With GDPR (and digitalisation) transforming how healthcare professionals handle data, it’s now more apparent than ever that facilities can’t afford complacency when it comes to physical documentation, writes Mark Harper of shredding, baling and waste compacting machinery firm HSM UK.
Our National Health Service (NHS) astonishingly treats over one million patients every 36 hours – a number that has certainly increased under COVID-19.
However, with the current strain on our National Health Service (NHS) and the sheer number of patients they and private practices deal with, it’s fundamental that data protection procedures remain airtight.
Under GDPR, those in the sector are required to keep all special category data – both physical and digital, safe and secure. Although many have successfully implemented data protection regulations into their own practices, keeping compliant can be challenging, and an afterthought for some. Yet, with the threat of major penalties, fines and possible loss of licence, it’s clear that healthcare facilities can’t afford to let their standards slip.
Despite the majority of patient records being held digitally, a large number of healthcare professionals are still relying on pen and paper. For example, in 2018 it was reported that the NHS still used almost 9,000 fax machines across the country. Furthermore, many doctors continue to write sensitive patient notes into already full paper medical records, leaving a huge risk for this information to be misplaced or forgotten about.
From unsecured storage, to unauthorised access, paper documentation presents a number of security risks. And given the sensitive nature of healthcare documents, security breaches can be extremely serious for every healthcare facility, regardless of size, type or location.
Our own NHS has suffered investigations, fines and a public outcry after losing almost 10,000 patient records in 2017. And most recently patient records from a Northern Ireland hospital were found discarded on a public road, leading to an investigation by the Information Commissioner’s Office (ICO).
Just last year, a London based pharmacy was the first to be fined £275,000 by the ICO for failing to ensure the security of special category data. Approximately 500,000 documents, which included names, address and medical information were left in unlocked containers, at the back of the premises – leaving information on an unknown number of patients unsecure.
This is a stark reminder that the handling of physical documents is still an issue for many healthcare professionals. Rather than causing alarm, this should be a reminder as to why destroying physical documents, when no longer required, is crucial to remaining GDPR compliant.
Having strict procedures in place is fundamental in ensuring that a patient’s privacy and confidentiality is not compromised – especially when disposing of physical data. Still, paper is a constant factor that is landing organisations of all types in hot water.
To avoid potential ‘slip-ups’, it’s important for all organisations to upgrade their data protection procedures by investing in an in-house shredder system. From there, education is key. Employees at all levels of the organisation must understand the correct procedures of dealing with confidential and sensitive information – including what security levels they must shred their documents at.
As stated on the NHS Destruction and Disposal of Sensitive Data Good Practice Guidelines, documents containing Personal Identifiable Data (PID) should be micro cross cut shredded to a level of at least P-4/P-5 prior to disposal. In addition, under destruction methods, the guidelines refer to a 4x15mm shredding security as standard and something that’s employed by the CPNI for Government, MOD and security services. Teams that follow these guidelines will ensure paper documents are destroyed to a point where reconstruction is near impossible – thus removing the risk of data misuse through loss or theft.
Yet, back in November 2018, the CPNI removed approval for all mobile paper destruction service providers for all but the lowest ‘Official’ security classification. This means that any health establishment that is actively using an external onsite or off site shredding contractor to dispose of sensitive information may be doing so outside of NHS and CPNI guidelines, exposing the organisation to potential financial penalties, media exposure and reputational damage.
Furthermore, healthcare facilities that choose to use the appropriate in-house shredding systems can further guarantee that they’re shredding to a secure level. This is in comparison to external shredding services that leave too many unknowns, unnecessarily risking unauthorised access when entire documents sit for days or weeks in consoles.
Aside from this, data security best practices can also be followed – removing files from desks once finished and implementing a ‘shred all’ policy can further remove the danger of unauthorised viewing and paper documents being stolen or misplaced. Healthcare facilities, like others, can benefit from introducing a ‘shred little and often’ policy. Adding these policies to a data protection system can help ensure that individuals are doing everything theyh can to secure confidential information.
As the ICO illustrates, the neglect of physical data can not only have harmful consequences to reputation and business operations, but it can also lead to a loss of patient trust. With patient confidentiality at the heart of the data protection regulations, healthcare professionals simply can’t afford to slip up.
To elevate that pressure – especially for the NHS, it’s key to invest in effective physical document protection systems. Pair this with fully educated healthcare personnel, and healthcare facilities can remain compliant, guaranteeing the privacy of their patients for years to come.