The General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) comes into force on 25 May ‘18.  It is a Europe wide law.  It replaces the Data protection Act 1998.  In the last 20 years the volume and ease of access to information about us has increased exponentially.  This has become an intrusive fact of life.  The GDPR is being introduced to give a new protection against the new modalities of identifying facts about individuals.  It applies to all human interactions and most importantly it applies to medical practice.

GDPR is based on a number of principles.  There needs to be transparency for data subjects.  The organization must have a legitimate purpose for processing the data in its possession.  The data must be limited and relevant to a specific purpose.  The data collection must be accurate and fit for purpose.  The data storage must not be replicated.  The information must be erased when no longer required.  There must be good governance of the data set.

Perhaps the biggest change the GDPR will make is in relation to consent.  It aims to give control to citizens over their personal data.  It brings a new set of digital rights for those living in the EU.  It gives a new recognition to the economic value of personal data in the digital age.  The Economist magazine has stated that ‘the world’s most valuable resource is no longer oil, but data’.  The giants that deal in data are now the most profitable companies in the world.

Personal data is any information relating to an individual whether it relates to his or her private, professional, or public life. Commentators state that it is a ‘fine tuning’ rather a big step change.  In Ireland the Data Protection Commissioner is responsible for supervising data protection in Ireland.

The new regulation strengthens the rights of individuals to access their personal data.  It strengthens data security and accountability.  Compliance will have to be actively demonstrated by those who hold other persons’ data.  When individuals pass on personal details in order to access services they must be able to trust the people that they share it with.  Those collecting data must inform subjects how they will use and protect their data.  Only data that is needed to provide the service should be requested.  No additional, unnecessary can be collected.  The information must not be used or shared with others for an unrelated purpose.  It must be kept safe from hacking or theft.  It must be maintained in an accurate, up-to-date format.

There are 2 types of data, personal data and special category personal data.  Personal data can identify a living person and it includes a subject’s name, phone number, bank details, and medical history. The special category personal data is about sensitive information.  It relates to the patient’s physical, mental or sexual health.  Other sensitive data include religion, membership of a trade union, or past legal history.  The processing of special category data will be prohibited unless the data subject has given his/her explicit consent.

GDPR compels one to make an inventory of all personal data that one holds on other subjects.  The purpose for keeping the information must be assessed.  One must have the patient’s consent for holding the data.  In the case of minors one needs the consent of their guardians.  There must be in a plan in place on how to deal with a data breach.  In the case of a public authority holding large amounts of data, the facility must have a Data protection Officer.

The introduction of GDPR brings new terminology that will be unfamiliar to many doctors.  Identifiers are pieces of information which are closely connected with a particular individual which could be used to single him out.  The terms anonymisation and pseudonymisation have become central stage.  In the world of security there is a clear distinction between the 2 terms.  This reflected in the way that the GDPR classifies them in relation to regulation.

Anonymisation is where data is irreversibly and effectively anonymised.  The process destroys any way of recognizing the subject information.  The data is no longer personal and the data protection principles do not have to be complied with in respect of such data.

Pseudonymised data, on the other hand, remains personal data.  The pseudonym replaces the identifying characteristics but it only provides limited protection.  It is still possible that the individual could be identified using indirect means.  Pseudonymised data can be restored to its original state with the addition of information that could allow individuals to be re-identified.

Encryption is a process that renders the original data unintelligible, and the process cannot be reversed without access to a specific decryption key. The medical profession is familiar with importance of patient confidentiality.  It forms part of the Hippocratic oath.  On a daily basis, patients tell us private and personal facts about themselves.  These doctor-patient interactions frequently take place at a vulnerable time in the patients’ lives.  This patient confidentiality can be threatened by the multiple new forms of communication including fax, text, email.  There needs to be a heightened vigilance about medical data protection.

All doctors will need to be careful about the disclosure of any confidential health care data to any organisations such as insurance companies or legal firms.  There must a clear legal basis for any disclosure of a patient’s file.  In the absence of a clear legal basis for the request, the information should not be passed on.  The new default position is to say no unless the patient is fully aware and has given specific consent.

Sponsors of clinical trials need to be able to publish their trials while still complying with GDPR.  It will be necessary to look at the processes in which they obtain patient consent and data impact assessment.  There needs to be clarity around the 3 levels of patients data.  Firstly, direct identifiers such as biometrics information.  Secondly, indirect identifiers such as date of birth.  Thirdly, the risk of data links by the combination of more than one data point.

Patient confidentiality and medical data protection is set to become more complex.  The bar has been set higher for all doctors in clinical practice.  The security of the collected data is important and data holders must ensure that confidential information is safe.  On the other hand, the ethical aspects of confidentiality, privacy, and consent are not changed by the legislation.

JFA Murphy