The GDPR mandates that data breaches must be reported within 72 hours. Naturally, this will drive healthcare professionals and organizations to take better care of the data they hold and, of course, the higher fines in play will act as another incentive to dramatically improve data security.
Healthcare providers must ensure that they comply with the requirements of public authorities and are able to demonstrate that they are protecting their patients’ information adequately. Any hospital or other healthcare organisation must also verify its patients’ identities, and create an accurate system that allows for the erasure or rectification of their data.
Three categories of health data are introduced:
- Genetic data is contained within Article 9 of the GDPR: “Processing of special categories of personal data”. Recital 13 defines it as “personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question”.
- Biometric data, when it is used for “uniquely identifying a natural person”, is also included in Article 9 of the Regulation. Recital 14 defines it as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data”.
- Data concerning health, also included in Article 9, is defined in Recital 15 as “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status”.
Giving customers control can help to shape relationships in a positive way.
The GDPR makes clear that health data should be processed for health-related purposes, only where necessary to achieve those purposes for the benefit of natural persons and society as a whole, in particular, in the context of the management of health or social care services and systems, including processing by the management of such data for the purpose of quality control. This purpose limitation principle is to be linked with the consent provided by the data subject.
Security of the data is a major concern both for organisations processing personal data and for individuals who want their privacy to be safeguarded. Whether health data is collected, stored or accessed via wearable devices, mobile applications, cloud computing capabilities or databases, its misuse may have irreversible consequences for the individual concerned, so it is crucial that the data ecosystem is secure.
The masses of data that healthcare organizations have been collecting for decades are still often unstructured and inaccessible. The ideas behind big data, and how it can unlock the insights contained within healthcare information, are a major reason why the GDPR could offer the healthcare industry a huge opportunity. The insights that come from the drive to structure and integrate data could accelerate new therapies and bolster moves to improve prevention.
Overall, the GDPR is a reason for the health sector to be excited – it could help unlock the potential in huge stores of data that have remained dormant for decades.