GDPR recently made the news in the Netherlands when the Dutch Data Protection Authority, the Autoriteit Persoonsgegevens (AP), issued a €460,000 fine to a hospital in The Hague. The Haga Hospital did not adequately protect the medical records of a TV celebrity, who was admitted in 2018 after a suicide attempt. No fewer than 197 staff at the hospital were found to have "snooped" at the well-known patient's records.
The fact that a sizeable GDPR fine has been levied on a Dutch hospital comes as no surprise, as the AP had previously announced its focus on the public and health sectors. On top of the initial fine, the Haga Hospital will be liable for a further €100,000 every fortnight after 2 October 2019 if it has not improved the security of patient data by that date, up to a maximum of €300,000.
You can always argue that hefty fines against hospitals are counterproductive: maybe that money would be better spent on care. But respect for privacy is part of patient care. This is also the first GDPR fine the Dutch Data Protection Authority has issued, so it was not undertaken lightly.
The Haga Hospital breached Article 32 of the GDPR, which requires technical and organisational security measures appropriate to the risk posed by the data in question. Health-related data is considered high risk because it has a greater potential to harm individuals if leaked; for instance, it might affect the subject's job prospects or reputation. Like all personal data, it needs to be mapped and managed, so that the hospital or organisation knows where it is and who has access to it.
The risks associated with processing medical data, and all aspects of its handling, (e.g. who has access, IT security, the security of premises, anonymisation), must be assessed to avoid the type of GDPR breach which occurred at the Dutch hospital. Small to medium-sized companies or bodies can use GDPR compliance software to assist them in these steps.
The Dutch Data Protection Authority found that the Haga Hospital did not use two-factor authentication and did not adequately control and review the logging of access to patient records. Both are Article 32 failures, but they address different risks: two-factor authentication makes it harder for someone to act under another person's account, while regularly reviewing access logs is what detects legitimately logged-in staff who look at records they have no business seeing. The 197 snoopers were, after all, authenticated users; only log review exposes that kind of misuse.
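What "control of logging" means in practice is illustrated by the following added example, which is not code from the AP decision or from the hospital's own systems. It takes an electronic health record access log (the log lines, user IDs, roles and patient IDs below are constructed), compares each access against a list of documented care relationships, and reports accesses by staff who are not on the patient's care team, together with the number of distinct users who opened each record. The care-team table, the column names and the threshold are assumptions for the example; a real hospital would derive them from its scheduling or treatment-relationship system.

```python
"""Audit an EHR access log for snooping: record views by staff who have no
documented care relationship with the patient.

Added example; the log, user IDs, patient IDs and care-team data are
constructed for illustration and are not from any real case.
"""
import csv
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from io import StringIO

# Constructed access log in the shape many EHR audit trails export to CSV.
# An empty "reason" means the user gave no justification for opening the record.
ACCESS_LOG = """\
timestamp,user_id,role,patient_id,action,reason
2018-02-01T09:02:11,u1001,nurse,p777,view,treatment
2018-02-01T09:15:42,u2001,physician,p777,view,treatment
2018-02-01T10:03:07,u3001,admin_clerk,p777,view,
2018-02-01T10:04:59,u3002,nurse,p777,view,
2018-02-01T10:05:30,u3003,radiologist,p777,view,curiosity
2018-02-01T11:20:00,u1001,nurse,p888,view,treatment
2018-02-01T12:00:00,u3002,nurse,p888,view,
"""

# Constructed care relationships: which staff are on which patient's care team.
# In a real deployment this comes from the treatment-relationship register.
CARE_TEAM = {
    "p777": {"u1001", "u2001"},
    "p888": {"u1001", "u3002"},
}


@dataclass(frozen=True)
class Access:
    ts: datetime
    user_id: str
    role: str
    patient_id: str
    action: str
    reason: str


def parse_log(text: str) -> list[Access]:
    """Parse the CSV audit trail into Access records."""
    rows = csv.DictReader(StringIO(text))
    return [
        Access(
            ts=datetime.fromisoformat(r["timestamp"]),
            user_id=r["user_id"],
            role=r["role"],
            patient_id=r["patient_id"],
            action=r["action"],
            reason=r["reason"],
        )
        for r in rows
    ]


def find_unjustified(accesses: list[Access], care_team: dict[str, set[str]]) -> list[Access]:
    """Accesses by users not on the patient's care team.

    A free-text reason is not treated as a justification by itself; it is kept
    so a reviewer can see what the user claimed and follow up on it.
    """
    return [a for a in accesses if a.user_id not in care_team.get(a.patient_id, set())]


def distinct_users_per_patient(accesses: list[Access]) -> dict[str, int]:
    """How many different people opened each record; a spike is a snooping signal."""
    users: dict[str, set[str]] = defaultdict(set)
    for a in accesses:
        users[a.patient_id].add(a.user_id)
    return {p: len(u) for p, u in users.items()}


def patients_over_threshold(accesses: list[Access], threshold: int) -> list[str]:
    """Records opened by more distinct users than the threshold allows."""
    return sorted(p for p, n in distinct_users_per_patient(accesses).items() if n > threshold)


if __name__ == "__main__":
    log = parse_log(ACCESS_LOG)
    for a in find_unjustified(log, CARE_TEAM):
        print(f"UNJUSTIFIED {a.ts.isoformat()} {a.user_id} ({a.role}) viewed {a.patient_id} reason={a.reason!r}")
    for p in patients_over_threshold(log, threshold=3):
        print(f"REVIEW {p}: opened by {distinct_users_per_patient(log)[p]} distinct users")
```

The point of the example is that the log alone achieves nothing; the Haga case turned on nobody looking at it. Running a check like this daily, and routing every flagged row to a privacy officer, is what turns an audit trail into a control. The distinct-user threshold is a coarse backstop for patients who have no complete care-team record; the care-relationship check is the one that catches the individual snooper.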
There have been several high-profile GDPR infractions recently. Hospital data breaches tend to shock because of the sensitivity of the data. In Portugal, the Centro Hospitalar Barreiro Montijo was fined €400,000 last year under similar circumstances: too many people had easy access to patient records. This poses a particular risk to high-profile patients but is disconcerting to everyone. In both hospitals the threat came from inside, from staff who already had accounts, not from an external attacker.
In a healthcare setting, patients have an absolute right to expect confidentiality, regardless of who they are. That can only happen if data is accessible on a need-to-know basis, enforced technically and checked against the access logs, not merely stated in policy. Raising staff awareness is also essential to protecting data.
Similar principles apply to all companies. GDPR offers a chance to show customers that you respect their data and process it responsibly. Using the right software can help; why not begin the compliance process today?