The enactment of GDPR this past May represents a major shift in how the ownership of personal data is perceived. Healthcare providers, in particular, collect vast amounts of highly sensitive data and GDPR has resulted in profound changes for how this information must be collected, stored, and deleted.
Whereas prior to GDPR, data was considered to be the property of those who collected it, the new regulations redefine this ownership. All information collected from EU residents will now be considered their property. Any authority regarding the access and usage of this information now resides with the individual.
This means that even if data is collected by companies based outside of the EU, they must comply with the new regulations with regard to data collected from EU residents.
GDPR highlights three kinds of data that are particularly relevant for healthcare providers: genetic data, biometric data, and data concerning health.
- Genetic data: This refers to personal data “relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question”.
- Biometric data: This refers to personal data “resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data”.
- Data concerning health: This refers to personal data related to the “physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status”.
Do’s and Don’ts: Collecting, Processing, and Sharing Sensitive Data
Because of the highly sensitive nature of healthcare information, collecting, processing, and storing the aforementioned data is subject to additional limitations and requirements. In particular, GDPR forces companies to explicitly request consent when collecting and using data; it can no longer be obfuscated in a long and complicated terms-and-conditions agreement. When companies are permitted to collect sensitive data is also now subject to stringent regulation. Here are the nitty-gritty details of these new regulations:
- Consent: The data subject MUST give explicit consent to having their data collected, stored, analyzed, or processed. Explicit consent is a term clearly defined by the GDPR in Article 7. At its core, explicit consent means that it must be clear and unambiguous that the data is being collected, and the user must be the agent who actively acknowledges the giving of consent (e.g. consent cannot be an auto-populated field on a form). Furthermore, data controllers must be able to furnish proof of consent. When obtaining consent, data controllers are expected to provide subjects with a clear and easy-to-understand form.
- Barriers to Consent: Collecting and processing biometric data, genetic data, and data concerning health, along with a series of other categories of personal information (religion, sexual orientation, racial or ethnic information, etc.), is prohibited except in certain situations.
- Necessary to Administer Care: In order to collect or process the three types of data listed above, they must be considered necessary for the purposes of preventive and occupational medicine, management of social or medical systems, and/or for assessing a person’s ability to work. It is further stipulated that the purpose of collecting the data must be assessed by a professional who is under an obligation of professional secrecy under Member State law.
- Public Health and Safety: The GDPR also stipulates that professionals bound by professional secrecy may also collect data for “reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices”.
Prevention and Protection: New Regulations For Data Security
Collecting and processing the information is but a portion of the picture. Protecting and managing the data also carries a set of rules and regulations. Organizations handling these kinds of information will now require the following:
- Data Protection Officer (DPO): Organizations are obligated to appoint a data protection officer. This person will be responsible for the collection, processing, storage, and protection of the data. This is particularly helpful in ensuring not only that the legal obligations with regard to healthcare-related data are fulfilled, but also that all obligations under GDPR are being met.
- Data Protection Impact Assessment (DPIA): When genetic data, biometric data, or data concerning health are collected, organizations will be responsible for first carrying out a DPIA. This is done with the intent to ingrain notions of data protection from the very outset of creating new policies or procedures.
GDPR should be seen as a way to return power over their information to the individual. They are able to request it, transfer it, correct it, or delete it. With potential fines for non-compliance upward of €20 million, there is an incentive for companies to stay informed and proactively review and revise their data protection policies and procedures. Healthcare organizations deal with vast amounts of data. Leveraging this data allows them to provide better treatment and save lives. But with it comes the responsibility to ensure the information is protected.