7 Ways to Protect Health Data under GDPR

Last updated: October 06, 2025

Health data security is a topic that frequently makes headlines due to the rising threat of cyberattacks targeting healthcare systems.

But let's face it: data protection breaches in healthcare are nothing new.

And healthcare continues to be the worst sector. The ICO's 2022/23 statistics show that this sector represents the majority of all personal data breaches (21.40%), although this is partly due to mandatory reporting.

Key takeaways

  • Strengthening health data GDPR controls involves seven steps. The first three: raise awareness of what is covered, remind everyone of the need for privacy, and conduct a Data Protection or Privacy Impact Assessment.
  • The last four: only share information on a 'need to know' basis, take extra care when sharing health data with third parties, ensure special categories of data are adequately protected, and use the right tools for the job.
  • A recent related case involved the disappearance of Nicola Bulley, when the officer leading the investigation revealed sensitive private information about her.

How to strengthen health data GDPR controls

1. Raise awareness of what is covered

Make sure everyone is clear about what constitutes sensitive personal data (or special categories of personal data under the GDPR).

The definition is broad under the General Data Protection Regulation (GDPR) and includes:

  • Past, present and future physical or mental health
  • Information from testing
  • Examination of a body part or bodily substance
  • Genetic and biological samples
  • Information on diseases or risk
  • Disability, medical history, clinical treatment, and so on

2. Remind everyone of the need for privacy

Personal information must not be shared with, or accessed by, just anyone for any reason. This is not negotiable; it is an essential part of protecting individuals' sensitive information.

3. Conduct a Data Protection or Privacy Impact Assessment

This is an obligation whenever there are high risks to the rights or freedoms of data subjects. Remember, individual consent may not be enough, and where risks are high you may also need the data protection authority to sanction the processing.

4. Only share information on a 'need to know' basis

Grant access only where it is required to enable staff to do their job. If additional access to information is requested, it should be re-evaluated to establish the business case.

5. Take extra care when sharing health data with third parties

Make appropriate disclosures and obtain explicit consent in advance so data subjects understand who else will see their information and for what purpose. Decide how this information will be communicated.

6. Ensure special categories of data are adequately protected

Always use extra security measures (such as encryption) when sending information electronically. Sensitive data should be given additional consideration and protection.

7. Use the right tools for the job

You can't expect employees to stay compliant without providing the right tools.

So, ensure your IT controls are up to scratch, not just at network level but on individual devices. And store data in an appropriate way, such as a secure database, avoiding Excel and Word.

Health data protection news

The disappearance of Nicola Bulley in 2023 led to a widespread investigation. Her body was found in the River Wyre about three weeks after she went missing.

However, the police who investigated this case were criticised for releasing private medical information about Ms Bulley. The officer leading the investigation revealed that Ms Bulley had "some significant issues with alcohol" and "ongoing struggles with menopause".

Following the release of this private information, many reacted on social media, from MPs to legal experts and privacy campaigners. Lancashire police commented that Ms Bulley was categorised as "high-risk" as soon as she went missing due to some vulnerabilities, and they wanted to expand on that.

The release of sensitive information is not easily justified, because it is very unusual to make such information public - the police faced a backlash after their decision.

"People are asking rightly how the reproductive status of a woman who has gone missing relates to the bid to find her, and whether that same information would be put in the public domain if she were a man."

- Zoë Billingham, chairwoman of an NHS mental health trust

Protecting health data under GDPR: FAQs

What is a data subject?

Per Article 4, “an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

Why is health data deemed special category data by the GDPR?

Because misuse could seriously impact an individual’s rights, such as privacy. Under Article 9, health data gets extra protection.

Under what circumstances is it legal to process health data?

If there’s a legal basis, per Article 6, or an exemption (per Article 9), such as explicit consent, medical necessity, public health reasons or employment law obligations.

