GDPR – understanding personal data in the healthcare sector
In this article Stanley Lees considers the legal aspects of personal data in the Healthcare sector.
GDPR post Brexit
The General Data Protection Regulations 2016/679 (GDPR) is a regulation under EU law which was implemented in and tailored to the UK by the Data Protection Act 2018 (DPA). References to the GDPR in this article include also the DPA.
Data protection rules vary across the world from country to country and within jurisdictional regions within countries. EU GDPR applies to citizen of the EU. After Brexit the UK became a ‘third country’ for EU GDPR purposes. The UK adopted its own UK GDPR regime based on the EU GDPR regime and DPA and accordingly the EU members states became ‘third countries’ under UK GDPR. At the moment, both EU GDPR and UK GDPR are aligned.
Personal data in the healthcare sector
Medical records contain such sensitive information that GDPR rightly deems it necessary to put such data in a special category of personal data and demand even further steps for its protection than other regular types of personal data.
According to Articles 13-15 of the GDPR, there are three types of personal data that are especially relevant to the healthcare industry:
- Data concerning health – personal data related to the physical or mental health of a person, including any information relating to the type of care received;
- Genetic data – information relating to a natural person’s genetic characteristics. This includes any lab results relating to an analysis of a biological sample, as well as any characteristics that might reveal details of the patient’s physiology or health; and
- Biometric data: Biometrics refer to data related to someone’s physical, psychological or behavioural attributes of a natural person. These include facial images, fingerprints, gait traits and more.
When healthcare and tech institutions handle personal data, patients should be given the right information: patients should be well informed about their rights, for what purposes their health-related personal data is processed, and how it’s processed, as well as by who, for how long and additional information. Patients should also be made aware of the recipient/third parties with whom their personal data are shared.
Given the shared nature of cloud-based systems often used within the healthcare sector, ensuring that only those necessary have access to patient data is fundamental. Having measures such as two-factor authentication or single sign-ons in place could also help with providing further measures for data protection when it comes to accessing patient files.
NHS approval process
To capture and use personal data under the GDPR, individual users must consent to their data being collected in the first place. However, this consent requirement does not apply to the Confidentiality Advisory Group (CAG). CAG is an independent body which provides expert advice on the use of confidential patient information without patient consent. Under the NHS Act 2006, CAG can give section 251 approval for the use of confidential patient information without consent for a specific purpose by the Health Research Authority or the Secretary of State for Health and Social Care. However, such approval is seldom authorised and is only granted when an organisation requesting the data makes the case that it would be very difficult or impractical to seek consent.
‘Appropriate technical and organisation measures’
The GDPR draws a distinction between “data controllers” and “data processors”. Data controllers collect data and determine the purposes and means of data processing, while data processors process the collected data on behalf of the controllers and advise on data collection.
Security of the data is a major concern for both types of organisations. Whether data is collected, stored or accessed via wearable devices, mobile applications, cloud computing capabilities or databases, their misuse may have irreversible consequences for the data subject concerned so effective security measures are paramount.
Under the GDPR, both the controller and the processor must implement ‘appropriate technical and organisation measures’ to ensure a level of security appropriate to the risk, including:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Risk, liability and ownership
If a company is found guilty of mishandling personal data, it could be subject to a fine up to €20 million or 4% of its annual revenue – whichever amount is greater. In January 2019, the UK Information Commissioner’s Office imposed a £99.2 million fine on Marriott and a £183.4 million fine on British Airways for data breach related violations. Businesses, including healthcare and tech organisations, should take a proactive approach to implementing appropriate technical and organisation measures in order to limit the risk of being fined for non-compliance.
When it comes to ownership of personal data there are two schools of thought, that “since the controller assumes the risk, it owns the data” (Rob Glickman, chief marketing officer at data platform Treasure Data) and that “..the individual owns the rights to their data…” (Mike Dougherty, chief executive officer of Jelli). Responsibility for handling data and control of that data follow accordingly so for Rob Glickman “the processor must handle data securely and, if there is a breach notify the controller…but is the controller that is legally responsible” whereas for Mike Dougherty, “..the individual owns the rights to their data…they have the final say, not the company that possesses it – whether obtained through consent or not”.
The GDPR does not directly address ownership of personal data, however it does provide the individual with a high level of protection and control including:
- To capture and use personal data under GDPR, individual users must consent to their data being collected in the first place.
- Companies must also explicitly state how and why user data is being processed.
- GDPR significantly expands the definition of personal data to include information like IP addresses and biometric data in addition to basic identity information.
- Under GDPR, users have the right to submit a subject access request (SAR) for access to their data. Companies have 30 days to respond to such requests.
- Under certain conditions, users also maintain the “right to be forgotten”. If for example, the explicit purposes claimed by a company in collecting and processing user data no longer applies, users can request their personal data be deleted. Here too, the company would have 30 days to respond.
- Users can also withdraw their consent for future data collection at any time.
In effect through the GDPR it is the individual who is protected and ultimately controls what happens with their personal data and therefore has these key hallmarks of ownership. Please note however that this is a separate question to rights to ownership of databases under the Copyright and Rights in Databases Regulations 1997.
Specialist legal advice for the healthcare sector
If you would like further guidance in relation to personal data in the healthcare sector, our team of specialist legal advisors can help. Please get in touch by calling 0117 906 9400 or email firstname.lastname@example.org