The ICO have recently published their findings that many public sector bodies, including NHS organisations, still do not have appropriate policies, processes or staff training in place to ensure compliance with GDPR. In particular, they have identified failings in three key areas, being (i) inappropriate disclosure of data; (ii) insufficient data removal and redaction; and (iii) failure to identify and report a data breach. The failures have resulted in the ICO issuing reprimands to the organisations involved, which then go on to be published on the ICO website for all to see.
How confident are you that your practice is properly managing the risks of GDPR, and what are the possible consequences of a reprimand from the ICO?
What is an ICO reprimand?
In the event of a complaint about you to the ICO, or a claim for damages against you from a wronged data subject, the GDPR imposes a statutory duty on you as a data controller to demonstrate that you have implemented the GDPR Article 5(1) ‘data protection principles’ and the wider GDPR provisions. This is known as the ‘accountability principle’ and an inability to demonstrate compliance could result in you receiving a reprimand from the ICO. Note that it is not enough to simply comply, you have to be able to demonstrate how you comply.
In June 2022, the ICO announced that they would generally rely on their wider powers of warnings, reprimands and enforcement notices when dealing with public sector GDPR breaches, and would only issue fines in the most serious of cases. It is slightly unclear whether primary care providers would be regarded as public sector for these purposes, as the ICO used the terms public authority (which most practices are) and public sector (which most are not) interchangeably, but at least initially we would expect the ICO to err towards reprimands.
Primary Care providers may not consider receiving an ICO enforcement notice or a reprimand to be overly serious (and it will certainly be preferable to a fine), but the ICO publishes the enforcement action it takes on its website, which is constantly monitored by the media and claimant solicitors.
Providers who receive an ICO enforcement notice or reprimand may therefore quickly find themselves under the media spotlight and in receipt of damages claims from solicitors representing affected data subjects. It will be very hard to defend any data breach claim if the ICO has already published that you are not complying with the GDPR.
Top tips to avoid an ICO reprimand
We suggest that you carry out a thorough and regular review of your policies, procedures and training and document the outcome of each review. You may wish to prioritise the following:
- all data protection policies, procedures and staff guidance and training, particularly those relating to the management of data subject requests and requests for access to medical records
- those policies and procedures relating to the removal and redaction of third party and non-personal data and those for data disclosure and sharing
- procedures and training on how to detect and report a personal data breach
- staff data protection instruction and training to confirm that it complies with the ICO’s Accountability Framework. Particular attention should be given to the training of those responsible for managing data subject requests, the removal and redaction of data and the disclosure and sharing of personal data.
Data protection legislation is a complex but increasingly litigious area, and practices are particularly at risk of claims because they hold such sensitive personal data. LMCs, PCNs and primary care providers who require further information on anything covered in this article, or who would like a confidential conversation about complying with the GDPR’s Article 5 requirements can contact Nils Christiansen on 01483 511555 or send an email to firstname.lastname@example.org