Risks involved in processing health data
As Anna’s doctor explained, using commercial apps in a medical context is not always as easy or as advisable as one might think. Three elements matter when modern technologies are used in a professional setting: access, storage and accuracy. From a professional point of view, it is very important that the devices used are tested and that all three elements are met, because healthcare professionals will rely on the information in a patient’s treatment plan.
Processing health data
By now you are probably aware of the fact that processing health data is not limited to the medical context. Health data can also be processed by individuals measuring their own health via, for example, modern technologies. In a previous step you discussed with other learners that although health data is considered to be sensitive data, it can still be processed if explicit consent is given by a data subject, like Anna.
The healthcare industry is highly data intensive. Both inside and outside the medical context there are risks involved in using modern technologies for processing health data. For as long as health data has been collected, there have always been risks involved with processing sensitive health data. However, due to modern technologies, these risks have changed. For a healthcare institution, like a hospital, this means that new protocols and new technical and organisational measures have to be taken. We will hear more about this from the security officer of Anna’s hospital later this week.
Besides the risk of health data being used or sold for commercial purposes, there is the risk of data breaches. The health sector is the most affected sector: in 2015 almost 2,000 incidents involving 392 million health data records were reported. Many of these records can be found and bought online via illegal marketplaces. This is why the GDPR requires notification of a data breach to the national supervisory authority (Article 33 GDPR).
In case of a data breach, the controller, such as a hospital or an app company, has to inform the competent supervisory authority about the breach. This has to be done within 72 hours after becoming aware of it. Article 33(3) sets out what the notification needs to contain: the nature of the personal data breach, its likely consequences and the measures taken to address it. This last requirement in particular prompts the controller to consider which measures could prevent a future breach. In this way, the GDPR encourages organisations to reflect on their technical and organisational structure.
Have you by any chance heard of any data breaches in the news lately? If so, please share your story on the discussion board.
© University of Groningen