Skip main navigation
We use cookies to give you a better experience, if that’s ok you can close this message and carry on browsing. For more info read our cookies policy.
We use cookies to give you a better experience. Carry on browsing if you're happy with this, or read our cookies policy for more information.

Skip to 0 minutes and 3 secondsMELANIA TUDORICA: Processing personal data leads to risks to the rights and freedoms of persons, even more so if it concerns sensitive data like health data. As you learned this week, the GDPR provides for legal measures to limit the impact of these risks. It provides data subjects with rights and controllers and processors with obligations. You may recollect Anna's doctor explaining that there are risks involved with processing personal data both in the online and offline worlds. In the offline world, doctors can leave a hard copy patient file unattended while running off to an emergency. The same goes for leaving a computer with a patient file open, unlocked, and unattended.

Skip to 0 minutes and 42 secondsHowever, technical measures can be put in place to make sure the computer locks itself after a certain amount of time. This is also required by the GDPR. It requires controllers to take appropriate technical and organisational measures, depending on the severity of the risk for the rights and freedoms of persons. These measures need to be organisation specific, as the information security officer of Anna's hospital will explain in Week 2. Organisations such as hospitals need to assess their data security risk by considering the risks involved in processing personal data. The recitals of the GDPR mention risks such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure, and unauthorised access.

Skip to 1 minute and 23 secondsThink, for example, of a data breach when a receptionist of a hospital accesses a patient file. This would entail a data breach, because she does not need to have access to treatment information for carrying out her tasks as a receptionist. Due to the very nature of modern technologies, unauthorised access can, however, also take place from outside the hospital. One of the most well-known risks are cyber crimes-- for example, when hackers target health data records, which can be sold for a lot of money on illegal online marketplaces. Hackers can also use ransomware to target hospitals by placing lockwires on the hospital's main server to block the entire system.

Skip to 2 minutes and 1 secondThis way, hospitals are completely prevented from carrying out their daily operations and are blackmailed to pay a high amount of ransom. As you may imagine, these risks put a high strain on the IT department of the hospital. Another risk inherent of modern technologies is the use of health data by individuals. We saw Anna using a running app, posting her run on social media, and using a search engine to inform herself about pregnancy. What happens behind the scenes of these websites is that her digital footprint is tracked and used by profilists to generate her profile and sell it to the highest bidder. Anna sees the output come back to her in targeted advertisements on baby products.

Skip to 2 minutes and 41 secondsYou can imagine that these profiles are not only interesting for advertisement purposes, but also, for example, for insurance companies. Finally, also inherent to modern technologies is that data is not limited to countries' borders, because data can be transferred and stored anywhere in the world. Offering a similar level of protection within the EU is one of the reasons why the GDPR was created. However, when personal data moves across borders outside the EU, there is an increased risk to maintain the high level of protection offered by the GDPR. It might be, for example, more difficult for people to exercise their data protection rights.

Skip to 3 minutes and 17 secondsThis is why the GDPR provides for strict rules for transfer outside the EU, and you will learn more about this in Week 2.

Risks involved with processing health data

Processing personal data may lead to risks to the rights and freedoms of persons. Even more so if it concerns sensitive data, like health data. The GDPR provides for legal measures to limit the impact of these risks. It provides data subjects with rights and controllers and processors with obligations. The GDPR requires controllers to take (organisation specific) technical and organisational measures depending on the severity of the risks for the rights and freedoms of persons.

Risks include accidental or unlawful destruction, loss, alteration, unauthorised disclosure and unauthorised access (data breach). A data breach may be internal or external due to the very nature of modern technologies. One of the most well-known external risks are cybercrimes. These risks put a high strain on the IT department of a healthcare institution.

Another risk inherent to modern technologies is the use of health data by individuals. What happens behind the scenes of websites is that digital footprints are tracked and used by profilers to generate profiles which can be sold to the highest bidder. The result of this is most often targeted advertisements. People are mostly not even aware of this.

Finally, also inherent to modern technologies is that data is not limited to countries’ borders. Data can be transferred and stored anywhere in the world. Offering a similar level of protection within the EU is one of the reasons why the GDPR was created. However, when personal data moves across borders outside the EU, there is an increased risk to maintain the high level of protection offered by the GDPR. It might be for example more difficult for people to exercise their data protection rights. This is why the GDPR provides for strict rules for transfer of data outside the EU.

Share this video:

This video is from the free online course:

Protecting Health Data in the Modern Age: Getting to Grips with the GDPR

University of Groningen

Contact FutureLearn for Support