General Data Protection Regulation (GDPR) will apply directly to the UK on 25 May 2018 bringing important changes and additional measures to consider…
What is the GDPR?
The General Data Protection Regulation (GDPR) will apply directly to the UK on 25 May 2018, but will also be incorporated into UK law by the Data Protection Bill. The new legislation will strengthen the controls that organisations as data controllers are required to have in place over the handling of the data of their staff and service users. Organisations which already have robust measures in place to comply with the current data protection regime (under Data Protection Act 1998) will be well on the way to meeting the requirements of the GDPR, but there are some important changes and additional measures to consider.
Under GDPR, in an important change in terminology, the concept of “sensitive personal data” under DPA 1998 is replaced with “special categories” of data. These are subject to a higher standard of protection than general personal data.
It is important to note that the new regime will come with significantly higher penalties for non-compliance attached. Fines can be imposed to a maximum of 20 million Euros or 4% of turnover. However, for a healthcare organisation, the accompanying adverse publicity and loss of trust are also likely to be extremely damaging.
What will GDPR mean for healthcare bodies?
Under the GDPR, healthcare bodies will be required to:
- Appoint a Data Protection Officer (see below)
- Carry out a Data Protection Impact Assessment (DPIA) before any new process, system or way of working goes live (where ‘high risk’ processing which may impact on the rights of individuals may be involved. Note that any mass processing of health data is likely to be ‘high risk’)
- Be able to demonstrate compliance with data protection law (under the new concept of ‘accountability’)
- Keep records of data processing activities
- Adhere to specific requirements for transparency and fair processing of data
- Be aware that the use of ‘consent’ as a basis for processing data will be much more limited and consider whether an alternative basis for processing is appropriate in some circumstances
What does GDPR say about health data?
The GDPR treats health data as a “special category” of personal data, which is considered to be sensitive by its nature. Processing of such data is prohibited unless exceptions apply.
The three “special categories” of data which have particular relevance to healthcare organisations are as follows:
- Genetic data – This means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question (Art.4(13))
- Biometric data – This means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data. (Art.4(14)) (NB: dactyloscopic data refers to data related to fingerprint identification)
- Personal data concerning health – This means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status. (Art.4(15))
The ICO website provides further information on the lawful bases for processing data and the exemptions to prohibitions on processing data.
Processing health data
Under GDPR, The processing of “special categories” of data is subject to conditions. For healthcare purposes, the processing of these three categories of data is prohibited unless one of three conditions applies:
- The data subject must have given “explicit consent” to the processing
- Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services
- Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices
It is not clear how explicit consent will differ from the usual high standards of consent imposed under the GDPR. According to ICO guidance, the threshold for obtaining employee consent is high across the board. However, the key difference between the two is likely to be that, while consent in general may be made either by a statement or clear affirmative action, explicit consent will require “a very clear and specific statement of consent” which must be “expressly confirmed in words, rather by any other positive action”. Therefore, a simple tick box will not satisfy the requirements of explicit consent… READ FULL ARTICLE