7 Ways to Protect Health Data under GDPR

Posted by

Lynne Callister

on 06 Mar 2024

Health data security is a topic that frequently makes headlines due to the rising threat of cyberattacks targeting healthcare systems.

Let's face it: data protection breaches in healthcare are nothing new.

And healthcare continues to be the worst sector. The ICO's 2022/23 statistics show that this sector represents the majority of all personal data breaches (21.40%), although this is partly due to mandatory reporting.

How to Strengthen Health Data GDPR Controls

1. Raise awareness of what is covered

Make sure everyone is clear about what constitutes sensitive personal data (or special categories of personal data under GDPR).

The definition is broad under GDPR and includes past, present and future physical or mental health; information from testing or examination of a body part or bodily substance; genetic and biological samples; information on diseases or risk, disability, medical history, clinical treatment, and so on.

2. Remind everyone of the need for privacy

Personal information cannot be shared with or accessed by anyone for any reason. This is not negotiable, and it is an essential part of protecting individuals' sensitive information.

3. Conduct a Data Protection or Privacy Impact Assessment

You are obliged to carry one out whenever processing poses high risks to the rights or freedoms of data subjects. Remember that individual consent may not be enough on its own; where the risks are high, you may also need the processing to be sanctioned by the data protection authority.

4. Only share information on a 'need to know' basis

Give staff access to health data only where it is required to enable them to do their job. If additional access to information is requested, re-evaluate the request to establish the business case.

5. Take extra care when sharing health data with third parties

Make appropriate disclosures and get explicit consent in advance so data subjects understand who else will see their information and for what purpose. Decide how this information will be communicated.

6. Ensure special categories of data are adequately protected

Always use extra security measures (such as encryption) when sending information electronically. Sensitive data needs to be given additional consideration and protection.

7. Use the right tools for the job

You can't expect employees to stay compliant without providing the right tools.

So ensure that your IT controls are up to scratch, not just at a network level but on individual devices. And hold data in an appropriate way, such as a secure database. Remember that this does not mean Excel or, worse, Word.

Health data protection news

The disappearance of Nicola Bulley last year led to a widespread investigation. Her body was found in the River Wyre about three weeks after she went missing.

However, the police who investigated this case were criticised for releasing private medical information about Ms Bulley. The officer leading the investigation revealed that Ms Bulley had "some significant issues with alcohol" and "ongoing struggles with menopause".

Following the release of this private information, many reacted on social media, from MPs to legal experts and privacy campaigners. Lancashire police commented that Ms Bulley was categorised as "high-risk" as soon as she went missing due to some vulnerabilities, and they wanted to expand on that.

The release of such sensitive information is not easily justified, as it is very unusual to make it public, and the police faced a backlash after their decision.

"People are asking rightly how does the reproductive status of a woman who has gone missing relate to the bid to find her and would that same information be put in the public domain if she were a man."

- Zoë Billingham, chairwoman of an NHS mental health trust

Want to learn more about GDPR?

We've created a comprehensive GDPR roadmap to help you navigate the compliance landscape, supported by a comprehensive library of GDPR Courses.

We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, posters, training presentations and even e-learning modules!

Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, get priority access to our free online learning portal and other exclusive benefits.

GDPR Training Presentation

The fines for GDPR breaches can reach 4% of your global annual turnover or EUR 20 million, whichever is higher. So it is critical to ensure your organisation understands and adheres to GDPR.

Our free GDPR Training Presentation is fully editable, presents the key points in plain English and is packed with practical activities to accelerate learning.