The General Data Protection Regulation (EU) 2016/679 (GDPR) in a Medical facility


Introduction

The General Data Protection Regulation (EU) 2016/679 (GDPR) is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. It also addresses the transfer of personal data outside these areas. The GDPR aims primarily to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

What information does the GDPR apply to? The GDPR applies to ‘personal data’, which means any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier. The term ‘personal data’ is the entryway to the application of the GDPR: the Regulation applies only if the processing concerns personal data (GDPR Article 4(1)).

This document focuses on the general application of the GDPR in the healthcare sector, where the GDPR lays down additional rules for the processing of special categories of data (which include information about an individual’s health).

A major element in the General Data Protection Regulation (GDPR) is the consent of the persons concerned as a way to legitimise how their personal data is processed within the health care organisation. A particular feature of this sector is that such a facility operates not only with standard personal data but also with what is known as sensitive data.

As is widely known, the GDPR affects all professionals working in the health sector, and its proper application is a legal requirement under Regulation (EU) 2016/679. It is even more important here than in other industries because the type of data processed within the health sector is health data. Special category data is personal data that needs more protection because it is sensitive. In order to lawfully process special category data, you must identify both a lawful basis under GDPR Article 6 and a separate condition for processing under GDPR Article 9. The Regulation defines personal data related to health as data “related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status” (GDPR Article 4(15)).

The new aspect of this definition is that information and data related to the provision of health care services which reveal information on the person’s health status are now also included as health data. This means that a series of additional conditions need to be met when processing this data.

The legal requirements that organisations have to adhere to in order to comply with this regulation are:

1. Processing activities

The individuals responsible for and in charge of the various processes are duty-bound (always in the case of processing health, genetic or biometric data) to maintain a register of the processing activities carried out.

This register must contain at least the following:

  • Identification and contact details of the controller, any joint controller, the representative and the DPO
  • Purposes of the processing
  • Description of categories of the persons concerned and data
  • Categories of existing or expected recipients (including in third countries or international organizations). This is necessary if a patient is to seek/receive medical treatment outside the organisation
  • International data transfers and guarantee documentation for international data transfers except on the basis of compelling legitimate interests.

2. Data mapping

A primary component of GDPR compliance is understanding what personal information is being collected and processed. Without this understanding it will be difficult to ensure that the organisation’s data processing activities comply with the new obligations set out in the GDPR.

GDPR Article 30 (Records of processing activities) states that organizations must maintain a record of processing activities under [their] responsibility. That record shall contain all of the following information:

  • the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer
  • the purposes of the processing
  • a description of the categories of data subjects and of the categories of personal data
  • the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organizations
  • where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation
  • where possible, the envisaged time limits for erasure of the different categories of data
  • where possible, a general description of the technical and organizational security measures referred to in Article 32(1).

The controller or the processor shall make the record available to the supervisory authority on request.

Key elements of a Data Map

Data mapping allows you to identify the information that your organisation keeps and how that information travels from one location to another, whether as electronic or physical documents, for example from radiologists to doctors and the treatment centre, through to the patient. By mapping the flow of data, you will be able to review the most effective way of processing it and identify any unforeseen or unintended uses.

3. Additional information

With the GDPR, the amount of information that all data subjects should receive from those responsible for processing their data increases. As a minimum, the information provided should contain the following details:

  • The contact details of the appointed Data Protection Officer (DPO)
  • The legal base or legitimacy for processing (see para 3)
  • The period or criteria for storing information
  • The existence of automated decisions or profiling
  • The expected transfers to third countries
  • The right to proceed with a Complaint to the Commissioner for Data Protection, the Supervisory Authority (GDPR Article 51).

4. Explicit consent

Article 9 of the GDPR reflects the main legal basis for processing this type of data, consent, which must be explicit (unambiguous) under the new European regulation. Hospitals and other health institutions will have to do far more to prove that patients have understood and accepted their terms of use. Aside from consent, the legislation only allows data in this special category to be processed in some of the following circumstances:

  • When the processing is needed to protect the vital interests of the person concerned or another physical person in case the person concerned is not able to give their consent
  • When the processing is needed for preventative medicine or work purposes, work capacity assessment of the worker, medical diagnosis, provision of health or social care or treatment, or managing the health and social care systems and services under a contract with a health professional
  • When the processing is needed for reasons of public interest in the area of public health.

5. Lawful Basis

The lawful basis for processing personal information is GDPR Article 6(1)(c), ‘…for compliance with a legal obligation…’, where the collection or provision of data is a legal requirement.

The lawful basis for processing special category personal data is GDPR Article 9(2)(j), ‘…necessary for reasons of public interest in the area of public health…or ensuring high standards of quality and safety of health care and of medicinal products or medical devices…’.

This covers processing that is necessary for reasons of public interest in the area of public health and is carried out (i) by or under the responsibility of a health professional, or (ii) by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.

6. Organizational and security measures

The new regulation no longer prescribes security measures by fixed levels; instead, measures are applied according to the risk that processing the data may pose.

On this basis, the level of risk is enormous in the case of processing health data. Therefore, organizational and security measures must be designed according to this risk.

7. Impact Assessment

Within the active responsibility measures required by the GDPR is the Impact Assessment, whose concept is detailed in GDPR Article 35. It is obligatory for high risk processing, which includes health data.

The hospital’s IT centre responsible for processing the data should complete the Impact Assessment before processing begins, and the Data Protection Officer should review it on a regular basis.

A Privacy Impact Assessment (PIA) or Data Protection Impact Assessment (DPIA) was introduced with the GDPR (GDPR Article 35). This refers to the obligation of the controller to conduct an impact assessment and to document it before starting the intended data processing.

The PIA evaluates the risk and aims to allow those responsible for processing the data to take the correct measures to reduce those risks (minimize the probability of their materialization and negative consequences for the persons concerned).

8. Special categories

Additional safeguards are essential if “special categories” of data, which include health and genetic data (along with data about racial or ethnic origin, religious beliefs, and political views) are being used for research. The “special categories” of personal data are considered especially sensitive: a further condition is required and there are stricter requirements to meet if these types of data are being used. These safeguards include minimizing the amount of personal data required, for example through anonymising data where possible rather than using personal data.

9. Fairness and transparency

In preparing for GDPR, the regulation emphasises the importance of fairness and transparency as core principles that data controllers should always have in mind, whether they are using Consent (see para 4) as their basis for processing or not. It’s really positive that as a result of this legislation, the hospital/clinic and academic researchers should be providing more information about how patient data is collected, stored, kept secure and used.

10. Pseudonymised data

Many researchers use data from health or clinical records, but do not want or need identifying information. In these cases, data is often “pseudonymized”, for example by replacing the person’s name with a code. Pseudonymised data is still considered personal data and falls within the scope of the GDPR.
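The following added example (not code from the original article) shows the point above in practice: patient names are replaced with a keyed code so researchers never see identities, yet the controller, who holds the separately stored key table, can reverse the mapping, which is why the output is still personal data. The records and the key are constructed, hypothetical values.

```python
import hmac
import hashlib

# Constructed sample clinical records (hypothetical, not real patients).
RECORDS = [
    {"name": "Alice Example", "dob": "1980-04-02", "diagnosis": "J45 asthma"},
    {"name": "Bob Sample", "dob": "1975-11-19", "diagnosis": "E11 type 2 diabetes"},
    {"name": "Alice Example", "dob": "1980-04-02", "diagnosis": "J45 asthma follow-up"},
]

# Hypothetical secret held only by the controller, stored apart from the research data set.
PSEUDONYM_KEY = b"controller-held-secret-key-constructed"


def pseudonym(name: str, dob: str, key: bytes) -> str:
    """Derive a stable code from the identifying fields with a keyed HMAC.

    A keyed function is used rather than a plain hash so that a recipient
    without the key cannot re-derive the code from a guessed name and date of birth.
    """
    ident = f"{name.strip().lower()}|{dob}".encode()
    return hmac.new(key, ident, hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Return (pseudonymised records, re-identification table).

    The table maps code -> identifying fields and must be kept separately
    under access control; whoever holds it can reverse the pseudonymisation,
    so the pseudonymised records remain personal data under the GDPR.
    """
    out, table = [], {}
    for r in records:
        code = pseudonym(r["name"], r["dob"], key)
        table[code] = {"name": r["name"], "dob": r["dob"]}
        out.append({"patient_code": code, "diagnosis": r["diagnosis"]})
    return out, table


def reidentify(pseudo_record, table):
    """Recover the patient's identity from the separately held key table."""
    return table[pseudo_record["patient_code"]]


if __name__ == "__main__":
    data, key_table = pseudonymise(RECORDS, PSEUDONYM_KEY)
    for row in data:
        print(row)  # no names, but the same patient keeps the same code
    print(reidentify(data[0], key_table))  # the controller can still re-identify
```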

11. Communicating data

Often data is communicated between entities in order to provide the best treatment for the patient. In these cases the person concerned should be aware of this, since it is they who authorise the transmission.

The organisation (data controller) must comply with certain requirements:

  • Define, in a written contract, the rules for data processing on behalf of the controller by a third party
  • Establish that the third party will process the data only according to the controller’s instructions
  • Check that the data will not be used for purposes other than those established in the contract, nor communicated to other people
  • The third party must comply with the same security measures that the data controller complies with.

12. Exemption

An exemption is a use of personal data for which some or all requirements or rights are modified. Some exemptions are full, i.e. they do not require the organisation to collect, store or process the data according to the GDPR and data protection law at all, and some are partial, i.e. they allow the data controller or processor not to follow some rules, provided others are followed.

For example, some of the rights and obligations that might not exist for certain uses include:

  • the right to be informed
  • the right of access
  • reporting personal data breaches
  • following the principles.

Generally, exemptions exist where there is a national or public interest that is greater than the interests of the individual. However, an exemption can often be relied on only to the extent that it would otherwise be unfeasible to uphold the rights and principles under the GDPR.

Data and uses that fall outside the scope of GDPR are not exemptions. For example, these might be when the data is not personal data, or when the user is not a business or an organisation. Uses not covered by GDPR include use as data in the investigation of a crime or enforcement of the law, and in national security interests.

13. Data Protection Officer

As clearly stated in GDPR Article 37(1), a DPO must be appointed if the relevant data processing activity is carried out by a public authority or body, or where “... the core activities of the relevant business involve processing of sensitive personal data, or data relating to criminal convictions and offences, on a large scale”.

The DPO should have autonomy in carrying out his/her duties, which can be done full or part time, provided there is no conflict of interest with his/her other duties within the organization.

14. Medical Insurance

In the specific and exceptional circumstance of reciprocal insurers and insurance companies, medical data can be communicated according to the principle of quality and only in order to produce the invoice for healthcare spending.

That is, only data that are adequate, relevant and not excessive for determining the cost of the health care may be communicated, and, to meet GDPR Article 24, there will have to be a data recipient contract between the Insurer and the Health Centre or Private Professional.

Conclusion

To comply with the GDPR, as well as to protect the sensitive personal data of patients and staff, there are steps healthcare organizations can take. For instance, they will have to appraise their existing data management framework and adopt new policies for accessibility, archiving, organization and protection. There should be an efficient system in place that can guarantee that data subjects can exercise all the rights set out in the GDPR.

In the meantime, organizations have to manage the growing risk of supply chain attacks. Risk assessment is vital, and companies should only work with organizations that are compliant with the GDPR and are reliable partners in data protection. Apart from that, they should perform risk assessments on their suppliers and do background checks on anyone with access to the hospital’s databases, medical devices and equipment.

An area of growing importance is "penetration testing" of organisations' networks by professional companies, which is also highly recommended and worth considering. A “penetration test”, also referred to as a pen-test, pentest or ethical hacking, is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system. The test is performed to identify both weaknesses (also referred to as vulnerabilities), including the potential for unauthorized parties to gain access to the system's features and data, and strengths, enabling a full risk assessment to be completed.
