
Healthcare sector: How to Comply With GDPR?

Since the GDPR entered into force, protecting personal data has become more demanding for the Healthcare sector: data has to be managed with a holistic approach, and organizations must have procedures in place that can be acted upon immediately in order to meet the requirements. That starts with handling personal data more carefully, and knowing where it is stored and how it is processed. This applies to both the public and the private sector: hospitals and clinics, dental care, pharmacies, nursing homes, diagnostic laboratories, e-shops that sell pharmaceuticals, and every other company or organization that processes data concerning health.

The definition of sensitive data and conditions to process it

The GDPR treats the personal data processed in the Healthcare sector as special categories of personal data (commonly called “sensitive data”). The standard for its protection is therefore much higher, and Article 4 of the GDPR defines three such categories that concern health directly:

  1. Data concerning health – “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status”.
  2. Genetic data – “personal data relating to inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.”
  3. Biometric data – “personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.”

Article 9(1) prohibits the processing of these categories of data unless one of the exemptions in Article 9(2) applies. Besides the general ones, such as protecting the vital interests of a data subject who is physically or legally incapable of giving consent (Article 9(2)(c)), the exemptions most relevant to the Healthcare sector are:

  1. The data subject has given explicit consent to the processing (Article 9(2)(a)).
  2. “Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services […]” (Article 9(2)(h)). Under Article 9(3) this exemption applies only when the data are processed by or under the responsibility of a professional bound by an obligation of professional secrecy.
  3. “Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices […]” (Article 9(2)(i)).

However, Article 9(4) lets Member States maintain or introduce further conditions, including limitations, regarding the processing of genetic data, biometric data or data concerning health, so national health-records legislation has to be checked as well. The GDPR also strengthens the rights of data subjects. For the Healthcare sector the most important are: the right of access (Article 15), which lets patients obtain the health data processed about them; the right to data portability (Article 20), which lets them transmit their health data to another healthcare provider more easily, but which applies only where the processing is based on consent or a contract and carried out by automated means, so it does not automatically cover records kept under the medical-care exemption; and the right to erasure, the “right to be forgotten” (Article 17), which is the most difficult one to operationalize. It lets data subjects request that the processing of their health data stop and that the data be deleted. Erasure is not absolute, though: Article 17(3) excludes data that must be kept to comply with a legal obligation (such as statutory medical record retention periods) or that is processed for public health reasons under Article 9(2)(h) and (i), so each request has to be assessed against those exemptions rather than granted or refused blindly.

Article 37 of the GDPR requires a Data Protection Officer (DPO) where an organization’s core activities consist of processing special categories of data on a large scale, which covers most of the Healthcare sector (Recital 91 notes that an individual physician processing patient data is not processing on a large scale). Because such processing is likely to result in a high risk to individuals, a Data Protection Impact Assessment (DPIA, Article 35) should also be carried out. It evaluates the origin, nature, particularity and severity of the risk to the rights and freedoms of individuals that the processing operations are likely to result in, and the measures that address that risk.

The Healthcare sector has an obligation to report personal data breaches: to the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach (Article 33), and, when the breach is likely to result in a high risk to the individuals concerned, to those individuals without undue delay (Article 34). Every breach, whether notified or not, has to be documented internally (Article 33(5)). Clear, practical and effective procedures for the case of a breach should be thought through in advance: a breach notification procedure, including detection and response capabilities, must be put in place, and training and exercises should be run periodically to keep the staff and the systems ready.

Infringements of the Regulation can be fined up to €20 million or 4% of total worldwide annual turnover, whichever amount is higher (Article 83(5)); failures of the security and breach-notification obligations in Articles 32 to 34 fall into the lower tier of €10 million or 2% (Article 83(4)). A recent case in the Healthcare sector concerned a Portuguese hospital, which was initially fined €400,000 for allowing patient data to be accessed through false user profiles.

EU Member States may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State (Article 83(7)).

Steps for the Healthcare sector to take towards the compliance

To be ready for inspections and to reduce the likelihood of a breach, organizations must implement the compliance points mentioned above: review contracts with processors (Data Processing Agreements, Article 28); update policies, procedures, documentation and records; keep records of processing activities (Article 30); and define data retention and deletion periods, bearing in mind that health records are often subject to statutory retention periods that the deletion schedule must respect.

Because of aging IT infrastructure and weak IT security practices, the Healthcare sector is one of the most frequent targets of cyber-attacks. Appropriate technical and organizational security measures (Article 32) must therefore be in place to prevent unauthorized access to, mishandling of and loss of personal data kept on servers or in the cloud. The Regulation names, among others, pseudonymisation and encryption, the ability to ensure the confidentiality, integrity, availability and resilience of processing systems, the ability to restore availability and access to the data promptly after an incident, and regular testing of the effectiveness of those measures.


More on:
https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1543321123665&uri=CELEX:32016R0679
https://ico.org.uk/for-organisations/health
http://www.eu-patient.eu/globalassets/policy/data-protection/data-protection-guide-for-patients-organisations.pdf
