The General Data Protection Regulation (GDPR) is based on the empowerment of actors and the role given to the consent of individuals. One of the objectives of the GDPR is to strengthen the rights of individuals and to make actors accountable. The health sector, where controllers and processors collect health data (which is sensitive data), is very much concerned by this European regulation. Companies and Data Subjects must understand these rights in order to be able to correctly address or access them.
Health Data Collection
In the Life Sciences sector, we can find the best examples of how data tracking and analysis change the world for the better. The use of Big Data in medicine is motivated by the necessity to solve both local organizational issues, such as reducing workloads and increasing profits of a medical agency, and the global problems of humanity, such as forecasting epidemics and combating existing diseases more efficiently.
Health Data Collection allows health systems to personalize treatments, advance treatment methods, facilitate collaboration between doctors and patients and enhance health outcomes. There are so many perspectives and opportunities that we know we must all continue to work together for this improvement. It is also important to understand the risks linked to this evolution, and to be able to put in place everything necessary to keep these data safe and avoid dramatic data breaches.
Patient data collected by Life Sciences companies must be adequate, relevant and limited to what is strictly necessary for the purpose (prevention, diagnosis and care). For example, the collection of information about a patient’s family life is in principle not appropriate.
There is a variety of healthcare data collection methods, from questionnaires and observations to examining documents. Today, the information is mostly gathered with the help of digital channels and numerous applications available in the market.
Needless to say, health data must be protected with extra care! A breach of sensitive data could have a terrible impact on the Data Subject.
Enforcement of Data Subjects' rights
Life Sciences companies must understand their role and comply with security rules to protect patient data against unauthorised or unlawful access and against accidental loss, destruction or damage. They must put in place appropriate technical and organisational measures to preserve the confidentiality and integrity of the data (e.g. use of the health professional card, personal password, use of a strong encryption system when using the internet, pseudonymization, etc.).
If they use a service provider who processes data on their behalf (e.g. data hosting by an approved or certified health data host, etc.), this service provider must, as a subcontractor, guarantee a level of security appropriate to the risks. It is very important to choose carefully the companies with whom we work and collaborate: data protection must be a daily common objective.
The GDPR and other Data Protection laws around the world increasingly grant individuals the right to access, correct, restrict or delete their personal data. For example, Article 15 of the EU GDPR and Sections 999.312 and 313 of the California Consumer Privacy Act (CCPA), in particular, have prompted companies to develop more effective means of managing data rights and fulfilling data subject access requests, while prioritizing data transparency to subjects.
In order to make sure that the company, as a whole, understands and respects all the Data Protection & Privacy rules put in place, it is important to train everyone. Appropriate and dedicated training could avoid many human mistakes. This is why MyData-TRUST, thanks to its GDPR e-learning platform, created a new course “GDPR for clinical research professionals”. This course has been specifically designed by experienced Data Protection Officers and Clinical Research Professionals for people managing personal health data who would like to understand their role in this European Regulation and its implementation.