Primary Care Networks (PCNs) are becoming increasingly active within the primary care landscape in helping to deliver local patient care. With these increased levels of activity, there is in turn an increasing number of data protection considerations to navigate.
In this article, Helen Wallwork, Partner and head of our Healthcare team, together with our IP, IT and Data Protection team, explores what PCNs and their member practices need to consider in order to stay compliant.
The evolution of Primary Care Networks
Whilst PCNs have been established for the last 12 – 18 months, and many member practices may have worked collaboratively together for some years beforehand, we are currently seeing new levels of business planning activity amongst Primary Care Networks, in a way which aligns with Network Contract DES Specifications.
PCN planning includes the employment of a variety of different medical and non-medical professionals to work in the member practices, engagement with other local health stakeholder organisations, and the possibility of tendering for new APMS contract opportunities.
Whilst some Primary Care Networks are now choosing to take the opportunity to incorporate into a limited company structure, others continue to run through “lead practice” and various other recognised models.
So where does data protection fit in?
Whether your PCN runs through a limited company structure or not, usual PCN collaborative activity such as the employment of and sharing of staff, or the delivery of particular local health services will inevitably give rise to the sharing of personal data.
Whilst the General Data Protection Regulation 2016 (GDPR) should not be seen as a barrier to sharing personal data when required, it is important that Primary Care Networks and member GP practices comply with their obligations under GDPR whenever they share personal data. This can only be achieved by considering data protection from an early stage of your PCN plans, adopting the “data protection by design and by default” approach that GDPR itself requires (often referred to as “privacy by design”).
In many cases the personal data being shared within the PCN will be health information which is special category (previously known as sensitive personal data) and which requires further protection under GDPR, so it is important that appropriate measures are put in place.
NHS England has helpfully published a pro-forma Template Data Sharing Agreement that can be completed by PCNs. However, simply completing and signing this document will not be sufficient to discharge your obligations under GDPR, as an appropriately drafted data sharing agreement is just part of the puzzle in ensuring compliance with GDPR.
What steps should Primary Care Networks consider when looking at data protection?
A trap many organisations fall into when sharing personal data is to assume that, once they have signed a data sharing agreement or similar contractual document, they can share any personal data they like without restriction. This is an oversimplistic approach and ignores other factors that need to be considered. Below is a brief overview of some additional steps to consider:
#1 – Carry out a PIA
We would recommend that a key initial step is to carry out a Data Protection Impact Assessment (DPIA), still widely referred to as a Privacy Impact Assessment or PIA. A PIA helps organisations to identify and minimise the risks posed to data subjects when carrying out a new project or activity.
Under GDPR you must do a Privacy Impact Assessment before you begin any type of processing that is likely to result in a high risk to the rights and freedoms of individuals, and this would be advisable where personal data will be shared through a PCN.
A Privacy Impact Assessment should:
- Describe the processing you are undertaking and the intended/desired outcomes of your processing;
- Assess the nature and sensitivity of the data being processed; and
- Consider the nature of your relationship with the data subject.
This information will allow you to assess the necessity and proportionality of the processing activity. Wherever risks to the data subject’s rights are identified, the Privacy Impact Assessment should set out how those risks will be addressed or mitigated.
#2 – Map the data flows
The PIA should clearly record what data will be shared (and how) between the PCN member practices and, if the PCN is incorporated, between the member practices and the corporate vehicle.
Do not forget to consider any third party stakeholders the PCN may engage with, and the third party suppliers of individual member practices who may gain access to the personal data of other practices once data sharing goes ahead. For example, an IT support company may support one GP practice in the Primary Care Network but not the others; once personal data is shared within the Network, that supplier may then have access to the personal data of the other member practices as well.
With wider data sharing throughout the Network the number of people with access to the data will inevitably increase so it is important this is recorded in the data mapping and the PIA and managed correctly.
#3 – Establish a lawful basis and condition for processing special category data
A key part of the PIA will be considering the lawful basis for the processing and the lawful basis for transferring that personal data to other member practices and/or to any corporate PCN vehicle, as transferring personal data is a type of data processing.
When processing special category data such as health data, race, religion etc. under GDPR you need both a lawful basis for processing (under Article 6) and a separate condition for processing special category data (under Article 9), so it is important that you can identify and document both.
#4 – Consider the data minimisation and purpose limitation principles
You should consider the ways you can minimise the personal data you process or transfer within the Network, as data minimisation is a key principle of GDPR compliance. Under the data minimisation principle you must ensure the personal data you hold is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed, and this should be applied to any data sharing initiative.
The purpose limitation principle should also be applied: it prevents you from using personal data for new purposes that are incompatible with the original purpose for which you collected the data. You should document the purposes you collect data for in your privacy notices and ensure you stick to those purposes. Wider data sharing may mean you need to update the purposes set out in your notices and policies going forward.
#5 – Consider Privacy Policies and Notices
As part of the PIA you carry out, you will need to consider what your existing privacy policies and notices say and whether or not they need to be updated now your practice is part of a Primary Care Network or your PCN’s activities have expanded.
Transparency is key here and it is important that patients are aware of how their data is processed and who it will be shared with and why.
#6 – Data Sharing Agreements
Finally, if it is determined that you can share personal data with another practice or practices within your Network and/or with a PCN corporate vehicle, you will then need to tackle the contractual documentation and ensure adequate protections are put in place before data is shared.
You need to consider how the personal data will be transferred and stored securely, and also ensure contractual protections are in place between the practices sharing personal data governing the data protection standards which will apply to that data. The NHS England Template Data Sharing Agreement serves as a good starting point but will need to be tailored to your Primary Care Network’s requirements.
A key challenge will be identifying whether one practice will be acting as a data processor for other practices in the Network, whether the transfers will be controller-to-controller transfers, or whether the practices are joint controllers, and this can be a complex area of data protection law. If one practice is acting as a data processor for another, further measures will need to be taken in line with the requirements for appointing data processors set out in the GDPR, including a written contract containing the terms required by Article 28.
You will also need to agree respective responsibilities between the practices with respect to handling complaints and subject rights requests and each practice’s responsibilities in the event of a potential data breach. Inevitably PCN members will have varying levels of existing data protection knowledge, experience and compliance in their own practices which will impact on how easy it will be to implement these measures.
Next Steps for Primary Care Networks
PCNs aim to improve efficiency and better support local patient populations, and they unlock further funding for practices. Their evolution will be key for an NHS under unprecedented strain, and working together will only strengthen the resilience of individual practices. It is, however, important that data protection is factored into your Primary Care Network plans and is not just tacked on as an afterthought.