Presentation
“Ultra-connected,” “personalized,” and “secure” health data: these are the expectations of professionals and patients when describing new medical practices and compliance with the General Data Protection Regulation (GDPR).
Currently being debated in the National Assembly, the bioethics bill includes Article 11, which enshrines the “fundamental principle of a human guarantee of digital health.” Alongside these new technologies, the sharing and use of health data is a major challenge.
The use and processing of the clinical data generated are proving equally crucial for the future of medical research, as they can significantly reduce research time.
As a reminder, health data is personal data relating to the past, present or future physical or mental health of a natural person that reveals information about that person’s state of health.
Personal data: Special framework for health data by the CNIL
The CNIL (French Data Protection Authority) recently published a set of documents and guides for professionals and the public regarding the specific application of the GDPR to the healthcare sector.
In fact, all healthcare facilities and independent professionals are affected by the new European regulation – the GDPR. As data controllers or processors within their organizations, they are subject to numerous obligations and duties to guarantee the protection and security of the data they process.
This includes, on the one hand, health data generated during the facility’s activities and the care of individuals, and on the other hand, all personal data – human resources data – to which the GDPR also applies.
This may include the patient’s name, surname, address, or telephone number, information about their personal life (e.g., number of children), their social security coverage (e.g., mandatory health insurance, supplemental health insurance, etc.), and especially information relating to their health (illness, diagnosis, prescriptions, treatment, etc.), as well as any professionals involved in their care.
You also hold, as part of your practice, the patients’ social security number (National Identification Number – NIR) for billing purposes.
The GDPR reiterates the various obligations to be met in this regard, including maintaining internal documentation, appointing a Data Protection Officer (DPO), implementing a data processing register supplemented by impact assessments relevant to the institution’s activities, structuring patient information channels, and ensuring procedures for securing and storing personal data.
Find all their recommendations by following the link.

Health data: 24 million medical records accessible according to a German study
An audit report by the German company Greenbone, published in September 2019, reveals alarming findings regarding personal data, particularly health data. According to the report, medical data is freely and easily accessible because the systems storing it are negligently configured: many have no protection at all, such as passwords or encryption.
Names, dates of birth, dates and details of examinations, treating physicians, clinics, and medical analyses are all easily accessible and, in some cases, downloadable. The affected servers span 52 countries worldwide; in France alone, more than 47,000 patients are reportedly affected.
Find the full report attached.
“The Data Clinic” at Nantes University Hospital: Information and Data Security
Born from a partnership with WeData, a Nantes-based company specializing in personal data security, the Nantes University Hospital (CHU de Nantes) created a new department within its institution in 2014 called the “Data Clinic.”
A veritable repository of medical data, the public hospital has stored the medical records and documents of more than two million patients there for use in some fifty research projects launched to date. “Using this data for research purposes is a major lever for improving patient care,” emphasizes Pierre-Antoine Gourraud, head of the department.
This dedicated service has prioritized data security and confidentiality, notably through close collaboration with the CNIL (French Data Protection Authority).
GDPR: Health data and advertising on health websites
On September 3rd, the NGO Privacy International published a study demonstrating the massive use of cookies by the vast majority of health websites, primarily for advertising purposes.
In France, the websites Doctissimo and PassportSanté do not appear, according to the NGO, to guarantee optimal user information and cookie settings during website visits: the settings menu is difficult to access and understand, information banners disappear without confirmation, and cookies are saved without any user consent or action.
The NGO is referring the matter to the supervisory authorities – the CNIL in particular – to assess the compliance of the practices of the companies in question. “The way in which user data on these sites is handled is opaque and can only be identified through in-depth technical analysis,” laments Privacy International.
Find the report below.