Obligations for organisations and medical professionals

This video discusses the obligations for organisations (including measures to be taken) as well as obligations for medical professionals.
3.2
TRIX MULDER: In order to protect personal data or in this case sensitive health data, organisations have several general legal obligations based on the GDPR. Your GP’s office, the hospital, and other health care institutions have to comply with these rules. The GDPR determines that data controllers, such as hospitals, need to implement appropriate technical and organisational measures to ensure the right level of protection. Pseudonymisation and encryption are examples of technical measures mentioned by the GDPR. Organisational measures may include, for example, a hospital’s policy on access control. The GDPR, furthermore, determines that organisations have to implement measures to ensure data protection by design and by default. Data protection by design means built-in technical safeguards.
51
For example, when a health care institution wants to develop a new system, they have to take the rights of the patients into account from the design stage of the system. Data protection by default means that only personal data which are necessary for the specific processing purpose are processed. For example, a receptionist working in a hospital should not be able to access a patient’s file, because this is not necessary for performing the assigned task of the receptionist. Furthermore, health care institutions need to be able to show compliance with these general obligations, meaning that the national supervisory authority may investigate if a hospital has taken sufficient technical and organisational measures and that there may be consequences for noncompliance.
94.4
These general legal obligations apply to health care institutions as a whole. However, medical personnel also have obligations derived from their role. You already saw Anna’s neighbour telling you about her obligations, both from the oath she took and from her contractual obligations.
110.4
CHANTAL: We don’t share anything. We are bound by an oath. We have the same confidentiality as the doctors. And I wouldn’t even think about sharing her personal information she shares with us.
123.4
TRIX MULDER: The same goes for doctors who have taken the Hippocratic oath. This oath means that doctors cannot reveal any information about their patients due to doctor/patient confidentiality, which is nowadays often not only an oath but also a legal obligation. We asked Anna’s doctor what doctor/patient confidentiality is and how it works.
144.8
DOCTOR: Well, in fact, it means that everything a patient tells me is a secret. So I can’t talk about it. And there are only exceptions to the rules when there is danger for this person or when there is a huge danger for society. But luckily, I never get into this situation.
163.5
TRIX MULDER: And how does doctor/patient confidentiality work with electronic health data? Is there a difference between electronic and hard copy patient files?
171.2
DOCTOR: No, I don’t think there’s a difference. But the risks are different. Because if you have a paper and you forget it somewhere because you get in an emergency situation for example and you run off, it’s still there. But the same applies to my computer. Because if I run off and it’s still open, then someone can see it. I think the only problem is when people are looking for it to get into the data. Then if they really want to, I think there’s opportunities in any way. And the exact way how it’s protected, I’m not really sure. You should ask our security officer. Because they know exactly how best to protect these data.
211.4
TRIX MULDER: We will ask the information security officer of Anna’s hospital how health data is protected from a technical perspective in Week 2. But for now, let’s continue with the obligations for sensitive data.
In order to protect personal data, or in this case, sensitive health data, organisations have several general legal obligations based on the GDPR. The GDPR determines that data controllers, such as hospitals, need to implement appropriate technical and organisational measures (such as pseudonymisation, encryption and policies on access control) to ensure the right level of protection.
The GDPR furthermore determines that organisations have to implement measures to ensure data protection by design (built in technical safeguards) and by default (only personal data which are necessary for that specific processing purpose can be processed).
These healthcare institutions need to be able to demonstrate compliance with these general obligations, meaning that a national supervisory authority may investigate if a hospital has taken sufficient technical and organisational measures and that there may be consequences for non-compliance.
These general legal obligations apply to healthcare institutions as a whole. However, medical personnel also have obligations derived from their role. Doctor/patient confidentiality means that doctors cannot reveal information about their patients.
This article is from the free online course Protecting Health Data in the Modern Age: Getting to Grips with the GDPR, created by FutureLearn.