GDPR compliance has become a key criterion in healthcare: compliant companies have a competitive advantage over non-compliant ones.

📕 Hospitals have become wary of sharing their data, but for healthcare companies, access to this data is essential to their survival.

They need it to validate the contribution of their solutions or to provide their services (medical research, decision-support tools for doctors, etc.).

With this in mind, a webinar hosted by Raphaël Buchard, GDPR expert and CEO of Dipeeo, and Dorothée Uriet, Chief Regulatory & Clinical Affairs Officer of Braintale, was organized to offer valuable insights into these topics, with a particular focus on healthcare data.

🔐 What is personal data?

Personal data is any information relating directly or indirectly to a natural person. It can take various forms, such as names, addresses, telephone numbers, e-mail addresses, online identifiers, location data, biometric identifiers, physical characteristics, medical information, political opinions, etc. 🔑

📄 How does the GDPR make it possible to secure your data?

📣 The main aim of the GDPR is to strengthen the protection of individuals' personal data within the European Union. The GDPR establishes a clear legal framework for the processing of personal data and imposes obligations on organizations that collect, process and store it.

The GDPR strengthens the security of personal data by imposing appropriate technical and organizational measures to prevent data breaches. It also encourages the implementation of data protection practices by design (privacy by design) and by default (privacy by default). This means that organizations must integrate data protection right from the design stage of their systems and services, ensuring that only the necessary data is collected and that appropriate security measures are in place to protect this data. 💼

In addition, the GDPR strengthens the rights of individuals regarding their personal data.

Individuals have the right to access their data, to rectify it if inaccurate, to request its erasure, to object to its processing in certain circumstances, and to exercise their right to data portability.

Organizations are obliged to respect these rights and put in place procedures to meet them.

Health data GDPR

Distinction between personal data and health data🩸

It is important to distinguish between personal data and health data. Personal data refers to any information that makes it possible to identify a person, while health data refers specifically to information linked to a person's health, whether physical or mental. 📜

Health data is considered a special category of personal data under the GDPR, as it is more sensitive and requires enhanced protection. This includes information such as medical history, current treatments, medical test results, prescriptions, allergies, etc.

🔔 It should be noted that some personal data may become health data depending on the context. For example, a hospital room number would not generally be considered health data in itself, but if this number is used as part of a medical records management system to identify a patient's location, it may be considered health data, as it is then linked to specific medical information.


🚀 GDPR compliance is mandatory for working with hospitals

🏥 Hospitals have a duty to protect their patients' healthcare data, which is why they choose to work exclusively with General Data Protection Regulation (GDPR)-compliant providers. Here are the reasons why compliance is mandatory for working with hospitals:

Partner audits: Hospitals conduct compliance audits to assess the data protection practices of their partners. They ensure that providers comply with the GDPR when processing healthcare data. Without proper compliance, hospitals will not sign new contracts and will terminate existing ones.

Winning tenders: Hospitals carry out tenders to select service providers. During these processes, GDPR compliance becomes a key criterion. Providers who can demonstrate their compliance are more likely to win tenders, as they offer additional assurance regarding the protection of healthcare data.

Signing the Data Processing Agreement (DPA): The DPA establishes the responsibilities and obligations of the parties involved in the processing of personal data. When working with hospitals, service providers are required to sign a DPA that defines the specific terms and conditions relating to the protection of health data. The presence of a DPO (Data Protection Officer) is important to negotiate the clauses of the DPA and thus avoid taking on disproportionate responsibilities.

💡 Solutions for processing and using healthcare data

📕 Being GDPR compliant is not enough to be able to process and use health data shared by hospitals. It is often necessary to obtain patient consent for the use of their data and/or to pseudonymize or anonymize the data. This enables hospitals to share data with third-party providers while protecting patient confidentiality.

When health data is adequately anonymized, it is no longer considered personal data and is therefore excluded from the scope of the GDPR. 🔓

As for pseudonymized data, it retains its character as personal data because it can be linked to a person by means of a correspondence table that re-establishes the links between pseudonyms and identifiers. However, this is a very effective protection measure, as without the mapping table, no identification is possible.

🏆 Anonymization of personal data: Outside the scope of the GDPR.


Anonymization of personal data is a process whereby information that can be used to identify a person is removed or altered so that it is no longer possible to associate it with a specific person, either directly or indirectly. Anonymization aims to make data completely unidentifiable and, as a result, it falls outside the scope of the GDPR. This means that the principles and obligations of the GDPR no longer apply to this data, as it can no longer be used to identify the individuals concerned. 📖

🔔 It should be noted, however, that data anonymization is not an easy task and requires appropriate technical and organizational measures to ensure that data cannot be re-identified.

For example, for blood test results, it would be necessary to remove all direct identifying information, such as names, social security numbers, addresses and so on. However, this is not enough to guarantee adequate anonymization: age, sex, date of birth or geographical information can be combined with external information to trace a person.

📢 Anonymization must be performed irreversibly, so that there is no possibility of restoring identifying information.

🥇 Pseudonymization of personal data: a security measure

🔐 In contrast, pseudonymization is a processing operation on personal data that uses a mapping table, which records the relationship between direct identifiers and pseudonyms. This table is stored securely. It can remain in the hands of the hospital, for example, and can be used to re-establish the links between pseudonyms and direct identifiers when necessary, for example, as part of medical research or patient follow-up.

Unlike anonymization, pseudonymization does not completely remove the possibility of identifying individuals, but makes this identification more difficult without the use of additional information such as the mapping table. 🚀

Pseudonymization is often used as a security measure to protect personal data. It reduces the risks associated with data processing by limiting access to direct identifiers and ensuring the confidentiality of sensitive information.
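To make the difference between the two techniques concrete, here is an added example (not code from the webinar, Dipeeo or Braintale) that applies both to a constructed set of blood-test records. The pseudonymization side replaces direct identifiers with random pseudonyms and hands back a separate mapping table, which is what the hospital would keep; the anonymization side drops direct identifiers, coarsens the quasi-identifiers mentioned above (age, sex, geography) and suppresses any record whose combination of quasi-identifiers is shared by fewer than k records, keeping no table at all. The field names, the reference year and the k-anonymity threshold are assumptions made for the example.

```python
"""Added example: pseudonymization with a separate mapping table versus
irreversible anonymization of constructed blood-test records."""
import secrets
from collections import Counter

# Field classes assumed for this example (not a GDPR-defined list).
DIRECT_IDENTIFIERS = ("name", "ssn", "address")
QUASI_IDENTIFIERS = ("age_band", "sex", "postcode_area")
REFERENCE_YEAR = 2024  # constructed: year the export is assumed to be taken

# Constructed sample records; every value here is fictional.
RECORDS = [
    {"name": "A. Dupont", "ssn": "SSN-0001", "address": "12 rue Exemple, Paris",
     "dob": "1985-03-14", "sex": "F", "postcode": "75011", "hemoglobin_g_dl": 13.8},
    {"name": "B. Martin", "ssn": "SSN-0002", "address": "4 avenue Test, Paris",
     "dob": "1988-11-02", "sex": "F", "postcode": "75020", "hemoglobin_g_dl": 12.9},
    {"name": "C. Bernard", "ssn": "SSN-0003", "address": "9 chemin Fictif, Marseille",
     "dob": "1951-07-21", "sex": "M", "postcode": "13001", "hemoglobin_g_dl": 15.2},
    {"name": "A. Dupont", "ssn": "SSN-0001", "address": "12 rue Exemple, Paris",
     "dob": "1985-03-14", "sex": "F", "postcode": "75011", "hemoglobin_g_dl": 14.0},
]


def pseudonymize(records):
    """Replace direct identifiers with a random pseudonym.

    Returns the pseudonymized records (the part a provider could receive) and
    the mapping table pseudonym -> direct identifiers (the part the hospital
    keeps). The same patient gets the same pseudonym so records stay linkable.
    """
    mapping = {}
    pseudonym_for = {}  # working index ssn -> pseudonym, discarded afterwards
    out = []
    for rec in records:
        pseudonym = pseudonym_for.get(rec["ssn"])
        if pseudonym is None:
            pseudonym = secrets.token_hex(8)
            pseudonym_for[rec["ssn"]] = pseudonym
            mapping[pseudonym] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        out.append({"pseudonym": pseudonym,
                    **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return out, mapping


def reidentify(pseudo_records, mapping):
    """Restore direct identifiers from the mapping table (hospital side only)."""
    return [{**mapping[r["pseudonym"]],
             **{k: v for k, v in r.items() if k != "pseudonym"}}
            for r in pseudo_records]


def generalize(rec):
    """Drop direct identifiers and coarsen the quasi-identifiers:
    date of birth -> ten-year age band, full postcode -> two-digit area."""
    age = REFERENCE_YEAR - int(rec["dob"][:4])  # year-level precision is enough here
    decade = age // 10 * 10
    return {"age_band": f"{decade}-{decade + 9}",
            "sex": rec["sex"],
            "postcode_area": rec["postcode"][:2],
            "hemoglobin_g_dl": rec["hemoglobin_g_dl"]}


def equivalence_class_sizes(records):
    """How many records share each combination of quasi-identifiers."""
    return Counter(tuple(r[q] for q in QUASI_IDENTIFIERS) for r in records)


def anonymize(records, k=2):
    """Generalize every record, then suppress those whose quasi-identifier
    combination is shared by fewer than k records (k-anonymity).
    No table is produced, so the operation cannot be reversed."""
    generalized = [generalize(r) for r in records]
    sizes = equivalence_class_sizes(generalized)
    return [r for r in generalized
            if sizes[tuple(r[q] for q in QUASI_IDENTIFIERS)] >= k]


if __name__ == "__main__":
    shared, table = pseudonymize(RECORDS)
    print("pseudonymized, shareable:", shared)
    print("mapping table, kept by the hospital:", table)
    print("anonymized (k=2):", anonymize(RECORDS, k=2))
```

Note that the pseudonymized records still carry the date of birth and full postcode, which is exactly why they remain personal data even without the mapping table; the anonymized output drops those fields and also loses the one record whose age band, sex and area were unique in this sample, which is the usual price of irreversibility.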
