Let's face it, data protection breaches in healthcare are nothing new.
And healthcare continues to be the worst sector. The ICO's 2021/22 statistics show it represents 20.23% of all personal data breaches, although this is partly due to mandatory reporting.
Recent health data protection news
The disappearance of Nicola Bulley led to a widespread investigation. Over three weeks since she went missing, her body was found in the River Wyre.
However, the police investigating this case have been criticised for releasing private medical information about Ms Bulley. The officer leading the investigation revealed that Ms Bulley had "some significant issues with alcohol" and "ongoing struggles with menopause".
Following the release of this private information, many reacted on social media, from MPs to legal experts and privacy campaigners. Lancashire police commented that Ms Bulley was categorised as "high-risk" as soon as she went missing due to some vulnerabilities, and they wanted to expand on that.
The release of sensitive information is not easily justified as it is very unusual to make such information public - the police face a backlash after their decision.
"People are asking rightly how does the reproductive status of a woman who has gone missing relate to the bid to find her and would that same information be put in the public domain if she were a man."
How to strengthen health data GDPR controls
1. Raise awareness of what is covered
Make sure everyone is clear about what constitutes sensitive personal data (or special categories of personal data under GDPR).
The definition is broad under GDPR and includes past, present and future physical or mental health, information from testing or examination of a body part or bodily substance, genetic and biological samples, information on diseases or risk, disability, medical history, clinical treatment, and so on.
2. Remind everyone of the need for privacy
Personal information cannot be shared or accessed by anyone for any reason.
3. Conduct a Data Protection or Privacy Impact Assessment
As we are all obliged to do whenever there are high risks to the rights or freedoms of data subjects. Remember, individual consent may not be enough and you may also need processing to be sanctioned by the data protection authority where risks are high.
4. Only share information on a 'need to know' basis
If access is required to enable them to do their job. If additional access is required to information, this should be re-evaluated to establish the business case.
5. Take extra care when sharing health data with third parties
Make appropriate disclosures and get explicit consent in advance, so data subjects understand who else will see their information and for what purpose. Decide how this information will be communicated.
6. Ensure special categories of data are always adequately protected
Use extra security measures (such as encryption) when sending information electronically.
7. Use the right tools for the job
You can't expect employees to stay compliant without providing the right tools to do so. So ensure that your IT controls are up to scratch, not just at a network level but on individual devices. And hold data in an appropriate way such as a secure database. And remember that does not mean Excel or worse, Word...
Want to learn more about GDPR?
We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk-aids, eBooks, games, posters, training presentations and even e-learning modules!
Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, get priority access to our free online learning portal and other exclusive benefits.