GDPR and patient-centred health care

The General Data Protection Regulation (GDPR) has a significant impact on healthcare organisations: in developed countries, where healthcare organisations collect a wide range of patient information to provide better health-related outcomes, this increased attention to personal data protection has an even greater impact.

Specific challenges for health care

GDPR presents challenges to all industries, but health care is particularly emphasised here, since all data on diseases, diagnoses etc. belong to a special category of sensitive data, which should be handled with great care. These data are divided into several types:

1. Data concerning health – personal data related to the physical or mental health of a natural person, including the provision of healthcare services, which reveal information about his or her health status.
2. Genetic data – personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person.
3. Biometric data – personal data resulting from specific technical processing relating to the physical and physiological characteristics of a natural person, which allow the unique identification of that natural person, such as facial images, fingerprints etc.

Healthcare organisations that typically manage healthcare data therefore have an additional burden of maintaining data concerning health, genetic data and biometric data at a higher standard of personal data protection.

GDPR prohibits the processing of these data unless one of the following conditions is met:

• The data subject has given explicit consent to the processing of such data.
• Processing is necessary for the purpose of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care etc.
• Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices.

Processing of personal data

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Processing of personal data must be lawful, fair and transparent, while the purpose for which personal data are processed should be explicitly stated, justified and specified at the time of data collection. During processing, it is very important to reduce the amount of data collection and limit the period for which the personal data are stored to a strict minimum (in order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for storage and erasure).

Consent to the processing of personal data must be demonstrable, unambiguous, exclusive, voluntary and must include the possibility of withdrawal at any time.

Each person must be informed of the purpose for which the personal data are provided and whether the provision of such data is really necessary, and must also be aware of the dangers that may arise should the data be used for the wrong purpose.

Identity theft

Identity theft is an act by which someone collects, processes or uses someone else’s (natural person’s) personal data contrary to the conditions set out by the law. In addition to being a violation of privacy, identity theft is also a criminal offense punishable by imprisonment not exceeding one year (for the basic form of that offense) – refer to Art. 146 of the Criminal Code (Official Gazette 144/12).

How to protect oneself:

• Be attentive about who you give personal data to and why.
• Think about where you provide personal data.
• Protect personal data from unauthorised access with strong passwords.
• Leave only the required personal data because you have the right to know why you are being asked to provide a specific set of personal data.

In its operations and business management, Marti Farm Ltd is well-acquainted with the issues and importance of personal data protection. In addition, through our patient support programs, we provide all the necessary support and patient-centred approaches while ensuring the optimal utilisation of healthcare services and the protection of sensitive personal data. The fundamental importance of patient support programs stems from non-adherence to therapy, which is a very common and widespread phenomenon that can be a major obstacle to achieving product efficacy, and is also a significant obstacle to the safe, effective and rational use of medicines.

If you recognise the importance of adherence to therapy and are looking for a competent partner to implement a patient support program, connect with us.