Health data security is a topic that frequently makes headlines due to the rising threat of cyberattacks targeting healthcare systems.
But let's face it: data protection breaches in healthcare are nothing new.
And healthcare continues to be the worst sector. The ICO's 2022/23 statistics show that this sector represents the majority of all personal data breaches (21.40%), although this is partly due to mandatory reporting.
Make sure everyone is clear about what constitutes sensitive personal data (or special categories of personal data under the GDPR).
The definition is broad under the General Data Protection Regulation (GDPR) and includes:
Personal information cannot be shared or accessed by anyone for any reason. This is not negotiable; it is an essential part of protecting individuals' sensitive information.
This is an obligation whenever there are high risks to the rights or freedoms of data subjects. Remember, individual consent may not be enough and you may also need the data protection authority to sanction where risks are high.
If access is required to enable them to do their job. If additional access is required to information, this should be re-evaluated to establish the business case.
Make appropriate disclosures and obtain explicit consent in advance so data subjects understand who else will see their information and for what purpose. Decide how this information will be communicated.
Always use extra security measures (such as encryption) when sending information electronically. Sensitive data should be given additional consideration and protection.
You can't expect employees to stay compliant without providing the right tools.
So, ensure your IT controls are up to scratch, not just at network level but on individual devices. And store data in an appropriate way, such as a secure database, avoiding Excel and Word.
The disappearance of Nicola Bulley in 2023 led to a widespread investigation. Her body was found in the River Wyre about three weeks after she went missing.
However, the police who investigated this case were criticised for releasing private medical information about Ms Bulley. The officer leading the investigation revealed that Ms Bulley had "some significant issues with alcohol" and "ongoing struggles with menopause".
Following the release of this private information, many reacted on social media, from MPs to legal experts and privacy campaigners. Lancashire police commented that Ms Bulley was categorised as "high-risk" as soon as she went missing due to some vulnerabilities, and they wanted to expand on that.
The release of sensitive information is not easily justified, because it is very unusual to make such information public - the police faced a backlash after their decision.
"People are asking rightly how the reproductive status of a woman who has gone missing relate to the bid to find her and would that same information be put in the public domain if she were a man."
- Zoë Billingham, chairwoman of an NHS mental health trust
Per Article 4, “an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
Because misuse could seriously impact an individual’s rights, such as privacy. Under Article 9, health data gets extra protection.
If there’s a legal basis, per Article 6, or an exemption (per Article 9), such as explicit consent, medical necessity, public health reasons or employment law obligations.
Our Essentials Library contains e-learning content designed to help organisations meet fundamental compliance requirements. If you are looking for focused training, our Data Protection and GDPR Training Package offers a complete solution for your compliance programme. Courses in the libraries include:
We've created a comprehensive GDPR compliance roadmap to help you navigate the compliance landscape. If you would like to access leading insights and compliance tips, you can browse our free resources by topic to find guides, modules, compliance bites and more.