28 Oct 2022

Digital transformation in the care sector: Ensuring your organisation is security-ready & GDPR compliant

The healthcare sector is undergoing an exciting period of digital transformation with the adoption of innovative technologies such as artificial intelligence (AI)-enabled healthcare solutions, AI in personalised medicine, wearable devices for health monitoring, blockchain electronic health records, and telemedicine.

This age of digital transformation was accelerated by the Covid-19 pandemic, which resulted in an unprecedented shift to healthcare being delivered outside the traditional clinical settings and directly into the patient’s home thanks to digital technology.

However, while the use of digital technology in the care sector enables the implementation of more efficient processes, it also brings its own challenges and risks. It must be remembered that data protection and cybersecurity are paramount to the successful implementation of digital technologies and it is imperative that care organisations review their processes to ensure regulatory compliance.


Obligations for care providers under the UK GDPR

Personal data concerning health is classed as ‘special category data’ under the UK GDPR and is afforded extra protection due to its sensitive nature and the potential risks posed to an individual’s fundamental rights and freedoms.

Organisations in the care sector process vast amounts of special category data and must be aware of their obligations to protect this data. To lawfully process special categories of personal data, the data controller must establish a legal basis for processing under Article 6 of the UK GDPR and a separate condition for processing under Article 9 of the UK GDPR.


Security

It is crucial that care organisations implement appropriate technical and organisational measures that recognise the heightened risk associated with processing individuals’ health data and ensure the level of security is in line with this risk. They should also ensure that the personal data collected is limited to what is necessary, is not further processed for purposes incompatible with the original purpose, and is not stored for longer than required.


A risk-based approach

It is important to apply a risk-based approach when considering the use of new technologies in this sector. Under Article 35 of the UK GDPR, a Data Protection Impact Assessment (DPIA) is required where a type of processing, in particular using new technologies, is likely to result in a high risk to the rights and freedoms of individuals.

A DPIA must be carried out if the processing involves (1) systematic and extensive profiling with significant effects, (2) large-scale processing of special category data or personal data relating to criminal convictions and offences, or (3) systematic monitoring of a public area on a large scale.

Reviewing your data protection and cybersecurity procedures ahead of any digitalisation process is in the best interests of your organisation. It will allow you to ensure compliance with regulatory requirements and enhance trust among your patients and the wider community.


If you would like to find out more information you can contact Xpert DPO at info@xpertdpo.com.

Xpert DPO are one of the leading providers of outsourced data protection officer services in the UK and Ireland. Xpert DPO provides data security, governance, risk and compliance, GDPR and ISO consultancy to public and private sector organisations.
