renewal.
  • To do 19 Complete the Template Record of Processing
  • To do 20 Check the legal bases for processing for different categories of data
  • To do 21 Using the Policy Document Template, create a Policy Document for each category of data

Work covered this week

1)   Measures to demonstrate Practice accountability

Accountability is one of the data protection principles of GDPR.  Not only are we responsible for complying with GDPR but we must also be able to demonstrate our compliance. Whilst this is not a new principle, it is now a legal requirement.

This week we looked at the technical and organisational measures which allow us to do this across a range of activities, including the following.

Data Protection Impact Assessments (DPIAs), which we covered in Blog No. 3, can be excellent examples for showing the controls we have in place within our organisation which demonstrate our compliance.

The old IG toolkit provided a way of evidencing accountability, and this will continue with the new Data Security and Protection Toolkit.  It is now a mandatory requirement for all organisations that process NHS data to complete the Data Security and Protection Toolkit, which has been updated to include GDPR and also contains new recommendations to increase cybersecurity.

The new toolkit can be found here and this must be completed and submitted by 31st March 2019. As before your IG lead will be required to sign your practice up to the toolkit. The difference this year is that instead of this being a process of self-declaration “Yes we have done it”, there will now need to be external validation “Show us how you are compliant with the following requirement”.

CCGs are required to ensure that GP Practices are compliant with the Data Security and Protection Toolkit, so will be monitoring GP Practice compliance on an annual basis (after 31st March of each year). The specific nature of the external validation processes is yet to be clarified, but CQC inspection will almost certainly require evidence that the IG toolkit has been assessed and validated by an external assessor. The toolkit itself will help practices to demonstrate the actions they have taken to meet GDPR requirements and will be a repository which will allow scrutiny of any supporting evidence.

We will be revisiting the IG toolkit in a later blog and will provide templates to help you collate evidence for your Data Security and Protection Toolkit submission, which will be shared on this website.

2)   3rd Party Supplier and Contract Monitoring

As part of the principle of accountability, there is a requirement for data controllers to show that they monitor the performance of their data processors. This links in with the work we have done on DPIAs (Blog No. 3 DPIAs) and Contract Reviews (Blog No. 5 ISA & DPA).

Where processing is taking place, you should ask the third-party supplier for the independent audit of their Data Security and Protection Toolkit (this should be in the contract Terms and Conditions). The Template Data Processing Terms and Conditions (Crown Commercial Service templates) was provided in Blog No. 5.

Some of these data processing services may have been commissioned by the CCG and will have had contractual details as part of the commissioning process. In these circumstances, compliance should be monitored by the CCG as the organisation which has commissioned the service. You should ask the CCG for their validation/review of provider/supplier compliance.

When working on the contract reviews we stated that Practices should be using the Crown Commercial Service templates, which would include those Terms & Conditions.  Whilst there is a processing agreement between GPs and EMIS as their data processor, there is not a similar arrangement with TPP.  NHS Digital has advised that in the case of TPP this has been covered by local call-offs that are signed by CCGs, in addition to a signed deed of undertaking which protects individual GPs against supplier data protection breaches.

Most data processors will be using the Data Security and Protection Toolkit (previously the IG Toolkit), and the monitoring should be a simple matter of them providing you with their Toolkit compliance report.

If they are not taking part in the Toolkit or have not done an audit and you need further assurance, you can use a Provider Assurance Monitoring Checklist.  We have included two checklists – one for NHS data and one for non-NHS data (employee). The checklist is more detailed than the Toolkit report but should not be required in the majority of cases for processors dealing with NHS data.  We have also included a letter template for you to send to your third-party processors with the checklist.

Practices must monitor responses (you can use the Contract Log), and if there is sufficient assurance set an annual review date. If the response is inadequate and shows a level of non-compliance, send a second letter detailing the specific requirements to be met by a given date. State that if the requirements are not met you will consider termination of the contract, a financial penalty (if included in the T&Cs) or reporting data security concerns to the ICO.

Resources Used

Output Documentation

Learning points

  • This week's activity provides an opportunity to review any DPIAs to make sure they are comprehensive and meet the accountability requirements by detailing the technical and organisational measures in place in your practice.
  • The Data Security & Protection Toolkit must be submitted by 31 March 2019
  • Evidence of assurance must be obtained from third-party data processors either through a Data Security and Protection Toolkit assessment or from the response to the checklists stated above.

Practice checklist

  • To do 22 Review your DPIA to see what technical and organisational measures are required for your Practice
  • To do 23 The contracts you listed for Blog No. 5 will each require an assessment of compliance, either against the Data Security and Protection Toolkit or against the questions asked within the template checklist. If the latter, send the letter and checklist template to the provider/supplier to complete and follow the process outlined within the blog.
  • To do 24 Review information on the new Data Security & Protection Toolkit and sign up for Webex training sessions
  • To do 25 Log-in or register for the Data Security & Protection Toolkit to start completing your submission before 31 March 2019

Next session on 23.08.18

(Blog No. 8 and No. 9 due 28.08.18)

We will be covering two topics next week – reporting mechanisms through the DPO and access to records by children. There will be two separate blogs covering these subjects.
