
Information Governance Professionals vs Lawyers in Health and Social Care


Do you need an Information Governance Professional or a Lawyer to apply health and social care data protection law? And anyway, what’s the difference?

Picture the scene. You think you need to appoint a Data Protection Officer (DPO) in order to comply with data protection law. This sounds like a “legal matter”, so you instinctively think a legal firm or a solicitor may be the best option. It is certainly true that their expertise and detailed knowledge of legislation and case law will invariably allow them to provide technically accurate legal advice to their clients. But are they the best option when it comes to providing practical advice and problem solving, particularly when the questions and challenges being faced are as much about wider policy, organisational politics and personalities as they are about the law?

 

When it comes to appointing a DPO, it’s important to think about why you need one and what you need them to do.  A legal firm or a solicitor may be able to tell you what the law says but they won’t necessarily be able to tell you the best way to fix a more nuanced problem that has arisen.  Legal firms and solicitors will also often have charging structures that can make simply approaching them for advice very expensive!  If you are discouraged from seeking the views of your DPO, it’s unlikely they will be able to fulfil their role effectively.  

 

For those working in the health and social care sector, things can be even more challenging.  The UK’s health and social care sector is particularly formidable to navigate as in many cases data protection law is only one area of compliance which needs to be considered.  In addition to the Data Protection Act and UK GDPR there is the common law duty of confidentiality, legislation covering public health, the management of health records and insurance reporting, as well as a range of public sector and NHS policy requirements to take into account.  This is one of the reasons why this discipline is often referred to as ‘Information Governance’ (or IG) rather than ‘Data Protection’ because the requirements go far beyond data protection law alone.

 

In our experience, when it comes to health and social care it can be as much about navigating the processes and people as it is about the law itself. Understanding the context within which the law needs to be interpreted and applied, and finding solutions which are acceptable to everyone involved, is often more valuable than simply being able to provide an accurate interpretation of the law.

 

Over the years, I have seen lawyers and legal teams brought in, often at great expense, to help resolve data protection issues within the health and social care sector.  Invariably, their advice is accurate, but their ability to fully understand the broader picture and pragmatically solve the actual problems people have has been lacking.  It’s one thing to know the right answer to a legal problem. It’s quite another to find a way to apply that effectively and efficiently to a complex situation and resolve the issue at hand in a way that everyone involved is comfortable with.  

 

A great example of this is the approach that many health and social care providers take when it comes to producing Data Protection Impact Assessments (DPIAs) for new technologies and services they are looking to implement.  The law is very clear; it is the data controller who is legally accountable for ensuring DPIAs are completed.  A health or social care provider looking to implement a new technology or service will often operate as a data controller and the supplier will act as a data processor on their behalf.  A lawyer might therefore advise a supplier who will be acting as a data processor that there is no legal requirement for them to complete a DPIA.  This would be entirely accurate advice as far as the law is concerned, but is unlikely to be particularly helpful in practice. 


As experienced IG professionals, we understand that health and social care providers are often limited in their capacity or capability to complete DPIAs themselves when implementing new health technology and services, which can lead to significant delays when implementing or taking your health technology to market.  It is therefore considered best practice for suppliers to develop a DPIA covering a typical implementation of their product or service which can then be adopted or adapted by the provider organisation, or at the very least, used to inform any DPIA they may look to complete themselves.

 

At 8foldGovernance, we pride ourselves on not only providing our clients with the data protection and information governance advice they require, but also ensuring they benefit from the significant experience, knowledge and expertise that our team of IG professionals offer.  Unlike many legal firms or solicitors, even those specialising in data protection law, our team has decades of experience working within the health and social care sector, allowing us to provide a greater degree of pragmatism and problem solving for the benefit of our clients.


‘Information Governance as a Service’ provides our clients that need advice and support with access to our IG professionals to help ensure their success. This can be enhanced via the ‘Data Protection Officer as a Service’ for those organisations that are legally required to appoint a DPO, or who wish to do so voluntarily.

 

“Do I need to appoint a Data Protection Officer (DPO)?”

Under the UK GDPR, you must appoint a Data Protection Officer (DPO) if:

  • you are a public authority or body;
  • your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
  • your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.


For organisations supporting the provision of health or social care services, the processing of health data is likely to be core to their business.  Even if you aren’t legally required to appoint a DPO, you can still appoint one on a voluntary basis.  

 

Having a DPO can help to build confidence and trust in your organisation as it demonstrates that you are taking data protection seriously.  At 8foldGovernance, we strongly recommend that any organisation working within or alongside the health and social care sector appoints a DPO.  It is likely to be a legal requirement and it will certainly be expected by the NHS or social care organisation that you work alongside.


For more information about the role of a Data Protection Officer, or to find out when you need to appoint a DPO, check out the Information Commissioner’s Office website. Alternatively, get in touch with me or the 8fold team below. 

 

Adam Spinks


Adam is a specialist information governance lead and has worked extensively for NHS trusts, CCGs, private healthcare providers and digital health technology companies. He has extensive knowledge of data protection and privacy law, information risk management and data flow mapping, and is an expert in the practical application of data protection impact assessments (DPIA) and information sharing agreements (ISA). He is an expert communicator and trusted advisor in the industry.

Published:

  • January 18, 2023

Posted In:

  • Information Governance, Data Protection


+44 (0) 1273 569172

info@8foldgovernance.com


© 2023 8Fold
