Skip to 0 minutes and 3 secondsTRIX MULDER: In order to protect personal data or in this case sensitive health data, organisations have several general legal obligations based on the GDPR. Your GP's office, the hospital, and other health care institutions have to comply with these rules. The GDPR determines that data controllers, such as hospitals, need to implement appropriate technical and organisational measures to ensure the right level of protection. Pseudonymisation and encryption are examples of technical measures mentioned by the GDPR. Organisational measures may include, for example, a hospital's policy on access control. The GDPR, furthermore, determines that organisations have to implement measures to ensure data protection by design and by default. Data protection by design are built-in technical safeguards.

Skip to 0 minutes and 51 secondsFor example, when a health care institution wants to develop a new system, they have to take the rights of the patients into account from the design stage of the system. Data protection by default means that only personal data which are necessary for the specific processing purpose are processed. For example, a receptionist working in a hospital should not be able to access a patient's file. Because this is not necessary for performing the assigned task of the receptionist. Furthermore, health care institutions need to be able to show compliance with these general obligations, meaning that the national supervisory authority may investigate if a hospital has taken sufficient technical and organisational measures and that there may be consequences for noncompliance.

Skip to 1 minute and 34 secondsThese general legal obligations apply to health care institutions as a whole. However, medical personnel also have obligations derived from their role. You already saw Anna's neighbour telling you about her obligations, both from the oath she took and from her contractual obligations.

Skip to 1 minute and 50 secondsCHANTAL: We don't share anything. We are bound by an oath. We have the same confidentiality as the doctors. And I wouldn't even think about sharing her personal information she shares with us.

Skip to 2 minutes and 3 secondsTRIX MULDER: The same goes for doctors who have taken the Hippocratic oath. This oath means that doctors cannot reveal any information about their patients due to doctor/patient confidentiality, which is nowadays often not only an oath but also a legal obligation. We asked Anna's doctor what doctor/patient confidentiality is and how it works.

Skip to 2 minutes and 25 secondsDOCTOR: Well, in fact, it means that everything a patient tells me is a secret. So I can't talk about it. And there are only exceptions to the rules when there is danger for this person or when there is a huge danger for society. But luckily, I never get into this situation.

Skip to 2 minutes and 44 secondsTRIX MULDER: And how does doctor/patient confidentiality work with electronic health data? Is there a difference between electronic and hard copy patient files?

Skip to 2 minutes and 51 secondsDOCTOR: No, I don't think there's a difference. But the risks are different. Because if you have a paper and you forget it somewhere because you get in an emergency situation for example and you run off, it's still there. But the same applies to my computer. Because if I run off and it's still open, then someone can see it. I think the only problem is when people are looking for it to get into the data. Then if they really want to, I think there's opportunities in any way. And the exact way how it's protected, I'm not really sure. You should ask our security officer. Because they know exactly how to best protect protection for these data work.

Skip to 3 minutes and 31 secondsTRIX MULDER: We will ask the information security officer of Anna's hospital how health data is protected from a technical perspective in Week 2. But for now, let's continue with the obligations for sensitive data.

Obligations for organisations and medical professionals

In order to protect personal data, or in this case, sensitive health data, organisations have several general legal obligations based on the GDPR. The GDPR determines that data controllers, such as hospitals, need to implement appropriate technical and organisational measures (such as pseudonymisation, encryption and policies on access control) to ensure the right level of protection.

The GDPR furthermore determines that organisations have to implement measures to ensure data protection by design (built in technical safeguards) and by default (only personal data which are necessary for that specific processing purpose can be processed).

These healthcare institutions need to be able to demonstrate compliance with these general obligations, meaning that a national supervisory authority may investigate if a hospital has taken sufficient technical and organisational measures and that there may be consequences for non-compliance.

These general legal obligations apply to healthcare institutions as a whole. However, medical personnel also have obligations derived from their role. Confidentiality means that doctors cannot reveal information about their patients due to doctor – patient confidentiality.

Share this video:

This video is from the free online course:

Protecting Health Data in the Modern Age: Getting to Grips with the GDPR

University of Groningen