The GDPR includes the notion of “medical data” in its definition of personal data concerning health. How do your organisational processes respond to the imperatives of formalism and governance?
Health data is already required to meet many protection and management obligations in a broad sense. It falls into the realm of sensitive personal data. There are already laws and regulations in place that are close to the GDPR framework:
- The French ‘Loi Informatique et Libertés’ (Information and Freedoms Act) establishes mandatory declaration, authorisation and protection provisions for the handling of personal data, with the possible appointment of a Data Protection Correspondent (‘CIL’).
- The ‘RGS’ (General Security Referential) already sets out a mandatory security homologation framework, placing risk analysis at the heart of health institution (Administrative Authority) accountability. This approach is, of course, limited to data handling in the sense of teleservices for citizens and administrative authorities. Nevertheless, the homologation process (analysing risks and protective measures, accepting residual risks) is extended to any handling/application under the Information Systems Security Policy (‘PSSI’) of the Ministry for Social Affairs (‘MCAS’).
Moreover, the modalities for the use of health data correspond to a precise framework with terms of consent, especially when it comes to its use for research purposes (the MR003 Reference Methodology for Research, published by the CNIL last year, potentially meshes with this framework).
Finally, all institutions approved for hosting health data (and soon to be certified) must meet specific requirements in terms of protection and, in particular, enhanced confidentiality.
So what does the GDPR change for health establishments?
Firstly, the viewpoint and risk analysis. Under the GDPR, the viewpoint moves from that of the establishment to that of the data subject, i.e. the patient in the context of medical data.
The PIA (Privacy Impact Assessment: https://www.cnil.fr/fr/PIA-privacy-impact-assessment) is a data protection impact study. This is a central aspect of the new regulation, which considers the data subject’s interest to be a key protection issue. The PIA and its protective measures are thus designed to foster trust. This analysis of security needs right from the project stage (based on the Ebios methodology adapted to the GDPR, c.f. CNIL guides with the previous PIA link) must become a necessary step, also allowing for verification of the requirements of privacy by default and by design.
A legal compliance section then complements these provisions. This dimension is extended to the relationship with suppliers, who also have to comply with the GDPR, as well as contracts or agreements that must specify these responsibilities.
Legal measures (extract from the CNIL website: PIA guide, method):
Identify or determine the measures chosen (existing or planned) to meet the following legal requirements (including an explanation of how they will be implemented):
- Purpose: a determined, explicit and legitimate purpose;
- Minimisation: reducing data to only that which is strictly necessary;
- Quality: preserving the quality of personal data;
- Storage duration: the time necessary to fulfil the given purpose, unless there are other legal obligations requiring the data to be kept for longer;
- Information: respecting the data subjects’ right to information;
- Consent: obtaining the data subjects’ consent, or the existence of another legal basis to justify the handling of their data;
Finally, the obligation to inform (alert) the authorities and the data subjects in the event of any incidents or information leaks completes this desire to create a climate of transparency, and therefore trust.
The authorities must be rapidly alerted in the event of a data leak (within 72 hours maximum). In addition, the information to be provided to the data subjects is much more strictly controlled, and potentially individual, requiring evidence to be kept and communicated. The ability to manage a crisis in order to react quickly and limit its impacts must also be demonstrated during an incident.
How would you assess the level of development of your existing devices for the protection of personal, and therefore health, data?
The level of development will vary according to the previous measures taken by each establishment. The fact of being ISO 27001 certified and authorised to host health data is naturally a decisive element.
AP-HM already has these certifications and authorisations. The CIL and CISO have been working together for over 6 years. As a result, we already have some existing devices that can be reused.
The CNIL proposes a well-documented 6-step approach, and many guides are beginning to be circulated to assist establishments in implementing this approach (https://www.cnil.fr/fr/principes-cles/reglement-europeen-se-preparer-en-6-etapes):
- Identify a coordinator;
- Map the current IS;
- Prioritise actions;
- Manage risks;
This new regulation will lead to the appointment of a Data Protection Officer (DPO). How is this appointment being prepared internally? Will there be a single officer for all your establishments?
We have been reflecting on this with our CIL over several months to identify how the compliance actions required under the GDPR can best be implemented:
- Identifying the processes and data concerned – CIL/CISO;
- Analysing the risks (impacts on people) – CISO;
- Checking the level of protection (by default, by design);
- Verifying compliance (lawfulness/practices and laws) – CIL/Legal Officer;
- Ensuring that subcontractors are on the same page (GDPR compliance) – Procurement/Legal Officer;
- Detecting and managing (notification of) incidents (crisis management: protecting, recovering, alerting the authorities and the data subjects) – CISO/CIL…
The role of DPO actually brings together the skills of a CIL, CISO and legal officer. For this reason, we are leaning towards a DPO team with a DPO (our current CIL), a deputy DPO (our CISO, for a part of his activities) and a legal officer for specific interventions. All members of this team will be involved in a proportion of their activities (a total body of work corresponding to around 1 to 1.5 FTE).
It is also important to note that we have chosen a doctor for our CIL, which represents a valuable advantage when analysing the lawfulness of medical data.
Guaranteeing that we have all the resources to fully implement these actions is a key issue in ensuring that the GDPR will be genuinely effective. The DPO team should thus have a dedicated budget to cover:
- Training for the DPO team to cascade down organisational concerns and best practices to those involved in the IS. We can currently draw upon our existing ‘IS security awareness’ e-learning module and our ISS communications during training days for new members of staff;
- Audits to verify the level of protection (external service provision).
When it comes to employee awareness, do you organise or plan to organise training modules in Information Systems protection to meet the requirements of the GDPR?
As is the case under the French ‘Loi Informatique et Libertés’, it is essential to raise the awareness of all those involved in the IS to ensure a homogeneous and consistent level of security, making it everyone’s business.
First and foremost, the publication of the processing register (on the intranet and institutional website) allows for ongoing information to be provided on the data used. We are considering updating our Web applications designed for patients or staff members that require entering personal data.
The use of e-learning modules, with activities dedicated to the GDPR according to one’s role in the establishment, provides a response to concerns over cutting down the time doctors and carers have to spend with patients.
The charter and ‘PSSI’ will also be a way of registering the inclusion of the organisation and the rights and duties of everyone involved in the context of the GDPR.
Lastly, communication campaigns targeting the issue of confidentiality will go hand in hand with the organisational set-up and data analysis (PIA)/protection actions.
To conclude, we can appreciate that the scope of the GDPR is enormous when it comes to a health establishment, covering the majority of the IS, including the HRIS for personal data concerning staff. Thus, although the steps already taken to secure our health data hosting authorisation, ISO 9001 security certification for IS management and ISO 27001 for hosting have given us a reusable framework, there are still many projects associated with the GDPR, with several dozen eligible applications. We can also see that the subcontractor compliance obligation opens up this scope to a wide pool of bodies engaging in data publishing and maintenance, with implications for public procurement. An action plan prioritising the most critical areas of work will be necessary to ensure progressive compliance with the GDPR.
- In addition, certain questions specific to the health field remain unanswered:
- What will be the conditions for health data portability?
- How could data be anonymised or pseudonymised without negatively impacting upon patient access to care?
- What level of coherence must be ensured between the GDPR and the research arena?
- How capable will all subcontractors be of complying with the new requirements?
This interview was realized and published in CECEM Magazine n°11 – September/October 2017