Despite all the best will in the world and processes in places, data breaches can happen. Here’s what to do when/if it happens.
Despite all the best will in the world and processes in places, data breaches can happen. It can be as simple as a lost USB with patient information or a more sustained hacking attempt which affects only your clinic or you as part of a wider organisation which has been maliciously attacked.
Informing the supervisory body.
The most important point is that you have 72h to inform the supervisory body as soon as you are aware of the breach as per Article 33. If you don’t do this within 72h, you must give reasons as to why this wasn’t done. The information you will need to provide is:
- Nature of the breach:
- Categories of data subjects
- Numbers of data subjects.
- Numbers and categories of data records affected.
- Data protection officer contact details as well as those of other people who may be able to give relevant information.
- Explain the potential consequences of this breach.
- Explain what you have done so far and what you plan to do to mitigate the effects of the breach.
Informing the patient.
Once you have informed the supervisory authority, you need to notify the person whose data has been breached (data subject) in clear and plain language. As per Article 34, you do not need to inform the patient if:
- The data was encrypted or used other methods to ensure that it is unintelligible to persons not authorised to access it.
- The data controller has taken extra measures to ensure the risks of the data breach are not likely to materialise.
- It would involve a disproportionate effort. Public communication would be the alternative in this case.
If the supervisory authority feels that this is a high-risk situation and you have not informed your patient/data subject, they make take on the task of informing patients about the data breach and its potential consequences.
Health data is by definition and function sensitive data, but as anyone seeing patients knows, it is not always practical to get consent when treating a sick patient.
It is not necessary to encrypt or anonymise patient data if:
- The patient as given express consent.
- It is in the vital interest of the patient, and the patient is unable to give consent. E.g., an unconscious patient arrives in the ER or if the patient is a minor.
- The professional processing the data to provide health care is already under a professional obligation to treat patients according to a code of confidentiality. This is the Hippocratic oath and all other versions which have followed.
When you do find out more information about, for example, an unconscious patient, you are under the obligation to update records immediately. Again standard practise for medical professionals before the GDPR was brought in.
It’s a short article because it’s a short message.
Don’t let the fear of data protection legislation stop you saving lives!
When you share patient data as a doctor, for example, referring your patient to a cardiologist colleague, you are ‘disclosing personal data’. You don’t have to disclose the transfer of the information to the patient or data subject if you are still respecting professional confidentiality. The receiver or recipient of this data then becomes the data controller with the inherent obligations.
Patients too have the right to take their data with them wherever they go, this is the right to data portability.
Apps are not covered by professional confidentiality. So any changes in who has access to or is processing the data have to be informed in full to the app user including the identity of the new app data controller, the categories of data which will be used and the recipients of the data among others. It is a long list, but how many people just click on the “updated terms and conditions” without reading them? Most of us…
Being based outside the EU does not exempt an app from complying with GDPR if the data subject or app downloader is based in the EU. So unless you are 100% certain that you are complying with GDPR you should limit your app store access to countries not covered by the GDPR.
If the data is being shared outside the EU (of particular interest in the context of Brexit), then similar levels of protection should be requested. Chapter V covers the transfer of data outside of the EU and clearly states that once the EU has decided if the minimum requirements are met, this has to be reviewed every 4 years. It is the European Commission who decides if the standards are being met
You may think that ensuring compliance with data protection in a large organisation is even harder than in a smaller clinic. However, it can be the complete opposite as you may find yourself having to appoint a Data Protection Officer (DPO) who takes over this role. Whether you need to do this or not will depend on the conclusions of a Data Protection Impact Assessment (DPIA) as per Article 35.
The use of new technologies such as EHR or health apps combined with large quantities of sensitive data such as in the case of a hospital means it is necessary to carry out a DPIA following the advice of a DPO. It is the data controller (doctor or other in charge of the data) who has to instigate this.
Data processors too have to think about a DPIA and if you are developing a health app this means you also have a responsibility:
When appointing a DPO, whether in the context of a larger clinical setting or app development, you can use the same DPO as other establishments as long as you easy access to that person. They can be part of your staff (and potentially fulfil other functions). You must communicate who your DPO is to the supervisory authority.
Even if a DPO is appointed the data controller is still required to record all the processing activities.