NHS trusts spend £1 million to prepare for GDPR

The NHS is underprepared for GDPR despite the data protection law coming into force in just six weeks, according to new research.

Trusts have spent more than 1 million collectively on updating systems for the legislation, which aims to hand EU residents more control over what companies do with their personal data, and introduces tougher fines for firms who misuse that data.

Think tank Parliament Street asked NHS trusts across the UK to share their current expenditure and their projected expenditure for the next year on preparing for GDPR, and specifics about how the money is being used, collating the information in a report titled 'Getting the NHS ready for the GDPR'.

The Freedom of Information requests revealed a total of 1,076,549 had been spent across the 46 trusts that responded, of 84 approached, including expenditure on consultancy, secure email systems, software, staffing and training.

Citing Digital Health Alliance research that shows only 55% of acute trusts and 47% of mental health trusts have an implementation plan for the legislation, the report said: "This suggested that around half of trusts are properly equipped with a plan to tackle this complex legislation.

"A key issue for the NHS is how they manage and secure sharing of confidential patient records and data, which is extremely sensitive and personal to individuals."

The think tank argued that GDPR implementation would add further strain to NHS resources already struggling with rising costs for social care.

Luton and Dunstable Hospital Foundation Trust spent the most on its preparation - 111,200 - targeting resources at staff support and training, while Lincolnshire Partnership NHS Foundation Trust, the only other trust to spend more than 100,000, allocated funds toward staffing and training - including 1,755 on specialist training.

The lowest-spending trusts, committing less than 1,000 each on GDPR preparation, included East Kent Hospitals University NHS Foundation Trust, Rotherham Doncaster and South Humber NHS Foundation Trust, Cheshire & Wirral Partnership NHS Foundation Trust, Alder Hey Children's NHS Foundation Trust, Goodmayes and Royal Derby Hospitals.

The low-spending NHS trusts IT Pro spoke with were keen to point out expenditure was not correlative with or reflective of their level of preparedness.

A spokesperson for the Department of Health and Social Care said it has worked with partners to develop "a comprehensive suite of guidance products" to support the implementation of the General Data Protection Regulation in May.

They added: "GDPR will replace the current Data Protection Act and will set a more robust framework for how we collect, store and share data across the health and care system in future. In addition to the guidance produced by the NHSE-led GDPR working group, there is considerable information and guidance available, particularly from the Information Commissioner's Office."

As part of its research, the think tank also discovered additional detail on how trusts were spending their resources. For example, the Christie NHS Foundation Trust spent 54,000 on an Information Security Management System and consultancy resources, while the Queen Elizabeth Hospital King's Lynn NHS Foundation Trust spent almost 11,000 on a data flow and mapping licence, software training and configuration consultancy.

Among its recommendations, Parliament Street proposed the NHS establishes a national programme for managing and funding GDPR - bringing together lawyers, CIOs and CEOs to ensure consistency between trusts - as well as lobby the Treasury for extra support.

In addition, the government should provide dedicated legal advice in the form of solicitors and specialist counsel to enable all trusts to gain free consultancy on implementation, the report said.

The East Kent, Rotherham Doncaster and South Humber, Cheshire & Wirral, Alder Hey trusts, as well as the NHS itself, were approached for comment.