The General Data Protection Regulation (GDPR) is a European Union (EU) data protection law that provides a set of rules on how personal data should be gathered and handled. Any business that collects, keeps and analyses data sourced from EU citizens should follow the GDPR guidelines.
The main aim of the GDPR is to make sure that patients own their data at all times and that the data are used only for purposes for which they have given direct, informed consent. Furthermore, the GDPR protects the following rights:
- Right to erasure: a person has the right to request erasure of their own personal data, for instance where the data are no longer necessary for the purposes for which they were collected, or where consent has been withdrawn.
- Right to data portability: a person has the right to receive their personal data from an organisation in a commonly used format so that they can easily share it with another organisation.
- Right not to be profiled: unless it is necessary by law or under a contract, decisions affecting a person cannot be made solely on the basis of automated processing.
Employers, the public sector and some organisations whose core activities relate to regular and systematic monitoring of personal and sensitive data on a large scale will have to comply with the GDPR obligations and rights.
How does this relate to clinical practice?
All patient information should be collected and used appropriately and according to the requirements of the GDPR to protect personal and sensitive data. This may require organisational and technical security measures to protect patient data in clinical records against unauthorised disclosure or processing.
The same applies to digital services, such as telehealth services. Third parties may be used to process or store patient data, for example in assessment and exercise programme software or electronic medical records. These third parties should process and store the data in their systems according to GDPR requirements.
The History of the General Data Protection Regulation
The EU adopted the GDPR in 2016 as a replacement for the 1995 Data Protection Directive. The EU’s data protection laws have long been recognised as the gold standard across the world. However, a lot has changed over the last 25 years: technology has advanced immensely and has brought transformations in modern societies that nobody could have imagined. The new GDPR came into force on 25th May 2018; from 2016, member states had two years to ensure its full implementation. The GDPR is now recognised as law across the EU.
Key highlights in the history of the GDPR include the following:
- 24th October 1995: The European Data Protection Directive (Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data) is adopted.
- 22nd June 2011: The European Data Protection Supervisor publishes an Opinion on the European Commission’s Communication.
- 25th January 2012: The European Commission proposes a comprehensive reform of the EU’s 1995 data protection rules to strengthen online privacy rights and boost Europe’s digital economy.
- 7th March 2012: The European Data Protection Supervisor adopts an Opinion on the Commission’s data protection reform package.
- 23rd March 2012: The Article 29 Working Party adopts an Opinion on the data protection reform proposal.
- 5th October 2012: The Article 29 Working Party provides further input on the data protection reform discussions.
- 12th March 2014: The European Parliament demonstrates strong support for the GDPR by voting in plenary with 621 votes in favour, 10 against and 22 abstentions.
- 15th June 2015: The Council reaches a general approach on the GDPR.
- 27th July 2015: The European Data Protection Supervisor publishes his recommendations to the European co-legislators negotiating the final text of the GDPR in the form of drafting suggestions. He also launches a mobile app comparing the Commission’s proposal with the latest texts from the Parliament and the Council.
- 15th December 2015: The European Parliament, the Council and the Commission reach an agreement on the GDPR.
- 2nd February 2016: The Article 29 Working Party issues an action plan for the implementation of the GDPR.
- 27th April 2016: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), is adopted.
- 24th May 2016: The Regulation enters into force, 20 days after publication in the Official Journal of the EU.
- 10th January 2017: The European Commission proposes two new regulations, on privacy and electronic communications (ePrivacy) and on the data protection rules applicable to EU institutions (currently Regulation 45/2001), that align the existing rules with the GDPR.
- 6th May 2018: Member States must have transposed the Data Protection Directive for the police and justice sectors into national legislation. It applies from this day.
- 22nd May 2018: Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC [First reading]: preparation for the trilogue.
- 25th May 2018: Corrigendum to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Corrigendum to Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.
- 25th May 2018: The General Data Protection Regulation applies from this day.
GDPR – Rights and Obligations
The Data Controller and Data Processor
The Data Controller is the natural or legal person or organisation that owns the data and sets the rules on how it is to be collected and processed. The controller is responsible for keeping a record of all processing activities and for designating one or more data processors that can, in the name of the data controller, collect and process the data.
The Data Protection Officer (DPO)
The DPO ensures that the organisation processes personal data in compliance with GDPR rules by advising the controller and processors on how to comply with the GDPR. The DPO is designated on the basis of professional qualities and knowledge of data protection law and practices. In some cases the data controller is required to appoint a data protection officer. This applies if:
- a public authority is responsible for the processing of data;
- the core activities of the controller or the processor require “by virtue of their nature, their scope and/or their purposes, regular and systematic monitoring of data subjects on a large scale” (Art. 37(1)(b)); or
- the core activities of the controller or the processor consist of processing, on a large scale, special categories of data or personal data relating to criminal convictions;
- national legislation may specify further cases in which there is an obligation to appoint a DPO.
The GDPR follows seven guiding principles (Art. 5):
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
Data Ethics and GDPR – Chartered Society of Physiotherapy, UK