Access controls regulate who can view or use electronic resources, thus minimising risk to both the system and data within it. The importance of implementing proper access controls for documents containing personal data cannot be overstated. Personal data is a valuable asset, the misuse of which can lead to identity theft, financial loss, personal and professional reputational damage, and significant distress.
Further, medical information is subject to confidentiality obligations and carelessness can have substantial regulatory implications for healthcare practitioners. The health and social care sector must provide a certain level of protection for personal data. By implementing proper access controls, health and care providers can demonstrate compliance with these regulations, avoiding penalties and potential legal action.
The requirement to implement and manage access controls has been highlighted by the Information Commissioner’s Office (ICO) this year. In April, the Clyde Valley Housing Association was reprimanded after it released a new customer portal on which there was a configuration error. The result of the error was that any resident with an ongoing anti-social behaviour case was able to access all other documents on the portal (including 394 data entries linked to anti-social behaviour). Although the configuration error was inadvertent, the Housing Association then compounded the issue by failing to respond promptly to user reports alerting them to the issue. They had also not included data security in their testing of the portal – looking only at functionality – and did not engage in ongoing testing once the portal was live.
A similar situation arose for the Mayor’s Office for Policing and Crime (a part of the Greater London Authority) in relation to a webform to contact the London Victims’ Commissioner. Between 11-14 November 2022, the processor hosting the webform intended to give four members of MOPAC permission to the webforms, but accidentally made two web forms public. As data controller, MOPAC was expected to be able to confirm that its processor’s staff had been given training around granting permissions to the webforms. It could not do so.
Access controls are an integral part of privacy by design. The Data Protection Principles set out in the UK GDPR are clear that processing of personal data should be minimised, only occurring where necessary to meet specific purposes. Prevention of inadvertent or intentional access by the unauthorised is a key part of meeting this requirement. Restricting who can access and modify data, access controls help prevent unauthorised alterations, deletions, or additions to the data, thus enabling healthcare organisation to ensure that their records are adequate, relevant, accurate and up to date.
Controls also support accountability. By keeping a record of who has accessed or modified data, organisations can track data usage and, where there is a failure to comply with policy, will have the evidence needed to hold individuals accountable for their actions. An understanding by staff that their electronic pathways are logged can be highly effective in deterring both nosiness and malicious behaviour, helping to build the positive culture of data protection that healthcare providers want to see.
Our content explained
Every piece of content we create is correct on the date it’s published but please don’t rely on it as legal advice. If you’d like to speak to us about your own legal requirements, please contact one of our expert lawyers.