GDPR and health data – the questions you need to ask as a doctor.

As a doctor, I have always been very aware of the importance of patient confidentiality. Not only for ethical or legal reasons but also for purely practical purposes. If you don’t have all the information you can’t make the right decisions, and you will only get all the embarrassing information if patients are confident it won’t go any further.

However, from a legal perspective, it is not always that clear, especially when we are talking about health data which now comes from sources other than just the patient. Fitness trackers, for example, give useful information, but how should I store that data?

And if you are looking to buy into some new digital technology, what are the questions you need to ask?

If you are still using paper records or are outside of the EU, this too affects you as all data are covered by articles 2 and 3 of the GDPR.

Historically this has been recognised as a concern as early as 1970 with privacy being covered in the European Convention on Human Rights. Data protection was mentioned in 1981 in the Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data. Therefore the right to data protection is a fundamental right. Now, most people will have heard of the General Data Protection Regulation or GDPR which came into effect in May 2018, if only because of the pop-ups requesting permissions or in the case of certain non-EU websites, refusing access altogether.

For doctors, the essential concepts to understand about data processing or actions on information that can identify their patient are:

  1. Data controller: Person who decides what data is collected, how this data is collected and for which purpose. As a doctor, you or your institution can be a data controller.
  2. Data processor: Person or service who processes the data under the instructions of the controller and as a doctor using #digitaltech this can be the software you are buying storing the data and which needs to be formalised with a contract.
  3. Data subject: Patient or identifiable person.

Article 5 of the GDPR covers data processing, and as a doctor/data controller, you need to be aware that the data you collect should be:

  1. Lawful, fair and transparent.
  2. Limited to purpose – you need to be recording data with a specific, limited and explicit purpose.
  3. Minimised – irrelevant data should not be recorded.
  4. Accurate – doctors are used to keeping treatment changes, for example, and we are all aware of the legal consequences of not keeping legible notes.
  5. Storage limitation – this refers to not keeping the data for longer than required. Health is probably one of the few exceptions where you can argue that the data should be stored for the entire life of a person to give the best care.
  6. Integrity and confidentiality. This refers to the fact that the data must be protected appropriately through technical and organisational means. You need to consider not only loss and damage (accidental or other) but also that it is not accessed inappropriately by different members of staff. This is a core question when being presented with a new medical application or technology for your practice. Larger institutions such as hospitals will have an information security officer, but if you practise in a smaller setting, this responsibility will be yours.

Finally, to process any data, you need to be sure that there are legal grounds for processing the data you have collected. For doctors, the concepts are familiar:

  1. Consent has been given.
  2. It is necessary for a contract to be carried out and specifically, in the health care setting, this includes an agreement to medical treatment either implicitly or explicitly.
  3. You are complying with a legal obligation.
  4. You are protecting the vital interests of a patient.
  5. You are carrying out a task in the public interest or in your capacity as an official authority.
  6. There exists a legitimate interest for processing.

Sensitive data, as health data is, get more privacy protection, and Article 9 covers this specifically. Safeguards used include:

  1. Pseudonymisation: This is removing identifying fields such as name, date of birth and address but in health needs to go even further. A diagnosis of a specific disease and treating hospital plus gender may be enough to identify the patient. With big data and large amounts of patients, it becomes harder to identify individuals, but even there it is important to think about unusual characteristics which may make the patient stand out. Some doctors have fallen foul to this on twitter when making what they thought were generic comments about a type of patient they may have seen during a specific shift. However, at the same time you still have to have the correct data to treat your patient. This means that you need additional information in order to access all the information about your specific patient.
  2. Anonymisation: This means that you strip away all the identifying aspects from the data and can no longer identify the patient. This is a valid technique for research. You can no longer identify the person even if you have the additional information. As mentioned previously, it is very hard to anonymise medical data and there is a chilling report here for al those with any level of data protection responsibility about how supposedly anonymised health data sets were not so anonymous once compared to local newspaper reports. 43% of the individuals were identified.
  3. Encryption: This encoding of the data is very much more a technical aspect.  Most doctors would find it hard to know what questions to ask and then interpret the answers. However, thinking of specific clinical contexts may make the technical team think about uses and deviations which they had not come across.

In general, observing good medical practice will set you on the right road, but the questions come when you want to contract a new software.

  1. What / who is the data processor you use? Are they compliant with GDPR and what sort of guarantees do they offer?
  2. As this is sensitive data, how is it:
    1. Pseudonymised?
    2. Encrypted?
  3. How are you complying with data protection by design and default?

Although most clinicians without any programming or technical knowledge would find it hard to ask specific questions and then understand the answers. However, technicians don’t have the situation-specific understanding of how this data will be used and going through a typical consultation together step by step can help uncover moments when there may be data compliance issues. This is the data protection by default – only the sensitive data needed for the specific process can be processed. For example:

  • How do you lock the screen temporarily while examining a patient when family members may be present?
  • How do you deal with multiple doctors using the same computer?
  • How are blood results transferred between the laboratory and your EHR?
  • Are emails encrypted if you have to do a referral to a colleague?

The company selling you any software should be able to give you clear answers and explanations as to how they are helping you comply with your obligations as a data controller in the clinical setting. Your obligations when contracting a data processor are set out in Article 28, and even if you don’t know the article in detail (!), the people selling you the EHR should.



Sponsored Post Learn from the experts: Create a successful blog with our brand new courseThe Blog

Are you new to blogging, and do you want step-by-step guidance on how to publish and grow your blog? Learn more about our new Blogging for Beginners course and get 50% off through December 10th. is excited to announce our newest offering: a course just for beginning bloggers where you’ll learn everything you need to know about blogging from the most trusted experts in the industry. We have helped millions of blogs get up and running, we know what works, and we want you to to know everything we know. This course provides all the fundamental skills and inspiration you need to get your blog started, an interactive community forum, and content updated annually.

How do medical devices get approved

As a clinician it is not always clear what and how new medical devices get approved. Patients are often ahead of the curve especially if they have a chronic disease.  A combination of frustration at the industry not moving fast enough and patient knowledge can lead to movements such as the #wearenotwaiting movement in diabetes. Sharing of opensource code has led individuals to set up DIY pancreas systems hacking into commercial insulin pumps. However, these are not licensed and have not passed the test required by the FDA in the USA, nor do they have the CE mark required in the EU.

In the EU, the European Commission has set out to harmonise the interpretations of previous legislation which had differed according to different countries by bringing in new regulations which will be phased in between now and May 2022. For the non-specialist this means stricter pre-market controls and and EU wide database to pick up any post-sale problems with device ID cards to increase traceability. A group of European level specialists will need to authorise sales of new devices (which can include software) with a conformity assessment being carried out and clinical trials will be more strictly controlled. During the conformity assessment both the performance of the device plus the technical aspects are revised and audited. The regulation is also being expanded to cover more medical devices not previously included such as coloured contact lenses.

In the USA the FDA is in charge of clearing medical devices which have to have proven scientific value. Of note is the section of devices covered by the HUD or Humanitarian Use Device in which refers to devices for conditions affecting fewer than 4000 individuals in the USA per year. The traditional route which drugs currently have to undergo takes up to 10 years includes 4 phases of discovery & development, preclinical research, clinical research with 4 levels of trials, and finally an FDA review before any product can hit the market. This is obviously not going to be a viable option even for drugs in the future.

Artificial intelligence is throwing up new challenges to all regulatory authorities. The fact that artificial intelligence and machine learning inherently change all the time reacting to the data being processed lead to traditional pre and post-marketing checks becoming redundant. Although still in the consultation process the FDA would be looking at needing to be updated when algorithms change. As these algorithms are often the magic in the box which separates one manufacturer from another it will be interesting to see how commercial interests will align with safety regulations. Perhaps the future will be in more reactive regulations and more emphasis on analysing post-marketing data. This may mean limited approval in exchange for more detailed and personalised monitoring of patients using their own wearables and cloud info.


Insulin pumps and artificial pancreas

As expert patients go, there are few as expert as type 1 diabetics when it come to the latest technology. Patients with diabetes who turn up unwell in the ED with high blood sugars and an insulin pump can get diabetes nurse input before a transfer to ITU. However, ED docs and GPS can use the tech to help them out with some basic knowledge of how it works.

Insulin pumps

No access? Insulin pumps deliver insulin via a sub cut catheter which is changed every 48-72h. This catheter can be used to continue delivering insulin if:

– a blocked catheter is not the cause of the presenting compliant (DKA in it’s extreme)

  • Check for signs of infection around the catheter site
  • Ask when it was last changed – if high BMs have started after a catheter change this may be the cause although most DM patients know themselves to put insert a new one in if high BMs after a change.
  • Does the patient think it might be blocked?

no air bubbles are present in the tubing. Bubbles once identified can be purged and again the best person to ask is the patient themselves.

– the pump insulin is effective

  • Extreme heat and cold can affect the potency of the insulin itself but also the patient requirements themselves. Especially important to bear in mind with unexpected heat waves.
  • The cold chain needs to be maintained from buying to starting to use the insulin. Although once starting to use the insulin, it can be kept in a pump or bag if in an insulin pen, if there has been a break in the cold chain at the time of getting it from the pharmacy to the home fridge it may be a reason for it not being effective. It might be the case that if the patient has various boxes stocked at home they might not even remember this break in the chain.

If the diabetes team have reviewed the catheter and pump, you can ask about the possibilities of delivering ongoing insulin through the pump especially if the main presenting complaint is not specifically related to diabetes. All pumps work delivering a continuous infusion of fast acting insulin with boluses also of fast acting insulin. This is also the reason why insulin pump users are at a higher risk of DKA. They have no long acting insulin in their body should there be a problem with the pump delivery of  said short acting insulin.

DIY pancreas systems involve using the hardware of existing pumps and open source software with differing goals according to the software used. Generally the idea is to automate insulin delivery as much as possible, delivering more if the tendency is for blood glucose levels to increase and to stop basal delivery if levels are decreasing. Some commercial pumps also do this. The important point to remember are that if levels are falling quicker than expected, the pump may not stop in time so low blood sugar levels that need treating may still occur. Meal boluses that have been delivered can also not be taken back should the meal not be eaten or a greater quantity of insulin be delivered than needed according to the carbs eaten. Most of the pumps show active insulin i.e. recent boluses of fast acting insulin which are still active in the body.

CGM / Glucose level sensors

Many patients now have CGM or continuous glucose monitoring in one form or another. Results are sent to receptors which can be phones, smartwatches, insulin pumps and sensor specific receptors. These can avoid constant finger pricks and have the additional advantage of giving trends of blood glucose showing rapid falls or increases, and stability.

All results should be initially checked with finger pricks to ensure they are working properly and significant treatment decisions need finger pricks.

Unexpected results or feelings of hypo or hyper that do not correlate with the sensor reading need to be checked with a finger prick.

Furthermore, as there is a 5-10 minute time lag with the results of finger pricks due to being placed in the interstitial fluid, hypo or low blood sugar levels need finger prick checks.

They usually store 12-24h information within the receptor and weeks or months online which can be invaluable when it comes to finding out when alterations started.


  • Freestyle libre is a 35mm disc which if interrogated by a receiver can tell you the current glucose levels. It will only give you that information if it is interrogated. It may also not update properly especially if consistently at higher levels, so results should always be checked initially and periodically with a finger prick. It cannot be calibrated with a finger prick blood sample.

Freestyle libre

  • Dexcom is a true CGM in the sense that even if you do not interrogate it, it will continue sending the blood glucose levels every 5-10 minutes to the receptor which can be a phone, pump or dexcom receptor. The newer dexcoms don’t need to be calibrated with finger prick but the older ones will need a finger prick 2-3 times a day. Calibrating at times of rapid change will lead to inaccuracies and over calibrating too will affect the sensor algorithm. Having said that they are usually accurate although sensors can fail and inaccuracies can be the first signs of this.


  • Enlite sensors are linked to the Medtronic pumps and send the information directly to the pump every 5-10 minutes, or if using open source apps such as nightscout to a phone or smartwatch. Again these need to be calibrated a couple of times a day and the same points as to not over calibrating and checking against finger pricks is valid.


enlite sensornightscout

Learning on the go

As most medics have to fit in their CPD (continual professional development) around seeing patients, meetings and life in general, there is a wealth of professional podcasts on offer. Although some of these are quite specialised, many of them use easily understandable language with explanation of specialist terms used to make them accessible to all types of medics and therefore the general public prepared to learn about a specific topic.

Some examples of podcasts which anyone can listen to are:

Screenshot 2019-03-11 13.26.19Hypothermia  – The Resus Room. A combination of prehospital and ER doctors talk about how to deal with low temperatures with real life references backed up by the scientific papers. This and other topics covered mean you get the true version of ER.

The latest Evidence Based Medicine review of papers.  For any data scientists this is where to hear how your output will be analysed by clinicians…so you can preempt the criticisms.

Screenshot 2019-03-11 13.24.36MDTea podcasts – A multidisciplinary team talk about different topics affecting older patients including cancer, trauma, prostate issues and polypharmacy (use of many medications). Accessible to all and interest to any one who has personal or professional contact with older people but also an introduction to understanding how doctors work with many other different professionals.

Screenshot 2019-03-11 13.30.32The Good GP covers a wide variety of themes from measles to #AI in General Practise. Learn the posibilites offered by #AI in General Practice and for the #healthtech people a thought provoking talk about the real life challenges that need to be overcome. Also covers health records.



Silver trauma for the non specialist.

One of the joys of working in medicine is the life long learning as an individual but also as a profession. On the back of new data from the TARN database reflecting the reality of clinicians, there has been much talk as to how to assess and treat older patients who have had trauma. First of all what constitutes a trauma call in itself is being reassessed – for those who have never been involved the BMJ visual summary explains it all. A prealert is sent to the hospital by the ambulance service so that a multidisciplinary team involving emergency medicine, surgery, orthopaedicas, anaesthetics and others are present on patient arrival in the ER should the ambulance crew be called to a patient who triggers any of the alarm parameters such as a low blood pressure or a high risk mechanism of injury. Previously a fall >2m was deemed to be needing a trauma call but the big change is that in older patients falls from less than 2m were found to be the leading cause of multiple trauma in older patients. The severity of the trauma is assesses retrospectively over the patients time in hospital with an ISS injury Severity Score calculated on the basis of injury to different parts of the body many of which will not be identified until CT scan or even later on the ward especially in older patients. The challenge is therefore how to triage parents to a trauma call when so many older patients are brought in for falls on the floor. New guidelines for both clinicians and patients are needed. Here below an example for clinicians from the Royal Free London.

Screenshot 2019-03-06 19.41.21

Note that in older patients a systolic blood pressure of 110 and not 90 is a cause for alarm as is a GCS (Glasgow coma scale of assessing conscious level) of less than 15 even if it is their baseline. Importantly confusion can not be automatically attributed to baseline cognition issues (dementia) and delirium should always be considered as it can be fatal. The DTS calculator is a <20 second ER tool to rapidly rule out delirium as are the bCAM calculator or the CA2MS below- the important points to remember are that being quiet can still be delirium and controlling the basics such as analgesia and hydration help.

Download Delirium prompt card – ByramScreenshot 2019-04-03 12.50.16

Trauma patients are also often immobilised on their arrival so that their spinal cord is protected. This involves being taped into place between plastic blocks and being rolled in your entirety if you need to use a bedpan or vomit. A miserable if necessary experience at the best of times, for older patients a curved spine might make it even more uncomfortable and in the case of confused patients turn the whole experience into a very frightening experience. The jury is out as to whether the risks outweigh the benefits and it is always worth having the discussion as to whether full immobilization is needed and if so, to prioritise early imaging to remove blocks or collars if possible.


The easiest and most complete way to learn about this by listening to the MDTea podcast.…and further resources are available at the RCEM . HECTOR have been pioneering in looking at this and have a very complete guide as have Leicester who have a good introduction to the frail patient in general in the ED.

The Hearing Aid Podcasts

Presented by: Dr Iain Wilkinson Faculty: Pam Trangmar, Dr Cathryn Mainwaring, Susan Hendrickson, Rebecca Norton Release Date: 26th Feb 2019 Iain: Functional decline or lack of improvement is common in older adults with severe #frailty undergoing #TAVR or #SAVR.