You’ve read every blog and news article about GDPR. You’ve gone over every communication with the proverbial fine-toothed comb. You’ve analysed every GDPR risk and identified every piece of personal data. You’ve even issued swipe cards and assessed authorised privileges. You’ve instituted a GDPR-compliant process for every data eventuality and ensured thorough auditing of every document-related action. And then – come GDPR deadline day or later – some bright spark leaves a print-out containing patient details hanging out of the recycling bin.
While the above is unlikely to be commonplace in GP practices, it does bring to the fore the fact that the EU’s General Data Protection Regulation (GDPR) requires organisations to have security practices in place for both electronic and paper-based data. That means considering physical security – something that’s often overlooked – in order to be GDPR compliant.
Article 24 of the GDPR outlines an organisation’s responsibility to implement “appropriate technical and organisational measures” to ensure and demonstrate proper processing of personal data.
Article 32 goes a step further to explain that “In assessing the appropriate level of security, account shall be taken of the risks that are presented by processing, in particular, from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.”
An important aspect of this regulation is the emphasis on preventing unauthorised access. This is where physical security is essential. Specifically, it can help safeguard data against internal and external human threats that aim to exploit gaps within your organisation’s walls and through your workforce. This includes limiting what data can be observed, stolen or accessed.
Physical security can be implemented successfully by considering the flow of paper documents around the premises, the physical positioning of computer hardware, database access when on the move, and so on. Some questions to ask include:
- Can patients see a receptionist’s screen? Are screens visible from a window or door? If so, do you need to invest in a privacy screen?
- Do you recycle? If so, how are documents stored until they’re collected?
- Are documents containing personal data shredded? If so, this should happen immediately; they should not be left sitting around in a pile.
- How about files? What paper documents do you keep hold of and how are they securely stored?
- Do printers have access controls such as swipe card or PIN ID to stop documents falling into the wrong hands?
- How are passwords controlled? Do staff members write them down?
- Does anybody access any personal information remotely – at home for example? Do the above questions apply to them?
- Are any laptops securely locked to desks to prevent them being easily stolen?
Take it to the next level
Most of the above is common sense, but policies do need to be put in place to ensure GDPR compliance. And while it might seem like yet another part of this burdensome regulation that is just creating more work, it is an opportunity to think about overall premises security too.
Whilst the focus of premises security has traditionally been to safeguard medicines and staff, the NHS Information Governance requirements call for procedures to safeguard the security of hardware, software and information. Therefore, there must be measures in place to delay and prevent unauthorised access, to detect attempted or actual unauthorised access, and to ensure that there are procedures for staff to follow in the event that unauthorised access does occur.
Here are ten points from the NHS to bear in mind:
- Particular attention should be paid to the consultation and surgery areas. These are likely to contain patient or service user information on computers or in hard copy form. Paper copies of sensitive information should not be left unattended in the consultation/surgery area. Computer workstations in the consultation/surgery area, if left unattended, should be physically secured, and password protected when not in use.
- The dispensary area should never be left completely unattended during the hours of business. Pharmacies should consider the minimum number of staff required to be in attendance in the dispensary given the floor-space of the premises, the time of day and any other risks. Consideration should be given to the physical security of paper records and computer workstations, relative to risk. If necessary, specialist guidance on security may be available from loss adjustment/commercial risk advisers or local crime prevention agencies.
- A risk assessment should be undertaken on the security of offices and storerooms. Key considerations are the type of information stored in these areas, whether there is an adequate minimum staff level in these areas, and whether the rooms are in routine use. There may be a need to consider physical security measures such as keeping doors locked during working hours when the rooms are not in use.
- Windows in ground floor rooms are favourite access points for burglars and, particularly during hot weather, staff should ensure that they are closed when the room is not occupied. A risk assessment should be undertaken with possible physical security measures including window locks or if the area contains information or products which need to be particularly protected,
- There should be an alarm system that is of an adequate specification to protect the premises. Security specialists should be engaged when installing a new alarm system or taking over new premises. Alarm systems should be tested on a regular basis. When refitting the premises or developing new services, consideration should be given to whether the existing alarm system is adequate for the new security requirements, and security advice should be sought if necessary.
- Fire alarms should be fitted in all areas and regularly tested. Fire doors, automatic and manually operated fire control systems all help prevent the spread of fire.
- Physical keys should be issued on a need-to-have basis and a degree of inconvenience may be preferable to a large number of duplicate keys. Electronic keys can be cancelled with relative ease, but it can be time consuming and expensive to change locks on doors. A record should be kept of keys issued for long-term use and staff should be briefed on the importance of reporting lost keys. A log should be maintained, and procedures adopted to ensure keys have been returned when staff members have left employment.
- Staff should be encouraged to clear desks (including dispensing benches) of all sensitive and confidential information when it is no longer required for the task in hand and to ensure that such information is locked securely away overnight. Staff should also be informed of how to use a password protected screen saver on their computers if they need to leave their machine unattended.
- There should be an assessment of physical security. This should look at the premises as a whole, taking into account legitimate entry and exit points, areas where forced entry is possible and any unstaffed parts of the building(s). Having identified any areas of risk, the risks should be weighed against the likelihood of the threatened event actually occurring. For example, the assessment may identify a risk of burglary; the question to be asked is whether this is a high risk, a medium risk or a low risk.
- Physical security should be subject to regular risk assessment and updated guidance/procedures issued to reflect new risks to the premises due to new ways of working or the purchase of new equipment. There should be checks that staff members comply with the procedures, e.g. by review of burglar alarm logs. Awareness and training should be provided to all new staff as part of their induction, and existing staff should be provided with regular updates as necessary.