The NHS European Office's Sarah Collen unpacks what Brexit could mean for data privacy and cyber security and what NHS organisations need to know, and do, ahead of May 2018.
Since the result on 24 June, we have received a number of enquiries about what lies ahead for the new EU law on data privacy and complementary EU legislation on cyber security. Will they ever be applied in the UK in light of the Brexit vote?
Both pieces of mutually reinforcing legislation – the EU General Data Protection Regulation and the Directive on Security of Networks and Information Systems – are important for the NHS. Data privacy legislation is important because it regulates how personal data is managed and processed, and defines the purposes for which the health sector can lawfully process personal data.
The legislation on cyber security is also relevant as healthcare has been identified as an ‘essential service’ in the new law. Accordingly, healthcare providers will be required to take “appropriate and proportionate technical and organisational measures” to manage cyber security risks.
But what will be the impact of Brexit on both pieces of legislation?
Prime Minister Theresa May has confirmed that Article 50 will be triggered by no later than March 2017. Once this happens, the UK will enter into a complex and difficult negotiation with the 27 EU member states and European institutions. While the UK government has not outlined its negotiating position yet, it has become clear that controlling immigration is a priority.
This raises questions over what level of access to the EU single market the UK will be able to secure. Senior EU decision-makers have on several occasions insisted they will not allow the four EU fundamental freedoms which govern the EU single market – free movement of goods, services, capital and people – to be split.
In the event that the UK remains part of the single market, EU regulation on the single market would most likely automatically apply. Were the UK to leave, this would mean that the set of EU laws that regulate the market would no longer automatically apply, leaving the UK free to decide its own rules in a number of areas – including data protection and cyber security.
Whether inside the EU’s single market or out, the UK will be confronted with the dilemma over the degree of regulatory convergence it will want to maintain, or not, with the EU in future.
While it is impossible to look into a crystal ball and see what lies ahead for the future UK-EU relationship, I believe I can offer some clarity, at least for the short term.
Both pieces of legislation have already been agreed. The deadline for implementation of both laws is May 2018, when the UK is highly likely to still be a member of the EU. In light of this, the UK government has recently confirmed that the UK will be implementing the EU Data Protection Regulation.
The culture secretary Karen Bradley MP used her appearance before the Culture, Media and Sports Select Committee on 24 October 2016 to say:
“We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.”
This being the case, the NHS is preparing to implement both pieces of legislation to deadline.
Regarding the future, in her first speech as information commissioner for the UK, Elizabeth Denham said:
“When the UK leaves the EU (based on what we know today – 2019 or later) a new data protection law will need to be in force… The aim is a progressive regulatory regime that stands up to scrutiny, that doesn’t leave the UK open to having rocks thrown at it by other regimes. And that has consistency and adequacy with the Europe.”
Considering this, and the business interest in continuing regulatory alignment with the EU, my view is that in the long term the UK will see the EU’s data protection and cyber security legislation – or something very similar – applied to the UK.
From a health and social care perspective, it is also important to remember that data protection and cyber security chime very much with recent developments nationally, such as the Caldicott review on data security, consent and opt-outs and the Wachter review on harnessing the power of IT to transform care. It is unlikely that we will see any radical departures from the EU law in the coming years.
With that in mind, here’s how you can start to prepare for both pieces of legislation.
- Read our briefing! We have produced a short briefing on data protection for information governance leads in hospitals to help them to prepare.
- Conduct the necessary impact/risk assessment or audits so that you are able to identify and analyse your risks as an organisation. Analyse the threats and gaps, but think about opportunities too – data protection is a key enabler of innovation and better care.
- Think about a response team, for both data privacy issues and cyber incidents.
- Prepare a response plan – how are you going to respond to the different types of incidents and meet notification/reporting requirements?
- Put together a policy which defines how you will implement the legislation. Be able to demonstrate how you are compliant with it.
- Put together a budget – for NHS trusts, think about how you can get funding for your plans. Can you use some of the Treasury money for NHS digitalisation to support these initiatives, which are crucial elements of any digitalisation strategy? A word of warning: under the EU data protection law, copies of medical records will need to be provided to patients without charge, so you need to plan for this loss of income.
- Train staff and get the message out.
Sarah Collen is a senior policy manager at the NHS European Office, part of the NHS Confederation. Follow the organisation on Twitter @NHSConfed_EU