Here we discuss the United Kingdom governance relating to the use of mobile phones for clinical photography. There are obscene amounts written on patient data protection. We have attempted to navigate the various sources to provide some clarification!
Each NHS Trust has its own Information Governance Handbook. It aims to provide a way for employees to deal various rules set out in a plethora of places. The "Key Information Governance Policies" are:
Relevant policies and other guidelines are discussed in the sections below. You should always refer to your trust's Information Governance Handbook.
The General Medical Council (GMC) has a published guide relating to the "Making and using visual and audio recordings of patients".
The key takeaways:
- Serious or persistent failure to follow the guidance will put your registration at risk.
- Respect patient wishes.
- Make recordings only where you have appropriate consent or other valid authority for doing so.
- Disclose or use recordings from which patients may be identifiable only with consent or other valid authority for doing so
- Make appropriate security arrangements for storing recordings.
- Be familiar with, and follow, the law and local guidance and procedures that apply where you work.
A few excerpts are particularly relevant.
You must get the patient’s consent to make a recording that forms part of the investigation or treatment of a condition, or contributes to the patient’s care, except in the circumstances described in paragraph 10. You should explain to the patient why a recording would assist their care, what form the recording will take, and that it will be stored securely.
Recordings made as part of the patient’s care form part of the medical record, and should be treated in the same way as written material in terms of security and decisions about disclosures.
The Information Commissioner's Office (ICO) has a published a series of guides, codes and advice on how to comply with the Data Protection Act 1998 (DPA). Below we review some of the relevant ones.
The guide was created for those who have day-to-day responsibility for data protection.
The eight principles are (summarised):
- Personal data shall be processed fairly and lawfully.
- Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- Personal data shall be processed in accordance with the rights of data subjects under this Act.
- Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
This is a statutory code that explains how the Data Protection Act 1998 (DPA) applies to the sharing of personal data.
The key takeaways:
- Only share what is necessary.
- Information must be shared securely.
- Ensure you are giving information to the right person.
- Record your data sharing decision and your reasoning and include:
- What information was shared and for what purpose.
- Who it was shared with.
- When it was shared.
- Your justification for sharing.
- Whether the information was shared with or without consent.
It is worth noting that this code is designed for the sharing of any personal information. Where it talks about sharing information without consent, other codes, guidelines and laws suggest otherwise in a medical setting.
This guidance has been produced to help app developers comply with the Data Protection Act 1998 and ensure users' privacy.
The key takeaways:
- Personal information captured from the phone (e.g. a device identifier and photo metadata) can still be considered "personal data".
- It's vital to know where and how data will flow when your app is used, and who is in control of the data throughout the life cycle of the app.
- If a mobile app is the "Data Controller" they must register with the ICO.
- You should only collect and process the minimum data necessary for the tasks that you want your app to perform.
- When providing notices or information in your mobile app, use plain English and use language appropriate to your audience.
It is worth noting that PicSafe removes metadata from photos. It should also be noted that the user controls where the data is sent and is thus the "data controller". According to the registration self assessment, PicSafe is "under no requirement to register". Use of PicSafe, however, allows users to comply as a data controller.
In July 2016 the NHS published a report reviewing how data is safely and securely managed in in the NHS.
- Data security policies and procedures were in place at many sites, but the day-to-day practice did not necessarily reflect them.
- Data security systems and protocols were not always designed around the needs of frontline staff. This leads to staff developing potentially insecure workarounds in order to deliver good timely care to patients – this issue was especially evident in emergency medicine settings.
- All staff should be provided with the right information, tools, training and support to allow them to do their jobs effectively while still being able to meet their responsibilities for handling and sharing data safely.
- IT systems and all data security protocols should be designed around the needs of patient care and frontline staff to remove the need for workarounds, which in turn introduce risks into the system.
There are almost too many reports and guidelines to comprehend! Beyond what we discussed above, all other documents relating to patient privacy and mobile clinical photography mostly repeat the same points.