The unprecedented speed at which the coronavirus has proliferated has forced all of us to adopt a “new normal”: to stay at home and respect social distancing to help reduce the immense burden on the National Health Services. This remains the case and indeed becomes even more critical as health services start to address the health backlog that has developed during the peak.
The effects of the pandemic will continue to create pressure on the health service for some time to come and, the NHS organisations across the country have turned to technology, in the form of video appointments, consultations, and telemedicine to help cope with the crisis.
Clearly, the pandemic has showcased the strengths and weaknesses of our current healthcare system and its capabilities. It has also caused the rapid adoption and scaling up of new technology to help meet unprecedented change in demand.
We have all recognised for some time the potential for technology to transform the way healthcare is delivered. It is also true to say that Technology Enabled Care Services (TECS) have not been a success story to date but could there be a burst post COVID-19? Are we going to be more open to leverage TECS to help fight any future waves of pandemic?
While we might not have clear answers yet, one thing is certain – the effects of the pandemic will linger. TECS are key for the transformation of services to vulnerable members of the society facing extended isolation. Some aspects of our life have radically changed, including the way we manage our health going forward, leading to the increased adoption of TECS.
We have started seeing some early signs: as per TechCrunch, “Google has started highlighting virtual care options in Search and Maps.”
What are Technology Enabled Care Services?
TECS can utilise a range of different technologies, notably, self-care apps (which help people self-manage their wellness), telemedicine/teleconsultations (which facilitate remote consultations through live videos, phone calls) and telehealth (remote monitoring of patients in their own homes, for instance, post-surgery, hypertension monitoring) to deliver care at a distance. TECS have various capabilities, from managing individual wellness and lifestyle (for instance, hair loss) through to behavioural health (stress, addictions, women’s and men’s issues) and certain complex multiple long-term conditions.
From a practical perspective, TECS can ease the pressure on health and care services by reducing physical attendances and admissions, reducing the time spent on routine observations and tests, and protecting those who are most vulnerable. TECS provide remote access to expert opinions to patients in the comfort of their homes, with no need to travel and reduce anxiety through self-care – effectively presenting advantages to both the health and care services as well as the patients.
For patient centric TECS to be fully effective, they require seamless integration with wider health and social care services. They need the underlying infrastructure (hardware, networks), the core enablers (such as shared electronic care patient record), the integration enablers (communications across multidisciplinary teams) and the patient enablers (the technology).
The information management technology and the technology infrastructure must be aligned, based on a carefully designed digital transformation roadmap.
From a regulatory standpoint, they also need to meet certain medical requirements and privacy requirements. The digital infrastructure must ensure secure connection between patients and physicians. Much of the technology has already existed, but more is being quickly developed to help the health and care system.
Information governance must not be an after-thought, and it is key to embed the right controls by placing the patient and their data at the centre of the TECS right from the design of the TECS, and throughout its life cycle.
Whether it’s crisis time or not, keeping patients’ trust is crucial, even more vital when the types of data processed fall within special category of data which require higher safeguards under the General Data Protection Regulations (GDPR) and the Data Protection Act 2018.
Some of the key risks posed by the convergence of technology and special category of data are as follows:
- Monitoring: Telemedicine for instance allows the continuous observation of one’s own condition (physiological and physical) through body and/or home sensors. These techniques can be privacy intrusive and could lead to continuous surveillance.
- Loss of control over personal data: Vast amounts of personal health data may be collected, without the awareness of patients, hence, free and informed consent is questionable.
- Security: TECS can be an attractive target for cyber criminals looking to profit from the sensitive and valuable data they store. Ineffective data security has the potential to reverse the clinical benefits that result from remote monitoring. For instance, if a device is hacked into, the location of a patient can be tracked, and harm can be inflicted to the patient.
As a TECS provider to the health and social care services, what are the key information governance controls you need to consider, ensuring that data protection and confidentiality requirements are embedded in TECS?
(1) Flow of data
It is essential to understand and document the different types of personal data and special categories of data that will be processed, the various parties which will be involved, the relationships between the parties and the data protections obligations that arise due to the nature of the relationships and the geographical locations to which data will flow. This should easily help create a data flow map which can feed in the records of processing activities to have preliminary idea of risks posed by the data processing.
(2) Data Protection Impact Assessments (DPIAs)
Once the mapping is completed, a data protection impact assessment is essential to help identify and minimise any data protection risks posed by TECS on the outset and throughout the lifecycle of the technology.
It must not be conducted as a mere ‘tick the box’ exercise. A DPIA is a dynamic undertaking which is kept under review and is even more mandatory in the case of TECS, as processing relates to vulnerable individuals and special categories of data, possibly in large volume, likely to result in high risks to individuals.
A thoroughly conducted DPIA must provide insight into the following:
- The different categories of data subjects whose personal data will be processed;
- The different purposes of the processing;
- The necessity, proportionality of processing, especially where monitoring takes place and any sharing of personal data with third parties;
- The risks presented to different categories of data subjects, such as children, vulnerable individuals;
- The different geographical locations to which data might flow (for instance, for cloud hosting purposes) and whether these locations are considered as ‘third countries’;
- The different ways through which meaningful notices will be provided and consent will be gained, recorded and revoked, where relevant;
- The processes which will facilitate patients exercise their data protection rights;
- The security risks posed, appropriate technical measures required to mitigate the security risks, and how incident response will be managed.
The advice provided by your Data Protection Officer are key and must be recorded. For any residual high risks which cannot be mitigated, a consultation with the Supervisory Authority is important before the technology can be deployed.
(3) Implementation of the outcomes of your DPIA
For optimising the protection and security of patients’ data, there will be an absolute requirement to implement adequate privacy enhancing controls. These can be a combination of various measures, depending on the nature of the processing and the type of technology, such as:
- Minimising data by implementing techniques such as, anonymisation, reduction of precision/granularity in data collection, early deletion of unnecessary data, amongst others.
- Masking data, where possible, such as, control of privacy of metadata in electronic communications, encryption of stored information or information in transit from patient to server, etc.
- Separating data – partitioning of attributes of databases, where relevant
- Applying the necessary access controls, such as multi-factor authentication, identity access management technologies.
- Access controls required, for instance, whether two factor authentication would be an adequate extra security step.
Timely information must also be provided to individuals to comply with the higher standard of transparency mandated by the GDPR through clear privacy notices. To ensure the information is accessible to all potential audiences, it may be necessary to use multiple formats and communication channels. This must include easy read versions, translations, and notices suitable for vulnerable data subjects such as children.
The nature of relationships can be complex in the context of TECS where several parties are involved. Data processing agreements (controller to processor relationship) and/or data sharing agreements (controller to controller) may need to be implemented to govern the processing activities, the obligations and document the controls in place to protect data.
The pressure on health and care services has never been greater and TECs are more important than ever but the data protection and security safeguards must be equally balanced by taking a privacy by design and default approach.
At Gemserv, we work with both health services and technology providers to help enable service transformation; improving outcome, while improving affordability and protecting patients’ data.
To understand more about how we can help you rapidly transform existing services into sustainable, future proof operations in the context of the “new normal”, please contact firstname.lastname@example.org.