[0:04] My name is Boudien Sieperda, and I'm the Data Protection Officer, DPO in short, at the University Medical Centre in Groningen. Within the UMCG, I am part of the Privacy Work Organisation, which is a subdivision of our Office of Legal Affairs. With this Privacy Work Organisation, I work with a number of colleagues with different backgrounds and expertise, including lawyers and information security officers. Hospitals process large amounts of sensitive health data. This is why the GDPR provides that the DPO needs to be appointed. My colleagues involve me whenever an issue relating to the protection of personal data arises within the hospital organisation. As DPO, I have a number of main tasks.

[0:47] I supervise all issues related to the processing of personal data within the UMCG and monitor compliance with the principles of the GDPR and other policies and regulations of data protection, and I inform and provide advice to all staff members on how best to handle issues relating to privacy in such a way that it does not affect their day-to-day job. I enable them to process personal data while being compliant with the GDPR. I furthermore provide advice when data protection impact assessments need to be carried out, and then cooperate and act as a contact person for the supervisory authority. The best part of my job is, however, to raise awareness and train my colleagues in data protection aspects of processing operations.

[1:30] I help my colleagues to identify risks and find the appropriate safeguards. This is fun and challenging because you need to strike the right balance between privacy protection on the one hand and providing good health care on the other hand. The UMCG is a health care institution where privacy and confidentiality are crucial aspects to provide our patients with a safe environment. Privacy and confidentiality are therefore very much part of the job for our staff members. While we have high regard for matters of privacy, because health data needs to be handled with care, our policy should not impede healthcare because people's health and lives are on the line.

[2:08] This is why we need to think carefully about which measures to take to protect personal data and mitigate the privacy risks involved for our patients, while not impeding the work of our doctors and nurses.

Meet the Data Protection Officer

Hospitals process large amounts of sensitive health data. This is why the GDPR provides that a Data Protection Officer (DPO) needs to be appointed. The DPO is involved whenever an issue relating to the protection of personal data arises within the hospital organisation.

A DPO has a number of main tasks based on Article 37 GDPR:

  1. To supervise all issues relating to the processing of personal data and monitor compliance with the principles of the GDPR and other policies and regulations of data protection;

  2. To inform and provide advice to all staff members on how best to handle issues relating to privacy;

  3. To provide advice when data protection impact assessments need to be carried out;

  4. To cooperate with and act as a contact person for the supervisory authority;

  5. To raise awareness and train staff members in data protection aspects of processing operations.

The job of a DPO is not to limit processing, but to enable it while remaining compliant with the GDPR. He or she helps to identify risks and find the appropriate safeguards.

This job needs to be done with care, because the right balance needs to be struck between privacy protection and providing good healthcare. When lives are on the line, policies should not impede healthcare. This is why measures need to be well thought through, so that they protect personal data and mitigate the privacy risks involved without impeding the work of doctors and nurses.

We would like to hear from you. Do you know whether you have a DPO in your place of work? Or have you had any training on data protection yourself? Please feel free to share your experiences with other learners. We do of course ask you to do this in a respectful manner and please do not share any information that might be contentious. This is after all a course on data protection!

This video is from the free online course:

Protecting Health Data in the Modern Age: Getting to Grips with the GDPR

University of Groningen