Secure data destruction in the health care sector

GDPR has caused much anxiety within the health care sector. Steve Mellings explains why the most critical part of compliance is the approach to data protection itself

With the hyperbole surrounding the General Data Protection Regulation (GDPR) beginning to dissipate, the stark reality of the need to comply with a law which is not going to go away is only now really beginning to dawn on many organisations. For those operating in the health care sector, where data is key to providing patient care, many of the requirements under GDPR are viewed as cumbersome and an operational burden, leaving many to question the need to change the way in which patient care has traditionally been delivered. This stance is further supported by the complex way in which data is shared between multiple entities, each necessary to provide patient care. However, GDPR and the UK Data Protection Act are here to stay and, 18 months since the law was implemented, we are beginning to see data subjects make use of their rights and the regulator take an interest in those companies who are not on their journey towards compliance.

One organisation I’m involved with, Clinical DPO, operates as an outsourced Data Protection Office (DPO) for over 100 health care organisations and my experience here tells me that the health care sector has some way to go where compliance with GDPR and the UK Data Protection Act is concerned. Despite being mandated by law to have a DPO as a result of the large-scale processing of Special Category data, we’re still seeing many large and smaller independent health care practitioners adopting an internal tick-box approach to compliance, which is leaving many obvious gaps waiting to be identified by both patients and regulators.

With many overwhelmed, it is sensible to try to break the compliance project into specific tasks. One area where the health sector has traditionally struggled is that of secure data destruction. Two of the largest five fines, in excess of £500,000 (pre-GDPR), were levied on the health care sector as a result of improper destruction of data. Despite these obvious examples of the financial risk posed by this business process, we’re still seeing poor practice where data destruction is concerned.

Secure data destruction
It’s perhaps pertinent to start by outlining what we mean by secure data destruction. There are various times within the data lifecycle where erasure is required and that is usually managed on a file basis using system tools which remove the file index keys, rendering the data unaddressable but still in existence. Generally over time the data is overwritten by newly saved data and as such becomes unrecoverable. The risk from this activity is low but that changes significantly when the whole device is released from control, generally at end of life. Healthcare organisations seek suppliers to provide brokerage, recycling or ITAD services and it is here where the real problems begin. Since starting ADISA – a certification scheme for companies who recover IT assets and perform data sanitisation services – we’ve carried out over 500 audits of this business process and as a result of this experience we see common mistakes organisations make when disposing of assets which are relatively easy to fix.

The first common mistake is to underestimate the need for secure data destruction, which means the whole process is treated dismissively. You would hope that the previously mentioned financial penalties would ensure renewed focus is given but it appears, particularly in health care, that retired assets with data on, and also hard copy files, get identified as waste and treated as such. In addition to the fines for failing to dispose of old PCs we have seen pre-GDPR fines for the improper disposal of filing cabinets containing patient records. All of the issues which caused these fines were easy to fix if the proper focus had been applied to this business function.

Operationally, a common weakness is a complete lack of control over the process itself. Whilst the act of data sanitisation is often mentioned in contracts, the control over inventory is not. Loss of the physical asset is a far greater risk than an overwriting toolset not being used properly. It would make sense that if you are releasing your assets into a supply chain, you understand what assets you have released, which in turn will enable you to reconcile what was processed. This is an imperative under GDPR as Article 24 makes it very clear that it is the responsibility of the controller (the health care organisation releasing the assets) to take ‘Appropriate Technical and Organisational Measures’. Not only is it the opinion of the author that it would be appropriate to know what you have released but, and of course more importantly, it is also the opinion of the UK Information Commissioner’s Office. Within their penalty notices for the two health authorities fined for improper disposal, both listed a lack of inventory as a key contributory factor to permitting a breach to happen.

Using a contract
A recurring and frustrating issue for ADISA members is the inability to put a contract in place between themselves and their customers. Under the Data Protection Act 1998 it was illegal for a controller to use a processor without a contract and this has been further emphasised under GDPR by making it illegal for either party to conduct business without a contract being in place. That contract is used to provide compliance with a range of GDPR requirements which are listed in Article 28 and forms a key component in the controller/processor relationship. It would seem obvious that a transaction with such a large amount of data would be governed by strict written authorisation, but sadly that is often not the case. Even where written authorisation is in place, it is often not fit for purpose and the addition of standards which are not relevant merely shows the authors have no proper grasp of the process.

The frustration for ADISA members is that the Standard they are certified to has made it mandatory since January 2016 to have contracts in place, but all too often in an audit we have seen email evidence from the customer saying: ‘I’m not going to sign your contract and if you don’t collect I’ll get someone else to’. This for many transactions is the commercial reality but is fundamentally illegal and as one member says: “our certification saves our customers from themselves, if only they would let us lead them”.

Finally, a common mistake is data controllers not knowing what to look for in their suppliers. A smart website with impressive claims and credibility built by statements about compliance or approvals is commonplace in an industry which is largely unregulated. Article 28 (1) states that you should only use a processor which provides sufficient guarantees to implement appropriate technical and organisational measures. Unless during your due diligence you dig beneath the claims and assess them on their own merits by physically inspecting their facility and their processes then there is no way you can be compliant with this. Unless, of course, you use a vendor who voluntarily gets screening by an independent certification body such as ADISA.

So is this another article lambasting bad practice? And if it is, why should you care?

The truth is that GDPR has caused much anxiety within the health care sector, as it has in most sectors, compounded by companies wishing to sell silver bullet solutions to compliance. The reality is that the most critical part of compliance is the approach to data protection itself. There are many, many aspects which are simple to implement and easy to maintain if the data controller is motivated to approach this properly. Compliance with GDPR is not a one-time process and it isn’t a bolt-on solution; it is about the business building processes into its day-to-day operation which have data protection at the core and support staff in making the right decisions to maintain a compliant position.

Secure data sanitisation is one area where you can apply some basic and sensible principles to manage your risk and become compliant. If you have any doubts about what you are doing, speak to an ADISA member directly as they have been well versed in helping organisations manage this one part of the overall GDPR compliance project.

Steve Mellings is the founder of ADISA and a consultant at Clinical DPO.