OpenApp

Evidence for Healthcare


Patient Registry Owners: Key Highlights of new GDPR – General Data Protection Regulation

November 22, 2016

Data protection is an issue that we regularly discuss with clinicians, clients, patient registry owners and healthcare organisations.

And it’s with data protection in mind that we put this article together. If you are designing a registry, how you collect and store data is so important. And it’s about to get even more important.

Data protection laws around the EU differ significantly from country to country. Current law is based on Directive 95/46/EC (we’ll call this the Directive from now on), which has been around since 1985. As it was a Directive, each member state interpreted the law differently, so we have a patchwork of data protection laws.

This will change on 25 May 2018 when the EU General Data Protection Regulation (we’ll call this the GDPR from now on) comes into force. This GDPR will replace the Directive. It was initially published in January 2012 and adopted on 27 April 2016. Organisations holding data have only 19 months left to amend their data protection policies, procedures and rules before the Regulation is in force. As it’s a Regulation, it will be immediately applicable across the EU without individual member states having to implement national legislation.

We thought we’d share some of the most important points that relate to you as a patient registry owner and healthcare organisation. We’ve given reference information at the end.

1. The Definition of Personal Data

Under EU law, personal data can only be gathered legally under strict conditions, for a legitimate purpose. In addition, persons or organisations which collect and manage your personal information must protect it from misuse and must respect certain rights of the person which are guaranteed by EU law. This is the fundamental basis of the law.

The definition of personal data has been extended under the GDPR and is more detailed than the previous Directive. It now includes an identification number, location data and online identifier. So if any of those can connect back to a person, it’s included as personal data.

2. Extension of Sensitive Data

The GDPR extends the definition of sensitive data to include “genetic data” and “biometric data”. This is in addition to data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life.

As with the Directive, sensitive data is afforded more protection and requires more stringent conditions to be satisfied.

3. Anonymised Data

Anonymised data, meaning data that doesn’t relate to a person, or personal data that has been rendered anonymous, is not considered to be “personal data” and therefore falls outside the scope of the GDPR.

4. Introduction of the Concept of Pseudonymisation

While we talk about and use the concept of ‘pseudonymisation’, the GDPR introduces it into the Regulation. The GDPR defines it as “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately, and is subject to technical [such as encryption] and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person”.

That’s the legalese. But in essence, personal data which has undergone pseudonymisation should be considered to be information on an identifiable natural person.

However, pseudonymised data will be afforded certain relaxations from the requirements of the GDPR. So for example, where data is pseudonymised and encrypted, a company will not be required to inform the data subject should a breach occur.

5. Strengthened Notion of Consent

The GDPR introduces a higher bar for relying on consent. Like the Directive, the GDPR refers to “consent” and “explicit consent”. The difference between them is vague as both now require some form of clear affirmative action.

The GDPR defines “consent” as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

Again, that’s the legalese. But an example of such affirmative action is ticking a box when visiting a website, as opposed to pre-ticked boxes, silence or inactivity. Those last three will not be sufficient to constitute consent.

The GDPR also includes more stringent conditions for information society services (e.g. online businesses) to rely on consent to process children’s data. It requires service providers to verify parental consent to the processing of the child’s data where the child is less than 16 years old. Individual member States may provide by law for a lower age, so long as that age is not below 13 years old.

6. Data controller and data processor

The GDPR also continues with the Directive’s terminology of data controller and data processor, which are used throughout the law.

A data controller is anyone who determines the “purposes and means of processing of the personal data.” It’s another way of saying the controller is the company or organization that makes all the decisions about initially accepting data from the data subject.

A data processor is then anyone who processes data for the controller. The GDPR specifically includes storage as a processing function, so that takes into account, say, cloud-based virtual storage.

The GDPR applies to controllers and processors. It places new legal obligations on processors, with the result that they will share liability if breaches occur.

7. Operational outside EU

If your health or patient organisation is outside the EU but monitors EU residents, then the new Regulation applies to you too. This is a significant change to the law. The GDPR expands the territorial scope of existing EU data protection laws.

8. Significant Fines

The GDPR introduces new penalties, which include fines of up to the higher of €20 million or 4% of total annual worldwide turnover.

Information Sources

There are good sources of information to learn more about your responsibilities:

If you are a healthcare organisation storing or processing personal data from EU citizens, then we suggest that you look at the European Commission site for more information. http://ec.europa.eu/justice/data-protection/index_en.htm

European Commission – http://ec.europa.eu/justice/data-protection/index_en.htm

A&L Goodbody – http://www.algoodbody.com/EU_General_Data_Protection_Regulation

Filed Under: Data intelligence, Patient Registry

OpenApp Takes Part in Epidermolysis Bullosa/ERN Registry Meeting

June 7, 2016

OpenApp is delighted to take part in an ERN Working Group on Wednesday, 8th June. Representatives from all over Europe will converge in Dublin as part of the proposed ERN for Rare and Undiagnosed Skin Diseases to discuss creating a collaborative patient registry. [Read more…]

Filed Under: Patient Registry, Uncategorized Tagged With: ERN, European Reference Networks

OpenApp Inspire and Inform at Health Conferences

April 7, 2016

Over the past couple of weeks, some of the team here have been attending, exhibiting and speaking at various Health & Rare Disease conferences.

[Read more…]

Filed Under: Patient Registry

OpenApp Supports Rare Disease Day – Making the Voice of Rare Disease Heard

February 2, 2016

2016 marks the ninth year that the international rare disease community celebrates Rare Disease Day. OpenApp is delighted to support this great initiative.

[Read more…]

Filed Under: Patient Registry

Patient Registries in a Digital Europe

December 22, 2015

The PARENT Joint Action recently held its final event entitled ‘Patient Registries in a Digital Europe’. They concluded a successful project which has now provided tools and resources to support the long-term perspective on registry interoperability.

[Read more…]

Filed Under: Patient Registry
