GDPR and medical records
With less than two months now until the GDPR becomes enforceable, there is a lot of interest and concern over what preparations need to be made, and exactly what has changed.
As an occupational health provider, our main areas of expertise surround health care and medical fitness for work. Therefore we’re responsible for the processing of medical information – something that has a lot of focus within the GDPR.
As a provider leading the way with technological advances in the occupational health sector, we thought we’d focus this month’s newsletter on how medical data should be processed and stored within your organisation.
What does the GDPR say about processing medical data?
Article 6 of the GDPR lays out six prerequisites for the processing of data to be lawful. At least one of these must apply for it to be lawful to process data. In summary these prerequisites are:
- Consent should be given
- Processing is necessary to fulfil contractual obligations
- Processing is necessary to fulfil legal obligations
- Processing is necessary to protect vital interests (such as in life and death situations)
- Processing is in the public interest
- There is a legitimate interest pursued by the data controller
However, there are certain categories of data which cannot be processed on these six grounds. These are called ‘special categories’ and, as well as things like ethnic origin or political opinions, they include medical data.
Special categories of data, including medical data, cannot be processed unless one of the following applies (Article 9, 2a – 2j):
- Explicit consent is given
- Processing is necessary to carry out obligations in the field of employment
- Processing is necessary to protect the vital interests of someone where they cannot physically or legally give consent
- Processing is necessary as part of legitimate activities by a foundation, association or not-for-profit body
- Data has been made public by the data subject
- Processing is necessary to establish, exercise or defend legal claims
- There is a substantial public interest
- Processing is necessary for preventative or occupational medicine
- Processing is necessary for the benefit of public health
- Archiving or research is in the public interest
Please see Article 9 for exact wording.
What does this mean for your organisation?
Well, contrary to popular belief, this means that in certain circumstances, namely those mentioned in Article 9, processing the medical data of your employees is fine. However, there needs to be a reason, and the data should be processed fairly and securely. So what else do you need to do?
What should you do if you need to process medical data?
You and your organisation are responsible for any breaches or misuse of data. The fines for this can be very large indeed. The GDPR is also very clear about the handling of data.
We would recommend you ask yourself the following questions before processing data…
- Is it secure? Data can take many different formats, whether it’s a hand-written form, a recorded telephone call, a Microsoft Word document, or a record on your database. They’re all subject to the same law, so should all be treated with equal consideration. You need to ensure you’ve taken all reasonable precautions to make your medical data secure. This includes things like password protecting, encryption, not storing on shared areas or using shared email addresses, locking your office, not leaving your computer lying around.
- Do I need all the data I’m processing? You should minimise the data you store on record – only required data (look at Articles 6 and 9 to see whether data is required) should be processed and stored. For example, if you’re assessing someone’s fitness for work in relation to their history of asthma, asking for their medical records from 20 years ago relating to a broken leg they once suffered would be neither reasonable nor necessary.
- How long will I be retaining the data for? You should have a retention schedule for all data, particularly your special category data. Typically this may be the length of someone’s employment, plus a further X years.
- Am I being open about my intentions? The data subjects (who will typically be your employees or customers) have a right to know what data of theirs is being processed and for what reason. To avoid any unnecessary confusion, you should be honest and open about your data processing and data retention.
- Is it easy to demonstrate? Under the GDPR, data subjects (in most instances) have a right to request all the data held about them, a right to have their data corrected, and a right to have their data deleted. Therefore you need to be able to easily demonstrate and release all the data held on record for your staff or customers. If it’s a long-winded process to gather all of this, you may wish to look at streamlining it, as subject access requests and requests to be forgotten are likely to become a lot more common. Remember, everything is discoverable, so you would be ill advised to store data that, at a later date, you wouldn’t wish the subject to see.
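The retention-schedule and subject-access points above are easiest to get right when the record store itself can answer them. The following is an added example, not APL Health’s own system or code from this newsletter: a small Python record store that computes a retention expiry of “end of employment plus X years”, lists records whose retention period has elapsed, produces a subject access export, and carries out an erasure request. The record layout, the `retention_years` setting and the sample subjects and records are all assumptions constructed for the example.

```python
"""Added example (not the newsletter's or APL Health's code): a minimal
medical-record store that enforces a retention schedule and answers
subject access and erasure requests. All names and data are constructed."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years, clamping 29 Feb to 28 Feb where needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class Subject:
    subject_id: str
    employment_end: Optional[date]  # None while the person is still employed


@dataclass
class Record:
    record_id: str
    subject_id: str
    category: str  # e.g. "fitness_for_work", "referral_letter" (assumed)
    created: date
    content: str


@dataclass
class RecordStore:
    retention_years: int  # the "X" in "length of employment plus X years"
    subjects: dict = field(default_factory=dict)
    records: list = field(default_factory=list)

    def add_subject(self, subject: Subject) -> None:
        self.subjects[subject.subject_id] = subject

    def add_record(self, record: Record) -> None:
        # Refuse records that cannot be tied to a known data subject.
        if record.subject_id not in self.subjects:
            raise KeyError(f"unknown subject {record.subject_id}")
        self.records.append(record)

    def retention_expiry(self, subject_id: str) -> Optional[date]:
        """Date after which the subject's records should be deleted."""
        subj = self.subjects[subject_id]
        if subj.employment_end is None:
            return None  # retention clock has not started
        return add_years(subj.employment_end, self.retention_years)

    def records_due_for_deletion(self, today: date) -> list:
        """Records whose retention period has elapsed as of `today`."""
        due = []
        for rec in self.records:
            expiry = self.retention_expiry(rec.subject_id)
            if expiry is not None and today > expiry:
                due.append(rec)
        return due

    def subject_access_export(self, subject_id: str) -> dict:
        """Everything held about one subject, oldest record first."""
        expiry = self.retention_expiry(subject_id)  # KeyError if unknown
        recs = sorted((r for r in self.records if r.subject_id == subject_id),
                      key=lambda r: r.created)
        return {
            "subject_id": subject_id,
            "retention_expiry": expiry.isoformat() if expiry else None,
            "records": [{"record_id": r.record_id, "category": r.category,
                         "created": r.created.isoformat(), "content": r.content}
                        for r in recs],
        }

    def erase_subject(self, subject_id: str) -> int:
        """Right to erasure: drop the subject and all their records."""
        before = len(self.records)
        self.records = [r for r in self.records if r.subject_id != subject_id]
        self.subjects.pop(subject_id, None)
        return before - len(self.records)


def sample_store() -> RecordStore:
    """Constructed sample data: one current employee, one who left in 2018."""
    store = RecordStore(retention_years=6)
    store.add_subject(Subject("s-001", employment_end=None))
    store.add_subject(Subject("s-002", employment_end=date(2018, 3, 31)))
    store.add_record(Record("r-1", "s-001", "fitness_for_work", date(2020, 5, 1), "fit"))
    store.add_record(Record("r-2", "s-001", "referral_letter", date(2021, 2, 10), "asthma review"))
    store.add_record(Record("r-3", "s-002", "fitness_for_work", date(2017, 6, 15), "fit"))
    return store


if __name__ == "__main__":
    s = sample_store()
    print("due:", [r.record_id for r in s.records_due_for_deletion(date(2024, 4, 1))])
    print("export:", s.subject_access_export("s-001"))
```

The point of keeping every record tied to a subject and a creation date is that the three questions above (when does this expire, what do we hold about this person, can we delete it all) each become a single query rather than a search across mailboxes and shared drives.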
Working with APL Health
At APL Health we take data protection seriously. We operate according to very strict internal guidelines, and always ensure that medical data is processed fairly and lawfully. We’re always happy to help our clients handle data relating to their occupational health referrals compliantly.
If you have any questions about how the GDPR relates to your processing of medical data, email us using firstname.lastname@example.org and we’ll do our best to help. We’d also be happy to share our data policy with our customers.