
Obligations for organisations and medical professionals

This video discusses the obligations for organisations (including measures to be taken) as well as obligations for medical professionals.

In order to protect personal data, or in this case sensitive health data, organisations have several general legal obligations under the GDPR. The GDPR requires data controllers, such as hospitals, to implement appropriate technical and organisational measures (for example pseudonymisation, encryption and access control policies) to ensure a level of security that is appropriate to the risk of the processing (Article 32).

The GDPR furthermore requires organisations to implement data protection by design (technical safeguards built into systems and processes from the outset) and by default (only the personal data necessary for each specific processing purpose are processed, and no more), as set out in Article 25.

Healthcare institutions must also be able to demonstrate compliance with these general obligations (the accountability principle). In practice this means that a national supervisory authority may investigate whether a hospital has taken sufficient technical and organisational measures, and that non-compliance can have consequences, such as enforcement measures or fines.

These general legal obligations apply to healthcare institutions as a whole. However, medical personnel also have obligations derived from their professional role. The most important of these is medical confidentiality: doctors, and other medical professionals, may not reveal information about their patients to third parties, because of the duty of confidentiality that exists between a doctor and their patient.

This article is from the free online course Protecting Health Data in the Modern Age: Getting to Grips with the GDPR, created by FutureLearn.
