
Information Governance Legal Advice


More than ever, information is recognised as one of the greatest assets of the health, care and life sciences sectors. Using that information to best effect while at the same time respecting people’s information and privacy rights can be a careful balancing act.

Quality information systems are essential to provide the best care. Data sharing is key to joining up care and driving the integration of services. Digital transformation, data-driven technologies and artificial intelligence (AI) have enormous potential to improve healthcare – for example, supporting clinicians to diagnose conditions and optimise treatment, achieve efficiency savings, and understand and address health inequalities.

However, the confidentiality and sensitivity of health data also brings with it a complex legal framework and potentially serious consequences if things go wrong, as demonstrated by high profile cyber-attacks, data breaches and the associated reputational consequences. Patients are also increasingly aware of how their data can be used and their rights in respect of it. It is therefore essential that health and care providers and their partners have confidence in the lawful basis for their use of data and robust information governance arrangements in place.

How we can advise you

As a long-standing partner to the health, care and life sciences sectors, our information governance specialists offer not only comprehensive legal expertise, but also exceptional insight into the key drivers and concerns of everyone concerned with the use of health data – be that patients, the NHS, private providers or suppliers. We can advise you on all aspects of information governance, including:

  • All aspects of the General Data Protection Regulation (GDPR) and Data Protection Act 2018, including:
    • Data protection principles and lawful basis for processing
    • Individuals’ rights, including privacy notices and subject access requests
    • Accountability and governance, including data protection impact assessments (DPIAs), the role of data protection officers (DPOs), data sharing, data processors and international transfers
    • Security, including technical and organisational measures and personal data breaches
  • Relevant information governance law, including:
    • Confidentiality
    • Access to health records
    • Freedom of information
    • Environmental information
    • Privacy and electronic communications
    • Human rights, in particular the Article 8 right to respect for private and family life
    • Regulatory requirements for health and care providers and professionals
    • Brexit implications
  • NHS-specific legislation and policy, including:
    • Control and use of confidential patient information, including the national data opt-out, ‘section 251 approval’ and using health data for research and planning purposes
    • The Data Security and Protection Toolkit, including data security standards and breach reporting
    • The Caldicott principles
  • Data sharing and processing, including:
    • Data sharing arrangements within the health and care sector, for example for the purposes of integration, safeguarding or public health, or the transfer of records to a newly-appointed provider
    • Data sharing agreements between public and/or private organisations or within Integrated Care Systems and Sustainability and Transformation Partnerships
    • Data processing agreements between health and care providers and their suppliers
    • Ad hoc sharing of patient data in the public interest, for example to the police or in relation to serious communicable or genetic diseases
    • International transfers and cross-border data processing
  • Compliance solutions for:
    • Data-driven technologies, services and research – including artificial intelligence (AI)
    • Digital consultation platforms and symptom checkers
    • Medical devices and apps
    • Integrated clinical records systems
    • Outsourcing/subcontracting arrangements, for example digital consultations or diagnostic services
  • Regulatory action and complaints and claims management, including:
    • Investigations and enforcement action by the Information Commissioner
    • Data protection, freedom of information, environmental information and electronic communications complaints, including appeals to the ICO and the Information Rights Tribunal
    • Claims for breaches of confidentiality, data protection or human rights
    • Criminal sanctions
  • Breach response, including investigation, reporting, reputation management and crisis communications

How our team will work with you

We believe in the power of information to transform health and care and take pride in helping our clients achieve their objectives, rather than just identifying the risks.

Our information governance specialists form part of our full service health and life sciences team. We can help you find solutions to a standalone information governance issue, provide integrated advice as part of a bigger project, or review and develop your organisation’s information governance policies, procedures and practices to ensure legal and regulatory compliance.

We are ideally placed to understand and advise upon the interaction of information governance with other legal aspects of health, care and life sciences, such as consent to treatment, mental capacity, mental health, genetics, fertility, safeguarding, claims, inquests, public inquiries/investigations, health and care regulation, commissioning, employment, commercial contracts and intellectual property. Our specialist expertise is also sought out by organisations operating in other sectors, such as the education and utilities sectors.

We also provide training on information governance to people working at all levels of an organisation – from administrators dealing with day-to-day information requests to the board of directors. We run popular annual information governance seminars for our clients as well as bespoke training.

Our clients

We act for a variety of health and social care organisations, including:

  • NHS organisations – including NHS England, Health Education England, clinical commissioning groups, NHS foundation trusts and NHS trusts
  • Independent health and social care providers
  • Suppliers to the health sector, including health tech start-ups and digital providers
  • Regulators
  • Local authorities
  • Utility providers
  • Education providers

Our experience

Our team’s recent experience includes:

  • Advising on the privacy implications of the COVID-19 pandemic
  • Advising health tech suppliers and customers on:
    • the use of data-driven technologies in the health sector, including the use of AI to support clinical decision-making
    • the use of digital-first technologies, such as video consultation
    • privacy notices, disclaimers and terms and conditions for patient-facing websites, apps and medical devices
  • Advising organisations on data sharing in a variety of contexts, for example:
    • the development and implementation of integrated/shared records systems within the health and social care sector
    • data sharing for the purposes of population health management, public safety, research and corporate/commercial transactions within the health and social care sector
    • sharing data about vulnerable customers within the water sector
  • Assisting national and regional organisations on the development of their data protection policies and procedures
  • Advising on Data Protection Impact Assessments (DPIAs) and undertaking consultation with the Information Commissioner
  • Advising on the use of data for research purposes, including within the health and education sectors
  • Advising on the disclosure of patient information without consent, for example in relation to children and those who lack capacity, transmissible and serious genetic diseases, and to assist the investigation of crime
  • Assisting with the handling of complex subject access requests, including the review, redaction and disclosure of high volumes of electronic and manual documents
  • Assisting with the handling of contentious FOI requests, for information relating to high-profile national negotiations, public tenders and confidential compromise agreements
  • Representing organisations in relation to investigations by the Information Commissioner and appeals to the Information Tribunal
  • Advising NHS bodies in relation to the management, retention and disclosure of data from inquiries and investigations, including the Mid Staffordshire NHS Foundation Trust public inquiry, the Morecambe Bay investigation, the Independent Inquiry into Child Sexual Abuse and the Infected Blood Inquiry
  • Advising on the use of covert audio and video recordings within a clinical setting
  • Advising upon the storage, digitisation, retention and destruction of health records
  • Advising organisations on their response to personal data breaches
  • Providing training on access to health records; effective management of FOI requests; data sharing; and advanced training for information governance specialists including data protection officers (DPOs), Caldicott Guardians and senior information risk owners
