An introduction to the protection of personal information in the healthcare practice

8. The 8 conditions for lawful processing of PI

8.7. Security Safeguards (Sections 19-22)

Topics

  1. Integrity
  2. Confidentiality
  3. Risk management
  4. Operators
  5. Notification of breaches


1. Integrity

A RP must secure the integrity of PI in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to or unauthorised destruction of personal information.

Backup regime

If your practice operates on your own server and does not have a proper backup regime in place, you are vulnerable to data loss due to viruses, ransomware, hardware failure, theft or fire.

The data that you collect in your software is of the utmost importance, and each practice should make it a priority to contract an expert IT consultant to ensure that its IT is handled properly. It is imperative that your hardware is kept up to date and that your backup process is implemented with all due diligence.

It is the responsibility of the practice to verify the validity of backups by checking that backups were successful with no errors and to confirm that backup files are present at the backup locations after every backup. If there is any indication that the backup is not successful, it is the responsibility of the practice to contact the IT company immediately to resolve the problem.

A big concern is that practices do not implement proper security precautions for their servers, making the data especially vulnerable to viruses and ransomware. Best practice dictates that no emails should be opened on a server and that proper firewall protection for your server should be implemented.

The following internal controls diagram describes the processes that should be followed during the year in every practice. You will notice that each period ends with a backup to be made of the data. Different sets of hardware should be used for the different backups, as some viruses go undetected for a while.

A good procedure is to have different hardware for:

  1. Monday to Friday backups
  2. Week 1-4 backups
  3. Month 1-4 backups
  4. Yearly backups.

Make independent backups i.e. to different USB media instead of rewriting to one medium. If a virus is picked up on Week 3 of Month 2, and you notice the virus only during Week 1 of Month 4, you will at least have an uncorrupted backup from Week 2 of Month 2 and not lose all your data.

Verify backup media after making a backup by testing archives and file sizes.

It is imperative that backups be kept off site in case of theft or fire. Leaving a backup device connected to the PC will not be of any use in such circumstances or in case of ransomware or viruses.
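The rotation and verification steps above, as an added Python example that is not part of the course material: it names the media set a given day's backup belongs to and runs the checks a practice should perform after each backup (archive present and not suspiciously small, every member passes its CRC test, a SHA-256 recorded to compare the off-site copy against). The media names, the zip format and the rules that the Friday backup goes to the weekly set, the last working day of the month to the monthly set and the last working day of the year to the yearly set are assumptions.

```python
import hashlib
import io
import zipfile
from datetime import date, timedelta

DAILY = ("Mon", "Tue", "Wed", "Thu", "Fri")

def rotation_slot(day):
    """Media set for the backup taken on `day` (a date or ISO string).
    Highest-ranked set wins: yearly > monthly (4 media, cycled) >
    weekly (4 media, cycled) > daily (one medium per weekday)."""
    if isinstance(day, str):
        day = date.fromisoformat(day)
    if day.weekday() > 4:
        raise ValueError("backups run Monday to Friday only")
    nxt = day + timedelta(days=1)
    while nxt.weekday() > 4:            # next working day, skipping the weekend
        nxt += timedelta(days=1)
    if nxt.year != day.year:            # last working day of the year (assumed rule)
        return "yearly"
    if nxt.month != day.month:          # last working day of the month (assumed rule)
        return "month-%d" % ((day.month - 1) % 4 + 1)
    if day.weekday() == 4:              # Friday closes the week (assumed rule)
        return "week-%d" % ((day.day - 1) // 7 % 4 + 1)
    return "daily-" + DAILY[day.weekday()]

def verify_backup(archive, min_size):
    """Post-backup checks: archive not suspiciously small, every member
    passes its CRC test, SHA-256 recorded to compare the off-site copy."""
    report = {"size": len(archive), "sha256": hashlib.sha256(archive).hexdigest()}
    if len(archive) < min_size:
        report.update(ok=False, reason="archive smaller than expected")
        return report
    try:
        with zipfile.ZipFile(io.BytesIO(archive)) as zf:
            bad = zf.testzip()          # name of first corrupt member, or None
            report["members"] = len(zf.namelist())
    except zipfile.BadZipFile:
        report.update(ok=False, reason="archive is not a readable zip file")
        return report
    report.update(ok=bad is None, reason=None if bad is None else "CRC failure in " + bad)
    return report

def sample_archive():
    """Constructed sample standing in for the practice's database export."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("patients.db", b"constructed placeholder data " * 100)
    return buf.getvalue()
```

Run `verify_backup` against the copy on the off-site medium as well and compare the two `sha256` values; a mismatch means the off-site copy is not the backup you verified.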


2. Confidentiality

A RP must secure the confidentiality of PI in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent unlawful access to or processing of PI.

You can take the following practical steps to secure confidentiality of PI:

  1. You have an access control policy which specifies that users must follow your practice's procedures in the use of PI, for example passwords on software.
  2. You implement a formal user access provisioning procedure to assign access rights for employees (including temporary staff) and third-party contractors to all relevant systems and services required to fulfil their role, for example a 'new starter process'.
  3. You restrict and control the allocation and use of privileged access rights.
  4. You keep a log of user access to software holding PI.
  5. You regularly review users’ access rights and adjust or remove rights where appropriate, for example when an employee changes role or leaves the practice.


3. Risk management

To give effect to the duty to secure the integrity and confidentiality of the PI, the RP must take reasonable measures to manage the risk by:

  1. identifying all reasonably foreseeable internal and external risks to personal information in its possession or under its control
  2. establishing and maintaining appropriate safeguards against the risks identified
  3. regularly verifying that the safeguards are effectively implemented
  4. ensuring that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.

The responsible party must have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations. Amongst other things, this may include information security policies, access controls, security monitoring, and recovery plans.

Compliance is therefore an ongoing concern that needs to be managed as a project in its own right.


4. Operators


Take note:

In this diagram, the bureau is an operator of the practice, and the software can either be an operator, if it directly contracts with the RP, or it can be a sub-operator, if it contracts with the bureau.

An Operator processing PI on behalf of a RP or a sub-Operator processing PI on behalf of another Operator, must:

  1. process such information only with the knowledge or authorisation of the RP
  2. treat PI which comes to their knowledge as confidential and must not disclose it.

A RP must have a written contract with the Operator to ensure that the Operator which processes PI for the RP establishes and maintains the security measures as required of the RP.

Using clear and comprehensive contracts with your Operators helps to ensure that everyone understands their data protection obligations and is a good way to demonstrate this formally.


5. Notification of breaches

The Operator must notify the RP immediately where there are reasonable grounds to believe that the PI of a DS has been accessed or acquired by any unauthorised person.

Where there are reasonable grounds to believe that the PI of a DS has been accessed or acquired by any unauthorised person, the RP must notify:

  1. the DS, unless the identity of such DS cannot be established
  2. the IR.

The notification must be made as soon as reasonably possible after the discovery of the compromise, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the RP’s information system.

The notification to a DS must be in writing and communicated to the DS in at least one of the following ways:

  1. mailed to the DS’s last known physical or postal address
  2. sent by email to the DS’s last known email address
  3. placed in a prominent position on the website of the RP
  4. published in the news media
  5. as may be directed by the IR.

The notification must provide sufficient information to allow the DS to take protective measures against the potential consequences of the compromise, including

  1. a description of the possible consequences of the security compromise
  2. a description of the measures that the RP intends to take or has taken to address the security compromise
  3. a recommendation with regard to the measures to be taken by the DS to mitigate the possible adverse effects of the security compromise
  4. if known to the RP, the identity of the unauthorised person who may have accessed or acquired the PI.

The IR may direct a RP to publicise, in any manner specified, the fact of any compromise to the integrity or confidentiality of PI, if the IR has reasonable grounds to believe that such publicity would protect a DS who may be affected by the compromise.