7 Ways to Protect Health Data under GDPR

Health data security is a topic that frequently makes headlines due to the rising threat of cyberattacks targeting healthcare systems.

Let's face it: data protection breaches in healthcare are nothing new.

And healthcare continues to be the worst sector. The ICO's 2022/23 statistics show that this sector represents the majority of all personal data breaches (21.40%), although this is partly due to mandatory reporting.

How to Strengthen Health Data GDPR controls

1. Raise awareness of what is covered

Make sure everyone is clear about what constitutes sensitive personal data (or special categories of personal data under GDPR).

The definition is broad under GDPR and includes past, present and future physical or mental health; information from testing or examination of a body part or bodily substance; genetic and biological samples; information on diseases or risk, disability, medical history, clinical treatment, and so on.

2. Remind everyone of the need for privacy

Personal information cannot be shared or accessed by anyone for any reason. This is not negotiable, and it is an essential part of protecting individuals' sensitive information.

3. Conduct a Data Protection or Privacy Impact Assessment

As we are all obliged to do whenever there are high risks to the rights or freedoms of data subjects. Remember, individual consent may not be enough, and you may also need processing to be sanctioned by the data protection authority where risks are high.

4. Only share information on a 'need to know' basis

If access is required to enable them to do their job. If additional access is required to information, this should be re-evaluated to establish the business case.

5. Take extra care when sharing health data with third parties

Make appropriate disclosures and get explicit consent in advance so data subjects understand who else will see their information and for what purpose. Decide how this information will be communicated.

6. Ensure special categories of data are adequately protected

Always use extra security measures (such as encryption) when sending information electronically. Sensitive data needs to be given additional consideration and protection.

7. Use the right tools for the job

You can't expect employees to stay compliant without providing the right tools.

So ensure that your IT controls are up to scratch, not just at a network level but on individual devices. And hold data in an appropriate way, such as a secure database. Remember that does not mean Excel or, worse, Word.

Health data protection news

The disappearance of Nicola Bulley last year led to a widespread investigation. Her body was found in the River Wyre about three weeks after she went missing.

However, the police who investigated this case were criticised for releasing private medical information about Ms Bulley. The officer leading the investigation revealed that Ms Bulley had "some significant issues with alcohol" and "ongoing struggles with menopause".

Following the release of this private information, many reacted on social media, from MPs to legal experts and privacy campaigners. Lancashire police commented that Ms Bulley was categorised as "high-risk" as soon as she went missing due to some vulnerabilities, and they wanted to expand on that.

The release of sensitive information is not easily justified as it is very unusual to make such information public - the police faced a backlash after their decision.

"People are asking rightly how does the reproductive status of a woman who has gone missing relate to the bid to find her and would that same information be put in the public domain if she were a man."

Want to learn more about GDPR?

We've created a comprehensive GDPR roadmap to help you navigate the compliance landscape, supported by a comprehensive library of GDPR Courses.

We also have additional free resources such as e-learning modules, microlearning modules, and more.