Healthcare Solutions

PrivacyAid

The General Data Protection Regulation (GDPR) recognises data concerning health as a special category of data and provides a definition for health data for data protection purposes.

There are specific safeguards for personal health data processes that foster innovation and better-quality healthcare. Such as clinical trials & mobile health which need robust data protection safeguards in order to maintain the trust and confidence of individuals in the rules designed to protect their data.

The Data Security and Protection (DSP) Toolkit

From April 2018, the Data Security and Protection Toolkit replaced the Information Governance (IG) Toolkit as the standard for cyber, data security and data protection for healthcare organisations.

PrivacyAid’s consultants are fully conversant with the demands of the DSP Tookit and have referenceable clients that have attained the Standards Exceeded level.

What you should know about protecting health data in the workplace

Health data refers to personal information (also called personal data) that relates to the health status of a person. This includes both medical data (doctor referrals and prescriptions, medical examination reports, laboratory tests, radiographs, etc.), but also administrative and financial information about health (the scheduling of medical appointments, invoices for healthcare services and medical certificates for sick leave management, etc.). Health data is considered sensitive data and is subject to particularly strict rules and can only be processed by health professionals who are bound by the obligation of medical secrecy. Furthermore, the organisation shall take the necessary security measures to ensure that the health data is protected and not subject to any unauthorised disclosure.

At UK/EU-level institutions and bodies collect and process health data of staff and sometimes members of their family for several purposes, such as pre-recruitment medical examination, annual medical visits, sick leave management, request to work part time to care for a seriously ill or disabled family member, etc.

What are the main data protection issues?

Data Quality

It is important not to process more personal data than necessary. How? By only collecting relevant – and not more information than necessary – in the first place. In addition, health data (such as medical certificates and other medical data) should be handled only by the medical service of the organisation- not by the HR department. The latter should only receive the administrative data necessary to process the sick leave (for example the number of days of sick leave). Learn more…

Right of information

Staff members must be informed about their rights and for what purposes their health-related information is processed. Such information must be specifically communicated to staff members when a new procedure is introduced and made permanently available for example via the intranet of the organisation. This ensures that staff members always have access to the information. Learn more…

Right of access

Staff members have the right to access their medical files and other health-related information to be able to verify whether it is accurate and to rectify any inaccurate or incomplete information. They must also be informed on how they may exercise their rights. Learn more…

Retention period

Organisations must make sure that information relating to health is not kept on their files for longer than necessary. Clear retention periods must be established. These can vary in accordance with the reason for processing the health data. Learn more…

Data security

Given the sensitivity of health data, it should only be processed by health professionals who are bound by the obligation of medical secrecy and all HR staff dealing with administrative or financial procedures in this respect should sign a specific confidentiality declaration and they should be reminded of their confidentiality obligations regularly. Furthermore, organisations should carry out a risk assessment and develop, where necessary, specific security measures on access control and management of all the information processed in the context of health data. Learn more…

More information

The following non-exhaustive list is a selection of documents for further reading:

EDPS Guidelines:

EDPS Guidelines on the processing of health data in the workplace by EU institutions and bodies

EDPS Guidelines on the Rights of Individuals with regard to the Processing of Personal Data

EDPS prior-check Opinion:

Joint Prior Check Opinion on the processing of health data in the workplace (case 2010-0071).

EDPS Opinion on the processing of health data in the context of disability establishment and reasonable accommodation at the European Parliament (case 2015-0366)

EDPS Opinion on the EU Platform for rare diseases registration at the Joint Research Centre Ispra (case 2015-0982)

EDPS Opinion on the processing of health data at the European Securities and Markets Authority (ESMA) (case 2013-0927)

EDPS Opinions on the recruitment procedure for contract staff and trainees with a disability at the European Parliament (cases 2013-0607 and 2013-0608)

Get in touch...

Business Name

Name

Contact Number

Message

By ticking this box you are opting in to communications from PrivacyAid regarding your enquiry. We are committed to keeping your data safe, more information on how we protect your data can be found in our privacy policy below.

View our privacy policy here

DSP Toolkit

HIPAA

Privacy Policy

Cookie Policy