What is the General Data Protection Regulation, when and to whom does it apply?
The General Data Protection Regulation (GDPR) is a directly applicable European Union (EU) legal act, which started to apply on 25 May 2018. The purpose of the GDPR is to improve the protection of the rights and freedoms of EU citizens, to ensure the free and secure movement of data across Europe, to increase corporate responsibility for improper processing of personal data, to establish uniform data protection requirements across the EU and to give individuals more possibilities to control where and how their data are used.
The GDPR is relevant to all organizations that maintain databases of personal data (e.g. patient data), send newsletters, conduct video surveillance, record telephone conversations, offer loyalty programs, process the personal data of their employees, and so on. The GDPR applies to the processing of personal data wholly or partly by automated means (for example, by use of video cameras, recording of telephone conversations, accumulating data in databases) and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system (e.g. in medical records, files).
The GDPR does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity, the processing of personal data of deceased persons, data of legal entities (except for personal data of the employees of legal entities), also in other cases provided for in the GDPR.
What new requirements are set in the GDPR and to what extent are they relevant for health care institutions?
The GDPR provides for a number of novelties in the area of data protection. One of the more important GDPR novelties is data protection impact assessment (DPIA). It is a process intended to determine a possible impact on persons, whose data are processed, to identify possible threats and risks and ways to manage them. The DPIA is an important reporting instrument – the State Data Protection Inspectorate, when inspecting personal data processing operations, will require presentation of a DPIA report. The GDPR provides for fines to be imposed for failure to perform the DPIA.
The GDPR provides that DPIA must be performed before starting personal data processing that is likely to result in a high risk to the rights and freedoms of natural persons, and gives a non-finite list of such operations, e.g. processing on a large scale of special categories of data (data concerning health, biometric data, genetic data, etc.), a systematic monitoring of a publicly accessible area on a large scale. In addition, the State Data Protection Inspectorate by its order of 14 March 2019 approved a list of cases, when a DPIA is required: (i) processing of personal image data, when video monitoring is performed in health care institutions; (ii) when telephone conversations are recorded (e.g. during registration of patients); (iii) when employees’ personal data are processed for monitoring or control purposes, monitoring their communication, behaviour, location or movement (e.g. GPS tracking of vehicles; monitoring of employees’ activities by use of information systems of a company); (iv) in other cases provided for in the list of the State Data Protection Inspectorate (e.g. processing of genetic data for evaluation of personal properties or for assignment of points, including profiling and forecasting). All health care institutions, that plan the above-described personal data processing activities, must perform a DPIA at first. Even if these data processing operations started before the application of the GDPR, taking into account the sensitivity of processed personal data, it is recommended to perform a DPIA according to the GDPR requirements in order to assess possible risks and measures necessary for management of these risks.
Another novelty brought by the GDPR is the office of the Data Protection Officer. This person is kind of an internal auditor of the organisation, whose task is to help to ensure the organisation’s compliance with the GDPR requirements, to advise the management and other employees on data protection issues, to be a contact person for the State Data Protection Inspectorate and data subjects. An employee of the institution can be appointed as the Data Protection Officer, however in such a case it is important to avoid a conflict of interest. A conflict of interest could arise if the employee of the institution also held the office of the head of the institution, the head of the administrative personnel, the Chief Financial Officer, the head of human resources, the head for IT or a similar executive office. Functions of the Data Protection Officer can also be performed by an external service provider. In this case, it must also be ensured that when he performs the tasks and duties of the Data Protection Officer, such performance does not result in a conflict of interest (e.g. this person cannot represent the institution in courts in legal proceedings in connection with data protection). If functions of the Data Protection Officer are performed by an external service provider – another legal entity, it is recommended to have a services agreement which would provide for clear distribution of tasks and to appoint one specific person as a key contact person responsible for the institution. When appointing a person as the Data Protection Officer, it is recommended to take into account his professionalism, ability to perform his tasks, having expert knowledge in data protection law and practice (e.g. understanding of data processing operations performed, good knowledge of information technologies and data security, etc.). The appointment of the Data Protection Officer must be notified to the State Data Protection Inspectorate.
Another novelty provided for in the GDPR and which is relevant for health care institutions is records of data processing activities, where the performed personal data processing must be described in detail (e.g. processing of personal data of patients, employees of the health care institutions, employees of counterparties, etc.). These records of activities carry out kind of the function of the internal register of data processing in a company or organisation – they describe all categories of processed data and processing operations.
Do health care institutions have to appoint the Data Protection Officer?
Yes, the GDPR provides that all the organisations, the core activities of which involve processing on a large scale of special categories of personal data, must have a Data Protection Officer.
What are organisational and technical security measures and why is it important to have them in place in the activities of the institution?
Organisational and technical security measures (internal procedures for data protection, employee training, data encryption, making of back-up copies, etc.) help to ensure the protection of processed personal data and prove compliance with the GDPR.
We have already seen the first GDPR fines for failure to have such measures in place. On 17 July 2018, a fine of EUR 400,000 was imposed on the Portuguese hospital Centro Hospitalar Barreiro Montijo as all doctors working in the hospital, irrespective of their specialisation, had unlimited access to all patient data, the hospital information system had more user accounts than the actual number of employees, and profiles of doctors, who were no longer working in the hospital, continued to be used, their access rights were not cancelled, the hospital also did not have any approved internal legal acts, establishing the procedure of creation and use of the information system. Quite recently, a fine of EUR 460,000 was also imposed on the Hague hospital in the Netherlands for failure to ensure adequate protection of patients’ personal data. The Dutch supervisory authority also instructed the hospital to ensure security of patients’ personal data by 2 October 2019. If this instruction were not obeyed by the indicated date, an additional fine of EUR 100,000, payable every two weeks, was to be imposed on the hospital, setting the maximum fine of EUR 300,000 for failure to obey the instruction in time. Thus, the total fine that the Hague hospital may have to pay for the non-compliance with the GDPR is EUR 760,000.
How to know if the institution has the necessary organisational and technical security measures in place?
The GDPR does not give an express and clear answer what specific security measures must be in place. This responsibility rests on the organisation, which in each specific case must assess itself the character and goals of the data processing carried out by it and possible risks to the rights and freedoms of natural persons and select the most adequate security measures.
The State Data Protection Inspectorate has approved several guidelines in this area: the Guidelines for Ensuring Security of Personal Data Processed in Health Care Institutions of 2017 and the Guidelines for Implementation of Proper Organisational and Technical Data Security Measures of 2018. These documents can be a perfect starting point in assessing what is most relevant for each specific health care institution.
What is personal data breach and what to do if it happens?
Probably many of us still remember the incident in a plastic surgery clinic in 2017, when patients’ personal data of special categories, regarding health care services provided to them, diagnoses, treatments given, were stolen and afterwards made public. It is a typical personal data breach. Personal data breaches also include cases of accidental or unlawful destruction, modification of personal data, unauthorised disclosure of or unauthorised access to personal data. For example, if a patient’s blood test data are sent to a person not entitled to get them, the patients’ database is accidentally destroyed beyond recovery, a portable computer with patients’ personal data is lost.
In such cases, the GDPR provides for a duty to notify the State Data Protection Inspectorate within 72 hours after becoming aware of the personal data breach, unless such personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. When the personal data breach is likely to result in a high risk, persons whose rights and freedoms are at risk must be informed without undue delay.
In order that a health care institution would be able to identify, investigate, manage personal data breaches and to notify about them properly and in time, it is important to have clear procedures ready and to train employees. Everyone, from administrative personnel to doctors, should know what a personal data breach is, that it is necessary to inform the Data Protection Officer or another responsible person within the institution about it without delay. If a health care institution defaults on these requirements, fines provided for in the GDPR may be imposed. The amounts of fines provided for in the GDPR are really impressive – non-compliance with the GDPR, depending on the character of the infringement, can be subject to administrative fines of up to 4 % of the total worldwide annual turnover of the preceding financial year or EUR 20,000,000, whichever is higher.
What is happening in Lithuania?
As previously, the State Data Protection Inspectorate actively carries out its functions and duties as a supervisory authority: starts investigations on its own initiative, examines persons’ complaints regarding improper processing of personal data or improper exercise of their rights and imposes fines and/or gives instructions. However, after the GDPR started to apply, interest in this area grew a lot. Accordingly, the State Data Protection Inspectorate is also more attentive in its activities, especially when there are reasonable suspicions that personal data are processed disregarding legal requirements.
Therefore, today it is no longer enough just to have formal rules on personal data processing in the institution. It is important to responsibly review personal data processing processes carried out in your institution, to assess risks, organisational and technical security measures, to train employees in responsible processing of personal data and to form the organisational culture of personal data processing in general.
The interview was carried out by Ramutė Pečeliūnienė from the magazine Lietuvos gydytojo žurnalas. The article is the property of Lietuvos gydytojo žurnalas.