Do you need an Information Governance Professional or a Lawyer to apply health and social care data protection law? And anyway, what’s the difference?
Picture the scene. You think you need to appoint a Data Protection Officer (DPO) in order to comply with data protection law. This sounds like a “legal matter”, so you instinctively think a legal firm or a solicitor may be the best option. It is certainly true that their expertise and detailed knowledge of legislation and case law will invariably allow them to provide technically accurate legal advice to their clients. But are they the best option when it comes to providing practical advice and problem solving, particularly when the questions and challenges being faced are as much about wider policy, organisational politics and personalities as they are about the law?
When it comes to appointing a DPO, it’s important to think about why you need one and what you need them to do. A legal firm or a solicitor may be able to tell you what the law says but they won’t necessarily be able to tell you the best way to fix a more nuanced problem that has arisen. Legal firms and solicitors will also often have charging structures that can make simply approaching them for advice very expensive! If you are discouraged from seeking the views of your DPO, it’s unlikely they will be able to fulfil their role effectively.
For those working in the health and social care sector, things can be even more challenging. The UK’s health and social care sector is particularly formidable to navigate because, in many cases, data protection law is only one area of compliance which needs to be considered. In addition to the Data Protection Act and UK GDPR there is the common law duty of confidentiality, legislation covering public health, the management of health records and insurance reporting, as well as a range of public sector and NHS policy requirements to take into account. This is one of the reasons the discipline is often referred to as ‘Information Governance’ (or IG) rather than ‘Data Protection’: the requirements go far beyond data protection law alone.
In our experience, when it comes to health and social care it can be as much about navigating the processes and people as it is about the law itself. Understanding the context within which the law needs to be interpreted and applied, and finding solutions which are acceptable to everyone involved, is often more valuable than simply being able to provide an accurate interpretation of the law.
Over the years, I have seen lawyers and legal teams brought in, often at great expense, to help resolve data protection issues within the health and social care sector. Invariably, their advice is accurate, but their ability to fully understand the broader picture and pragmatically solve the actual problems people have has been lacking. It’s one thing to know the right answer to a legal problem. It’s quite another to find a way to apply that effectively and efficiently to a complex situation and resolve the issue at hand in a way that everyone involved is comfortable with.
A great example of this is the approach that many health and social care providers take when it comes to producing Data Protection Impact Assessments (DPIAs) for new technologies and services they are looking to implement. The law is very clear; it is the data controller who is legally accountable for ensuring DPIAs are completed. A health or social care provider looking to implement a new technology or service will often operate as a data controller and the supplier will act as a data processor on their behalf. A lawyer might therefore advise a supplier who will be acting as a data processor that there is no legal requirement for them to complete a DPIA. This would be entirely accurate advice as far as the law is concerned, but is unlikely to be particularly helpful in practice.
As experienced IG professionals, we understand that health and social care providers are often limited in their capacity or capability to complete DPIAs themselves when implementing new health technology and services, which can lead to significant delays in implementing your health technology or taking it to market. It is therefore considered best practice for suppliers to develop a DPIA covering a typical implementation of their product or service, which can then be adopted or adapted by the provider organisation or, at the very least, used to inform any DPIA they may look to complete themselves.
At 8foldGovernance, we pride ourselves on not only providing our clients with the data protection and information governance advice they require, but also ensuring they benefit from the significant experience, knowledge and expertise that our team of IG professionals offer. Unlike many legal firms or solicitors, even those specialising in data protection law, our team has decades of experience working within the health and social care sector, allowing us to provide a greater degree of pragmatism and problem solving for the benefit of our clients.
‘Information Governance as a Service’ gives clients who need advice and support access to our IG professionals to help ensure their success. This can be enhanced with ‘Data Protection Officer as a Service’ for those organisations that are legally required to appoint a DPO, or who wish to do so voluntarily.
“Do I need to appoint a Data Protection Officer (DPO)?”
Under the UK GDPR, you must appoint a Data Protection Officer (DPO) if:
- you are a public authority or body;
- your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
- your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
For organisations supporting the provision of health or social care services, the processing of health data is likely to be core to their business. Even if you aren’t legally required to appoint a DPO, you can still appoint one on a voluntary basis.
Having a DPO can help to build confidence and trust in your organisation as it demonstrates that you are taking data protection seriously. At 8foldGovernance, we strongly recommend that any organisation working within or alongside the health and social care sector appoints a DPO. It is likely to be a legal requirement and it will certainly be expected by the NHS or social care organisation that you work alongside.
For more information about the role of a Data Protection Officer, or to find out when you need to appoint a DPO, check out the Information Commissioner’s Office website. Alternatively, get in touch with me or the 8fold team below.