GDPR - power to the people in a digital age

'General Strike' by Kyle McKinley

'General Strike' by Kyle McKinley

So, you’ve probably heard or read about the EU’s General Data Protection Regulation (GDPR) by now, right?

A stream of GDPR emails filling your inbox giving you the chance to opt-out of all those services you can’t remember ever opting into in the first place (or maybe you didn’t?!). A little overwhelming, but this new piece of EU-wide legislation that comes into effect on 25 May 2018 is considered to be one of the biggest shifts in data privacy laws in a long time and is worth paying attention to. 

Ultimately, we feel it will help to bring power back to people (or ‘data subjects’ in the regulation’s terminology) in the digital age we live in – helping to protect your individual personal information and broaden your rights. 

The regulation will harmonise data privacy laws across Europe, providing national data protection agencies and regulators (the Information Commissioner’s Office in the UK) with a single reference point. Amongst other things, GDPR will deliver:

  • Greater protection and privacy rights for individuals

  • New rights for people to access the information organisations hold about them

  • An obligation on organisations to deliver improved data management /protection

  • Hefty penalties for non-compliance

With data power comes great responsibility

GDPR clarifies where responsibility for privacy protection lies with any organisations who collect, store, manage, process and analyse any form of personal data. The new law is therefore obviously very relevant to SH:24, and we welcome its introduction. 

We develop services that are user-friendly, accessible and highly secure by using a design-led approach and adopting Government Digital Service design principles which incorporates Privacy by Design (as required by GDPR).

As we’ve engaged and built relationships with users, one of the most audible messages from them was that they wanted the service to be highly confidential and discreet.

This has always been at the forefront our minds and we have strived to fulfil both our moral and legal obligations in relation to privacy and the information we collect.

We’ve also continuously harnessed the expertise of various professionals including clinicians, information governance (IG) and information security experts, NHS IG Boards, IG Leads, Caldicott Guardians, industry professionals, and specialist lawyers. This has helped us to assure we appropriately manage, protect and respect people’s privacy and information.

Consent – permission, not forgiveness

500 pages of oblique terms and conditions that leave you unsure what you are consenting to just isn’t cool. We’ve always sought explicit consent supported by clear website policies without using any pre-ticked boxes. We’ve built on this approach, using specialist lawyers to
comprehensively review our terms and conditions and privacy policy. This will ensure they are clear and transparent, setting out the legal basis for collecting the data we use to deliver our services as well as your legal rights under the new legislation. These policies have been updated in line with GDPR.

We keep your data in an ‘armoured vehicle’

A review of our security measures and technical architecture has confirmed they are compliant with GDPR and protect your data adequately. 

Right from the inception of the service we invested heavily in keeping your data in an ‘armoured vehicle’. The data we collect is retained securely within the NHS N3 network (soon to be migrated to HSCN), hosted within tier 3 datacentres by a highly accredited company called Redcentric, who also host a large amount of NHS records (including the NHS SPINE). 

Our approach has been peer reviewed by industry experts and we undertake vigorous testing to ensure it is resilient.

Evolving policy and practice

As a partner of the NHS, SH:24 has also always mirrored its code of practices and information governance (IG) standards. 

Our NHS IG Toolkit compliance last year was 97%, which increased to 100% this year. 

GDPR has given us the opportunity to evolve policy, culture and practice within SH:24. This has involved a range of activities including:

  • A full review of roles and responsibilities within SH:24, including appointing a new Data Protection Officer (DPO)

  • A comprehensive information mapping and audit exercise, underpinned by a review that confirms the legal basis for collecting service user information

  • A full refresh of all our IG policies, procedures and guidance including new requirements such as subject access rights and data retention

  • Staff training / briefings including specialist external GDPR briefings

  • Revisiting our data impact assessments

  • Conducting due diligence and a review of agreements with the NHS Trusts / partners we work with and our suppliers (such as Redcentric)

Learn more

This is a flavour of our preparation for GDPR – but if you have any further questions (no matter how geeky they might seem) please get in touch. We look forward to continuing to work closely with our users and partners to protect your individual personal information and your privacy rights: power to the people!