December 2, 2015

Data Protection - Healthcare data security in the wake of Vidal-Hall

Extra vigilance is required to ensure that data is kept securely.

With the recent change in how the law is interpreted, all healthcare providers, and those who insure them, are now at increased risk of claims under the UK’s Data Protection Act 1998 (DPA). With the vast majority of healthcare providers relying on electronic and online systems to store records, the market will need to assess whether insureds have sufficient cover in light of the change. While the decision in Google v Vidal-Hall [2015] concerned the placing of cookies on a web browser, its impact on healthcare providers could be huge given the sheer volume of sensitive personal data they hold.

Historically, a breach of the DPA could only result in a claim for compensation for distress under s13(2) where the claimant had also suffered financial loss (“damage” under s13(1)); distress alone was not enough. The Court of Appeal in Google v Vidal-Hall ruled, however, that this reading of s13 was incompatible with the right to an effective remedy under the EU Charter of Fundamental Rights and, as the law now stands, the requirement to prove financial loss has been removed.

In the context of medical information and records, it was in the past difficult for a claimant to demonstrate that a breach had caused them financial loss, so the claim would fail. Following Vidal-Hall, a claimant need only demonstrate that there has been a breach of the DPA and that it has caused them distress in order to bring a claim.

In recent years, the Information Commissioner’s Office (ICO) has expressed concern about the standard of data security across the health sector as a whole and has issued a number of significant fines where organisations failed to take appropriate steps to safeguard medical information. Indeed, the ICO has previously confirmed that it would regard the loss of medical records as a “serious contravention” of the DPA and, given the expectation that medical records will be kept securely, it is difficult to imagine a scenario in which a claimant could not demonstrate distress as a result of a breach involving their medical data.

While the likely quantum of any individual claim may well be small, there have been a number of well-publicised data breaches in which the records of hundreds or even thousands of individuals were compromised. The recent breach in which an HIV clinic exposed its patients’ email addresses to one another in a mass mailing is an example of how a simple human error can result in a significant breach.

Google has been granted permission to appeal Vidal-Hall to the Supreme Court, but until a decision is handed down, healthcare providers should be extra vigilant in ensuring that data is kept securely and managed appropriately. Awareness of data security risk needs to be embedded at every level of an organisation, and policies and procedures should be reviewed and tightened. Those who insure healthcare providers will need to assess whether existing “traditional” policies extend to claims arising from a breach of the DPA, and how claims for cover will be handled if and when a breach occurs.