GDPR and Health and Social Care - Kate Francis, Programme Manager, Health and Social Care
Much of the citizen experience thus far with GDPR consists of receiving emails from every mailing list we’ve ever subscribed to asking us to reconfirm our wish to receive emails or telling us about updates to their data policies. On a personal level, companies are attempting to bring citizens along with their thinking on data protection and privacy. But how is GDPR likely to affect an important part of everyone’s lives, health and social care? As the health and social care industries generate and utilise large quantities of data in their daily operations, the introduction of GDPR is an important development.
techUK has been exploring these issues with members and experts over the past year. This included an event dedicated to exploring the impact of GDPR on Health and Social Care as well as publishing several guest blogs exploring some of the issues. Many techUK members working in health and social care believe GDPR should be seen as an opportunity to be seized to change the way we think about data. Greater rights for individuals to control their health data, along with the promise of better data portability, have the potential to spark innovation by encouraging the exploration of new and exciting uses for accessible data to help citizens self-manage and self-care. On a macro level, GDPR can be seen as an opportunity to build the trust required to enable the digitisation of health and social care. There is huge potential for technology to transform health and social care, but citizens need to trust suppliers and the NHS with their data to help with this change.
Defence Cyber Protection Partnership - Fred Sugden, Head of Defence
The UK Defence Industry and its primary customer, the Ministry of Defence (MOD), have their own set of unique challenges when it comes to the protection of data. Much of the data used by the MOD and its supply chain is extremely sensitive, meaning it must be adequately protected in order to maintain military capabilities and operational resilience. As such, the MOD and its suppliers are subject to heightened data protection and cyber security measures, which go beyond the standard requirements in other industry sectors.
To better protect the sensitive data that resides in the defence supply chain, the MOD and industry formed a joint initiative, the Defence Cyber Protection Partnership (DCPP), in response to the cyber threats faced in defence. Through the partnership, the MOD has created a number of cyber security standards which have to be met in order to contract with the department. Based on the Cyber Essentials scheme, the standards are set out in a Cyber Security Model, which outlines the proportionate security controls to be implemented and the evidence of this to be submitted as part of all MOD contracts.
From April 2017, the new requirements were introduced at the Prime contractor level only, and in October 2017 the requirements were flowed down the supply chain through the Primes in the form of a new Defence Condition – DEFCON 658. At the time of writing, several examples of the new cyber protection requirements being flowed down to the fourth tier of the supply chain have been seen, showing that the DCPP has produced a more robust system to protect its data. techUK strongly advises any organisation working in defence to obtain, as a minimum, Cyber Essentials or Cyber Essentials Plus (or preferably both) accreditation, in order to avoid interruptions to their businesses.
GDPR can be more than just a compliance issue for local government – Georgina Maratheftis, Programme Manager, Local Government
The EU General Data Protection Regulation (GDPR) comes into effect in the UK and across Europe on 25 May 2018. The GDPR, which represents the most significant reform of data protection laws for twenty years, will have implications for organisations across all sectors that collect and process personal data. The implications for local government are widespread. However, GDPR should not just be seen as a compliance exercise but the opportunity for councils to transform services by putting data at the heart of working and service design. Putting in place robust information and data governance is an important condition in creating an environment for successful transformation.
Building a culture of data trust
To help raise awareness of GDPR amongst our members who are active in local government, and amongst councils themselves, we held a briefing session with industry experts and council leaders on the implications of the new regulation for the local government market last October. Overall, the recurring theme was that GDPR can help build a culture of data trust within the organisation as well as with citizens.
Trust is the biggest barrier to data sharing, but councils can use GDPR as an opportunity to reinvigorate training and awareness raising across the organisation to build confidence, as well as to put citizens at the heart of service design. Information and data are incredibly important to public service, in terms of both intelligence value and helping design citizen-centered services. As such, GDPR means councils should now review what information they hold and how they manage it, and fundamentally review their policies. GDPR will also require councils to put in place proper data governance. This will help build stronger relationships with more accurate, meaningful data. As a result, councils will have the quality data needed to design services that are more predictive and user-centric. Ultimately, ensuring good data quality will help put insights at the heart of driving service improvement.
Making the case for transformation
Data sits at the heart of creating the environment for successful transformation and GDPR is a hook that can also help make the case for it at senior management level to get going on a digital transformation project/journey. It's also an opportunity to bring together transformation, privacy and the data agenda and overcome any collaboration deficits in the councils.
A journey beyond May
GDPR is an ongoing process and organisations need to change the way they think about data. It goes beyond May 2018. Councils should not just see the new regulation as a compliance issue but one that can help make the case for transformation and be the lever for creating a culture of data trust and confidence.