Skip main navigation

Data security

Watch Trix Mulder and an information security officer explain more about data security.
3.2
TRIX MULDER: While following Anna on her medical journey, we saw that questions of confidentiality were raised when she saw her neighbour in the hospital. Anna’s doctor explained how doctor-patient confidentiality works in practice. She explained that are always risks involved when working with personal data if it’s an electronic or hard copy patient file. This is why the GDPR provides for professions relating to security of personal data. To ensure an adequate level of protection, an organisation, such as hospital, has to take appropriate technical and organisational measures. This includes pseudonymisation and encryption of data. But there’s more. Let’s hear from the information security officer at Anna’s Hospital
43.1
BERT MOORLAG: My name is Bert Moorlag. And I’m the corporate information security officer at the University Medical Centre in Groningen. University Medical Centre is a hospital and a Centre for medical research and education and is one of the largest organisations in north of the Netherlands, with more than 10,000 employees. As a corporate information security officer, I advise and help the organisation with information security and for my security cover three aspects– confidentiality. Are you allowed to see the data? Integrity. Is the data correct and complete? And Availability. Can your access to data at time and place you need it?
81.9
TRIX MULDER: These three aspects are also mentioned by the GDPR, which determines that an organisation like a hospital must ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and surfaces. Each organisation has their own policy in this regard.
100.5
BERT MOORLAG: Information security helps to assure that the quality of the data is in accordance with the need of the organisation. In the hospital, the quality of data is very important for patient safety. In the Netherlands, there is an information security standard for health care. Based on the international standard for information security, ISO-27000 Risk cannot always be avoided, but you need policy on how to handle them.
125.6
TRIX MULDER: These policies need to be organisation-specific, meaning that it needs to address the risks of processing of that particular organisation. This might be different for hospitals, pharmacies, and your GP’s office. But even varies between hospitals depending on external and internal factors. For example, in Anna’s hospital, account needs to be taken of the possibility of earthquakes, which could affect the availability of the data. A hospital in Amsterdam does not need to take this risk into account. One of the ways to tackle risks is to anonymise data. As we heard from the research nurse, research data is anonymised when it is shared between institutions.
164.7
However, patient data cannot be anonymised, because a doctor needs to know that a particular test result belongs to that particular patient.
172
BERT MOORLAG: Patient data is used for health care. This is why it cannot be anonymised. The data identify patients and health care professionals who need to identify patients to provide the right treatment to the right patient. Only staff who needs to use data have access to patient files. As a security officer, I don’t need the data. And therefore, I don’t have access to patient data.
195.3
TRIX MULDER: If it does happen that a patient file is accessed by someone who is not authorised, the GDPR determines that there is a data breach. This data breach needs to be notified to the national supervisory authority. And in some cases communicated to the patient. Another way to prevent a data breach is to not keep the data longer than necessary. When health data is no longer necessary for the treatment of the patient, the GDPR determines that the patient has the right to request erasure of that data.
222.5
BERT MOORLAG: By law, patient data is generally kept for 15 years. Some data has to be kept for a longer period of time. The data stored on the information system of the hospital treated the same as patient data as saved in a readable digital format.
239.9
TRIX MULDER: We will discuss data retention later this week. But first, we would like you to think about the question in the next step.
There are always risks involved when working with personal data, if it’s an electronic or hardcopy patient file. This is why the GDPR provides for provisions relating to security of personal data. Information security covers three aspects:
  1. Confidentially;
  2. Integrity;
  3. Availability.
To ensure an adequate level of protection, the GDPR provides that appropriate technical and organisational measures need to be taken. This may include anonymisation, pseudonymisation or encryption of data, but also organisation specific policies which address the risks of processing of that particular organisation. These policies are necessary considering that risks can’t always be avoided.
One of the risks involved is unauthorised access. If a patient file is accessed by someone who is not authorised, the GDPR determines that there is a data breach. This breach needs to be notified to the national supervisory authority and in some cases communicated to the patient.
Another way to prevent a data breach is not to keep data longer than necessary. When the health data is no longer necessary for the treatment of the patient, the GDPR determines that the patient has the right to request erasure of that data. It is furthermore required by law that data is kept for a maximum amount of time. We will discuss data retention later this week.
This article is from the free online

Protecting Health Data in the Modern Age: Getting to Grips with the GDPR

Created by
FutureLearn - Learning For Life

Our purpose is to transform access to education.

We offer a diverse selection of courses from leading universities and cultural institutions from around the world. These are delivered one step at a time, and are accessible on mobile, tablet and desktop, so you can fit learning around your life.

We believe learning should be an enjoyable, social experience, so our courses offer the opportunity to discuss what you’re learning with others as you go, helping you make fresh discoveries and form new ideas.
You can unlock new opportunities with unlimited access to hundreds of online short courses for a year by subscribing to our Unlimited package. Build your knowledge with top universities and organisations.

Learn more about how FutureLearn is transforming access to education