In May, the UK will formally adopt two EU initiatives to safeguard essential infrastructure and services and to protect personal data. Highland Marketing outlines the key points of the Network and Information Systems Directive and the General Data Protection Regulation, both of which are likely to have a significant impact on health and care.
While the debate about how Britain will exit the European Union continues to rage, two important EU directives are about to come into force.
The first is the General Data Protection Regulation, which takes effect on 25 May, and the second is the Network and Information Security Directive, which takes effect two weeks earlier, on 10 May.
While it’s the GDPR that has attracted most attention, the second may have as big an effect on the NHS and its suppliers. The maximum fine for failure is the same in both cases – an eye-catching 20 million euros or 4% of global turnover.
The General Data Protection Regulation (GDPR)
What is it?
EU Regulation 2016/679 is intended to unify and strengthen data protection rules for EU citizens and residents. It aims to give them significantly more control over their personal data, while strengthening data protection frameworks, and introducing tougher fines for breaches.
The UK government is bringing the GDPR into UK law via the Data Protection Bill, which was introduced to Parliament last September. This also updates other aspects of data protection legislation, including the laws that cover the Information Commissioner’s Office and the use of data in law and terror investigations.
The government must pass the legislation in time for the GDPR to come into force on 25 May. The negotiations for Britain to leave the EU will not affect this. Introducing the Bill to Parliament, Matt Hancock, the minister of state for digital, said it would “prepare Britain for Brexit.”
The EU’s GDPR portal says the directive is “the most important change in data privacy regulation in 20 years”, although the UK government and the Information Commissioner’s Office have stressed that there is continuity between current data protection laws and the new regime.
The EU flags the big changes as: the territorial scope of the directive (it will apply to data on EU citizens and residents, wherever that data is processed); and the size of the fines (which will apply to any breach of the regulation, not just to data breaches).
Other changes include tougher rules on consent (“the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached”), new rights for people to access the data that organisations hold on them, a “right to be forgotten”, and a requirement for organisations to build in “privacy by design” and to appoint expert data protection officers.
Health and care organisations will be expected to comply with the new regulation. The Information Governance Alliance, a coalition of NHS bodies with an interest in IT, has issued guidance for chief executives that flags up some key clauses to consider.
In addition to the points above, its ‘headline impacts’ include: a requirement to consider data protection issues when setting up services that involve data processing; a requirement to carry out ‘data protection impact assessments’ for ‘high risk processing’; a requirement to keep records of data processing activities; and tighter rules “where consent is the basis for processing.”
What’s the latest advice?
The IGA has been updating an FAQ document as information has been released on aspects of the GDPR, such as what a ‘data protection impact assessment’ should look like. But its website admits that “the IGA is experiencing delays in the publication of advice material.”
The Information Commissioner’s Office has also been publishing guides to the GDPR for different organisations. The latest version of its health advice looks in detail at some particularly vexed issues, such as consent. This is one of six ‘legal bases’ for holding and processing personal information, and the ICO warns that the GDPR “sets a high standard” for working with it.
Consent “requires a positive opt-in”, a “very clear and specific statement of consent” not a “blanket” approach, and an easy way for “people to withdraw consent.” The ICO advises “public authorities and employers to take extra care to show that consent is freely given, and should avoid over-reliance on consent.”
Is the NHS ready?
In an interview with Highland Marketing, David Stone, managing director of Kaleidoscope Consulting, says there is a lack of IG capacity in the NHS. This has led many organisations to wait for central advice on the GDPR that has been slow to emerge.
He is also concerned that preparations for the GDPR have shown up poor data protection processes at many organisations, and that many bodies are treating it as a “tick box exercise” or getting hung up on consent. He advises organisations to try and understand what the GDPR is looking to achieve, and to use it as an opportunity to embed good data protection processes and culture.
The Network and Information Security Directive (NIS)
What is it?
The EU describes the NIS directive as “the first piece of EU-wide legislation on cybersecurity”. If the GDPR is trying to harmonise measures to protect data, then the NIS is trying to harmonise measures to protect digital infrastructure and services.
What does it say?
The NIS requires the member states of the EU to be “appropriately equipped” to defend themselves against cyber-attack. For example, it says they should have a computer security incident response team or CSIRT in place.
It also requires them to encourage “a culture of security across sectors that are vital for our economy and society” and to draw up security and notification processes for “key digital providers” such as cloud computing vendors.
How does it impact the NHS?
The National Cyber Security Centre ran a consultation to determine which organisations should be designated as ‘operators of essential services’. At the end of the consultation, the government confirmed that “non-primary NHS healthcare” organisations would be classified as OES.
NHS trusts and their equivalents in Scotland, Wales and Northern Ireland will be required to follow cyber security regulations set out by their sector regulator (effectively, NHS Digital) and to report security breaches to it. In the event of a breach, the regulator will be able to investigate and impose the fines described above.
In a statement issued to digitalhealth.net, NHS Digital said it “welcomed” the new measures because they would support its efforts to improve cyber-security in the health service. The government, NCSC, and NHS Digital have all stressed that financial penalties will be “a last resort.”
How does it impact vendors?
OESs will be expected to hold their IT suppliers to account for the services they provide.
Meanwhile, companies that are designated as “digital service providers” will be expected to “ensure a level of security appropriate to the risk posed” by the services they provide, to have an incident response service in place, and to report breaches to the appropriate authority.
The directive lists search engines, online marketplaces and cloud computing services as DSPs. The NHS is being encouraged to make more use of cloud computing services, but compliance with the NIS is likely to become one of the requirements for doing business with it.
What’s the latest advice?
The NCSC has published an introduction to the NIS directive that outlines the main points, sets out its role, and starts to explain how it will work with other ‘competent authorities’ (once they are formally established). NHS Digital has yet to issue further guidance.
Will the NIS really affect the NHS?
Dr Saif Abed, founding partner of consultancy and Highland Marketing partner AbedGraham, predicts that the NIS directive will be significant.
In digitalhealth.net’s predictions for 2018, he said it should reinforce the message that “it is no longer acceptable for critical services such as healthcare to be significantly disrupted by a cyber-security incident.” More practically, he said it should encourage the appointment of chief information security officers to work with chief clinical information officers on best practice and staff training.
In its press release announcing the steps that it is taking to implement the NIS directive, the Department of Culture, Media and Sport noted that it is designed to prevent and respond to incidents such as last year’s WannaCry attack.
The clear implication is that, if a similar cyber-incident affected health organisations to the same degree, they could be subject to regulatory action – and, of course, those very large fines.