{"id":12271,"date":"2023-02-15T12:02:12","date_gmt":"2023-02-15T12:02:12","guid":{"rendered":"https:\/\/formdr.com\/uk\/?p=12271"},"modified":"2023-02-22T10:27:39","modified_gmt":"2023-02-22T10:27:39","slug":"will-your-patient-forms-cost-you-thousands","status":"publish","type":"post","link":"https:\/\/formdr.com\/uk\/blog\/health-news\/will-your-patient-forms-cost-you-thousands\/","title":{"rendered":"Will Your Patient Forms Cost You Thousands \u00a3\u00a3\u00a3?"},"content":{"rendered":"\n
\"\"<\/figure>\n\n\n\n
<\/div>\n\n\n\n

The last thing any practice or business wants is to be fined over \u00a3250,000 by the Information Commissioner\u2019s Office (ICO) in the United Kingdom for not storing sensitive special category data securely. Personal health data is one of many special categories of data under UK GDPR and the Data Protection Act of 2018 (DPA) that need to be treated with great care due to sensitivity. While these data protection regulations are relatively new, we are starting to see how the government expects practices and businesses to treat health related information. Many businesses don\u2019t understand the gravity of their current processes and that this type of penalty is completely avoidable.<\/p>\n\n\n\n

Penalties are in Effect NOW<\/em><\/strong><\/h2>\n\n\n\n

The most significant fine in the health care sector thus far was levied in late 2019 against a London based pharmacy that did not handle health data in a proper manner. This pharmacy was fined \u00a3275,000 for failure to ensure the security of special category data and ordered to improve its data protection processes within three months or face additional consequences. You can read the citation in its entirety<\/a>, although what stands out is how the citation directly references Article 32 of GDPR titled \u201cSecurity of Processing.\u201d<\/p>\n\n\n\n

Article 32<\/a> states in relevant part (emphasis added in bold):<\/p>\n\n\n\n

\n

1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures<\/strong> to ensure a level of security appropriate to the risk, including inter alia as appropriate:<\/p>\n\n\n\n

<\/div>\n\n\n\n