The European Union (EU) General Data Protection Regulation (GDPR) will impact how healthcare organizations based in the U.S. and around the world communicate their Notice of Privacy Practices to EU patients. Data controllers in any country handling EU resident data are expected to take “appropriate measures.” The GDPR includes a longer and more detailed list of information that must be provided in a privacy notice than either the Data Protection Act (DPA) or HIPAA requires. There are also some differences in what organizations are required to provide, depending on whether they collect the information directly from the data subjects or from a third party.
Caring Means Sharing
Currently, when an organization collects personal data from an EU patient, it has to give the patient certain information, such as the organization’s identity and how the organization intends to use the patient’s information. This is usually done through a privacy notice. Under the GDPR, which will be fully enforced effective May 25, 2018, there are some additional requirements. For example, the organization will need to explain the legal basis for processing the data; how long the data will be retained; and that individuals have a right to file a complaint with the U.K. Information Commissioner’s Office (ICO) if they think there is a problem with the way their data was handled. The GDPR requires the information to be provided in a concise manner, using easy-to-understand language.
Privacy Notice Must Haves
At a minimum, a privacy notice to EU patients should include:
- Who you are
- What you are going to do with their information
- With whom their information will be shared
Additional elements of the privacy notice should include:
- Identity and contact details of the data controller and, where applicable, the controller’s representative and the data protection officer
- Purpose of the data processing and the legal basis for the processing
- The legitimate interests of the data controller or third party, where applicable
- Categories of personal data
- Any recipient or categories of recipients of the personal data
- Details of data transferred to entities outside of the EU
- Retention period, and/or criteria used to determine the retention period
- List of data subject’s rights
- The right to withdraw consent at any time, where relevant
- The right to lodge a complaint with a supervisory authority within the organization
- The source from which the personal data originates and whether it came from publicly accessible sources
- Whether the provision of personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data
- The existence of automated decision-making tools, including profiling, and information about how decisions are made, the significance and consequences
Questions to Ask
To cover all the elements under the GDPR, an organization will need to consider the following questions when planning a privacy notice:
- What information is being collected?
- Who is collecting it?
- How is it collected?
- Why is it being collected?
- How will it be used, maintained, disclosed and deleted?
- How long will it be retained? In what medium(s)?
- With whom will it be shared?
- What will be the effect of this on the individuals concerned?
- Is the intended use likely to cause individuals to object or file a complaint?
New Methods Require New Thinking
Also, it is important to recognize that the ways in which data is collected are changing. Traditionally, data was collected directly from EU patients by way of completing a form. Increasingly, organizations use data that has not been directly provided by EU patients in this way. It might be:
- Observed, by tracking people online or by smart devices
- Derived from combining other data sets
- Inferred by using algorithms to analyze a variety of data, such as social media, location data and records of purchases in order to profile people in terms of their state of health
These new ways of acquiring and processing personal data about EU patients can make it more challenging for organizations to provide privacy information; new approaches might be required.
Time to Act
Bottom line: every U.S. organization that renders healthcare services to EU patients will need to develop a GDPR-compliant privacy notice. The GDPR compliance date of May 25, 2018 is coming soon!