TRIX MULDER: While following Anna on her medical journey, we saw that questions of confidentiality were raised when she saw her neighbour in the hospital. Anna's doctor explained how doctor-patient confidentiality works in practice. She explained that there are always risks involved when working with personal data, whether it's an electronic or hard-copy patient file. This is why the GDPR provides for provisions relating to the security of personal data. To ensure an adequate level of protection, an organisation, such as a hospital, has to take appropriate technical and organisational measures. This includes pseudonymisation and encryption of data. But there's more. Let's hear from the information security officer at Anna's hospital.
BERT MOORLAG: My name is Bert Moorlag, and I'm the corporate information security officer at the University Medical Centre in Groningen. The University Medical Centre is a hospital and a centre for medical research and education, and is one of the largest organisations in the north of the Netherlands, with more than 10,000 employees. As a corporate information security officer, I advise and help the organisation with information security, and for me security covers three aspects: confidentiality. Are you allowed to see the data? Integrity. Is the data correct and complete? And availability. Can you access the data at the time and place you need it?
TRIX MULDER: These three aspects are also mentioned by the GDPR, which determines that an organisation like a hospital must ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services. Each organisation has its own policy in this regard.
BERT MOORLAG: Information security helps to assure that the quality of the data is in accordance with the needs of the organisation. In the hospital, the quality of data is very important for patient safety. In the Netherlands, there is an information security standard for health care, based on the international standard for information security, ISO 27000. Risks cannot always be avoided, but you need a policy on how to handle them.
TRIX MULDER: These policies need to be organisation-specific, meaning that they need to address the risks of processing of that particular organisation. This might be different for hospitals, pharmacies and your GP's office, but it even varies between hospitals depending on external and internal factors. For example, in Anna's hospital, account needs to be taken of the possibility of earthquakes, which could affect the availability of the data. A hospital in Amsterdam does not need to take this risk into account. One of the ways to tackle risks is to anonymise data. As we heard from the research nurse, research data is anonymised when it is shared between institutions. However, patient data cannot be anonymised, because a doctor needs to know that a particular test result belongs to that particular patient.
BERT MOORLAG: Patient data is used for health care. This is why it cannot be anonymised. The data identify patients, and health care professionals need to identify patients to provide the right treatment to the right patient. Only staff who need to use the data have access to patient files. As a security officer, I don't need the data, and therefore I don't have access to patient data.
TRIX MULDER: If it does happen that a patient file is accessed by someone who is not authorised, the GDPR determines that there is a data breach. This data breach needs to be notified to the national supervisory authority, and in some cases communicated to the patient. Another way to prevent a data breach is to not keep the data longer than necessary. When health data is no longer necessary for the treatment of the patient, the GDPR determines that the patient has the right to request erasure of that data.
BERT MOORLAG: By law, patient data is generally kept for 15 years. Some data has to be kept for a longer period of time. The data stored on the information system of the hospital is treated the same as patient data saved in a readable digital format.
TRIX MULDER: We will discuss data retention later this week. But first, we would like you to think about the question in the next step.
There are always risks involved when working with personal data, whether it is an electronic or hard-copy patient file. This is why the GDPR provides for provisions relating to the security of personal data. Information security covers three aspects: confidentiality (are you allowed to see the data?), integrity (is the data correct and complete?) and availability (can you access the data at the time and place you need it?).
To ensure an adequate level of protection, the GDPR provides that appropriate technical and organisational measures need to be taken. These may include anonymisation, pseudonymisation or encryption of data, but also organisation-specific policies which address the risks of processing of that particular organisation. Such policies are necessary because risks cannot always be avoided and must therefore be handled.
One of the risks involved is unauthorised access. If a patient file is accessed by someone who is not authorised, the GDPR determines that there is a data breach. This breach needs to be notified to the national supervisory authority (under the GDPR without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it) and, where it is likely to result in a high risk to the patient, communicated to the patient as well.
Another way to prevent a data breach is not to keep data longer than necessary. When the health data is no longer necessary for the treatment of the patient, the GDPR determines that the patient has the right to request erasure of that data. That right does not, however, override a legal obligation to retain the data: the law furthermore prescribes a period for which patient data must be kept. We will discuss data retention later this week.
© University of Groningen