Privacy Update! Do you want to keep hearing from us? Your Personal Data and how we manage it. Sound familiar? My email inbox is FLOODED with requests from companies asking me to opt in to receiving their emails, promotions and information about their services, along with reminders that I can opt out at any time using the unsubscribe button. Wondering why?
GDPR EFFECTIVE May 25th, 2018 for Greater Protection of EU Citizens Personal Data.
This Friday, May 25th, is the day the General Data Protection Regulation, or GDPR, comes into practice. This does not mean that your personal data has not been protected before now. By coming into force as a regulation, “data protection authorities will have harmonised powers and will be able to impose fines to businesses up to 20 million EUR or 4% of a company’s worldwide turnover” 1 (whichever is higher).
GDPR: People First
The new regulation first and foremost protects your personal data, and secondly it requires every business dealing with the personal data of an EU citizen to follow the same rules.
Personal data includes any information that can be used to identify you, such as your name, home address, ID card number or Internet Protocol (IP) address. Certain categories are treated as sensitive and get extra protection: genetic information, biometric information and any information regarding your health status may be collected and used only under specific conditions, for example with your explicit consent or where another specific legal basis applies.
GDPR sets out a list of rules that businesses and organisations need to follow so that your personal data is protected. First of all they need to tell you very clearly why they are keeping your data, how and where they are storing it, for what specific purpose they are using it, and how you can access your data, have it corrected or have it erased. Where an organisation relies on consent as its legal basis, you must, having read and understood its policy, give your consent to some or all of its data processing.
What does it mean for healthcare providers and organisations?
GDPR applies when a person’s data is collected, used or stored digitally, or in a structured filing system on paper 2. So all healthcare providers should be making their patients aware of how they manage personal data.
The HSE has a publicly available guide to understanding GDPR; see the links at the end of this post.
“Healthcare providers in particular should be aware that some sensitive data, such as data concerning health, racial or ethnic origin, political opinions and sexual orientation, has special protection. It can be collected and used only under specific conditions, for instance because someone has given you explicit consent or the national law allows it”2.
According to the Information Governance Alliance, “in many health and social care contexts obtaining GDPR-compliant consent (which is stricter than that required for confidentiality) may not be possible. Health and social care professionals may not need to change consent practices that meet confidentiality requirements where their organisation does not rely on consent as the basis for lawful processing for GDPR purposes” 3. If you are unsure and you work for the HSE, you should contact the appropriate Data Protection Officer, whose contact information is linked below. Alternatively, the office of the Data Protection Commissioner has more information on the gdprandyou.ie website.
If you are thinking of switching to an Electronic Healthcare Record and you are contracting someone to turn paper files into digital files, there are some important considerations, shown in the following infographic from the GDPR Coalition in Ireland 4.
HSE and GDPR
The HSE privacy statement is available on the HSE website 3. It outlines the legal basis for processing health data as follows:
- The processing is necessary in order to protect the vital interests of the person (referred to as the data subject in data protection language). This would apply in emergency situations, such as a patient arriving unconscious at the Emergency Department, or sharing information with other emergency services for rescue or relocation during storms.
- The processing is necessary for a task carried out in the public interest or in the exercise of official authority vested in the controller; for the HSE this official authority is vested in it through the Health Act 2004 (as amended).
Accessing personal information held by the HSE
If an individual wishes to access the personal data held by the HSE, they can submit a Subject Access Request (SAR) to obtain the following information 7:
- the reasons why their data is being processed;
- a description of the personal data concerning them;
- anyone who has received or will receive their personal data; and
- details of the origin of their data, if it was not collected directly from them.
Where to get data protection advice?
The HSE is developing a National Data Protection Office and will appoint an independent Data Protection Officer. Deputy Data Protection Officers (DPOs) within the Consumer Affairs division can provide advice and will determine whether escalation to the National Data Protection Office is appropriate 5.
Know your Rights and Responsibilities
Whether you are an individual whose data is being protected or a business that needs to protect an individual’s data, it is important to know your rights and responsibilities. Hopefully the information and links here will help you to understand more about GDPR and what personal data means.
- EU Data protection Factsheet changes https://ec.europa.eu/commission/sites/beta-political/files/data-protection-factsheet-changes_en.pdf
- EU Data Protection Overview for Citizens https://ec.europa.eu/commission/sites/beta-political/files/data-protection-overview-citizens_en.pdf
- Information Governance Alliance, GDPR consent guidance (igagdprconsent.pdf)
- HSE GDPR Policy and Training Materials https://www.hse.ie/eng/gdpr/hse-data-protection-policy/
- Contact information for Deputy Data Protection Officers https://www.hse.ie/eng/gdpr/gdpr-faq/
- HSE Privacy Notice for patients and service users. https://www.hse.ie/eng/gdpr/hse-data-protection-policy/hse-privacy-notice-patients-and-service-users-pdf.pdf
- HSE GDPR FAQ https://www.hse.ie/eng/gdpr/gdpr-faq/
- Infographics were obtained from the GDPR Awareness Coalition – a not-for-profit, fixed-term initiative gdprcoalition.ie