The Right to Privacy and Data Protection, the key principles to consider when working with health data

Topic outline

• Select topic 1. Introduction

  1. Introduction

  Collapse all Expand all

  We all agree on two things: Firstly, health and health data are private, confidential, and sensitive. Secondly, it is necessary and not always forbidden to collect and process data concerning health for various reasons.

  In line with the Health Data Agency's mission to faciliate the secondary use of health data while maintaining strict privacy standards and facilitating data access requests, this training consists out of two videos and focuses on understanding the GDPR key principles and safeguards that will allow you to collect and process data with respect for the data subjects.

  In part 1, you will have an overview of the context of the GDPR. In European traditions, we aim to regulate before issues arise and our European regulations embody the willingness to work with and share data by applying the consistent principles across sectors.
  

  In part 2, demonstrates the 5 key GDPR principles to apply in your health data management: purpose specification, data minimisation, transparency, storage limitation and security.

  
  
• Select topic 2. Regulations on Data Protection

  2. Regulations on Data Protection
  • Select activity In this first video, Griet Verhenneman explains wh...

    In this first video, Griet Verhenneman explains why the European General data protection regulation (GDPR) is installed and how it is meant to ensure the protection of our fundamental rights to privacy and data protection.
    
    

    The course does not go over all the regulations, but provides the knowledge to carry out a data protection gap assessment for your organization, your department, or specific project.

     

     
    

    As explained in the video the European GDPR (General data protection regulation) is embedded in the broader context of our fundamental rights. GDPR embodies the right to protection against any unbridled use of personal data. 

    How is GDPR contextualized in the History of Legislation?

    • The convention on human rights in 1948 declared the right to respect for a person’s private and family life.
    • The European Charter on fundamental rights, declared in 2000, created two separate fundamental rights: one on the protection of private life and, one on the protection of personal data. The Charter explicitly recognizes the right to data protection (Article 8) as a fundamental right, affirming the importance of privacy and data protection within the EU legal framework. There is though a difference between Privacy and Personal Data Protection. While both rights are related to individual autonomy and privacy, the right to private life applies to broader aspects of personal autonomy, whereas the right to personal data protection focuses specifically on the handling of personal data which extends to various aspects of an individual's life, including personal but also professional information for example.
    • The Council of Europe in 1981 was the first step toward a separate framework for the protection of personal data. The CoE is an international organization separate from the EU, comprising 47 member states, including EU member states and others like Russia and Turkey. The so-called convention 108, serves as a model for data protection laws in Europe and globally.
    • The 1995 EU directive on the protection of personal data was an initiative of the European commission decided to a more harmonized approach because National legislation on the topic of data protection was booming.

    Do European Regulations stand in the way of the Economy?

    GDPR was not written to make data processing impossible or create an absolute preference for individual autonomy. GDPR was created to regulate a market based on our European fundamental rights traditions. GDPR embodies the willingness to work with data and even to share data. In the US, regulatory actions often follow the emergence of issues with new technologies, unlike in Europe where regulations are typically implemented before new technologies are entering the market. In Europe we also adopt a technology-neutral approach in data protection laws, aiming for a framework applicable across sectors. While this approach can be complex, it ensures consistency in principles across different sorts of data.

    Why apply a Data Protection by Design Approach?
    

    It's crucial to recognize certain boundaries that shouldn't be breached. However, the bulk of what's achieved in terms of data protection or privacy by design, and building trust with citizens, hinges on how you align your product or process with fundamental rights. It's about how you connect it with the people it affects, prioritizing their rights and concerns throughout.
    

    When discussing data protection, it's crucial to frame the conversation in terms of rights and obligations. Data subjects possess rights, yet they also bear certain obligations. Similarly, data controllers and processors carry obligations, but they also hold rights.

    In the next video we go deeper into the five principles that determine the legality of your data processing activities and secondly the safeguards you can implement to prevent or to overcome potential issues.

    
    

    
    

• Select topic 3. Data Protection Principles and Safeguards

  3. Data Protection Principles and Safeguards
  • Select activity When we speak of data protection, we should not sp...

    When we speak of data protection, we should not speak in terms of absolute rights. Instead we should speak in terms of rights and obligations that are acknowledged to and imposed on several parties. There is no data ownership and it is not only about informed consent. It is about rights and obligations for both data subjects and data controllers. That idea is also reflected in the structure of the GDPR.

    GDPR outlines seven principles. Instead of outlining them all individually, we'll provide a concise summary focusing on five key principles in our video. These principles should be applied in order to collect and process data with respect for the data subjects and their rights.

    
    

      

    In the video and below we explain 5 Principles of Data Protection. The principles for data protection are to be found in chapter 2 of the GDPR. The GDPR is structured as following:

    1. Chapter 1: General Provisions and Concepts
    2. Chapter 2: Principles of the Data Protection Law, focus in our video today
    3. Chapter 3: Rights of the Data Subject
    4. Chapter 4: Specific obligations for Data Controllers and Processors
    5. Chapter 5: Transfer of Personal Data to Third Countries or International Organizations
    6. Chapter 6: Independent Supervisory Authorities
    7. Chapter 7: Cooperation between Independent Supervisory Authorities
    8. Chapter 8: Remedies, Liability, and Penalties
    9. Chapter 9: Instructions for Specific Processing Situations, for example processing data for the purpose of research and statistics

    
    

  • Select activity 1. Purpose Specification PrincipleData should be c...

    1. Purpose Specification Principle
    
    

    • Data should be collected for specific, well-defined purposes, clearly communicated to the data subjects.
    • Collecting data without a defined purpose is not permitted under the GDPR.
    • Legal bases, outlined in Article 6 of the GDPR, must justify data processing activities.
    • Legal bases must be chosen based on the situation and may include options beyond informed consent.

    
    

    Article 6 of the GDPR:

    2. Data Minimisation Principle
    
    

    • Only necessary data should be collected for the defined purpose.
    • Data should be retained only for as long as necessary to achieve the defined purpose.
    • Anonymisation or pseudonymisation should be applied when identifiers are no longer needed.

    
    3. Transparency Principle
    
    

    • Data controllers should communicate transparently about data processing activities to data subjects and relevant authorities.
    • Communication should be personalized, understandable, and not limited to publishing project lists on websites.

    
    4. Storage Limitation Principle
    
    

    • A maximum storage duration should be specified for personal data.
    • Storage duration may be determined through periodic reviews rather than fixed timeframes.
    • Compliance with sector-specific laws regarding storage duration should be considered.

    
    5. Security Principle
    
    

    • Data controllers are responsible for implementing and maintaining technical and organizational security measures.
    • Technical measures include encryption, authentication, and automatic screen locking.
    • Organizational measures encompass policies, contracts, confidentiality requirements, and awareness campaigns.
    • Collaboration among various departments within an organization is crucial for effective security measures.

    
    Overall, applying to these principles ensures not only compliance with GDPR regulations but also the respect for fundamental human rights regarding privacy and data protection. Demonstrating strong efforts in data protection and security is essential for maintaining compliance and trust in data handling practices.
    
    For further assistance or to submit a data access request, please visit the Health Data Agency's website : https://www.hda.belgium.be/en/data_request
    
• Select topic About prof. Griet Verhenneman

  About prof. Griet Verhenneman
  • Select activity Prof. Dr. Griet Verhenneman is Assistant Professor...

    Prof. Dr. Griet Verhenneman is Assistant Professor of Privacy Law at Ghent University with particular expertise on the legal aspects of eHealth, privacy and data protection.
    

    Professor Verhenneman combines expert theoretical knowledge with a Data Protection Officer’s hands-on experience in the field of eHealth, privacy and data protection. Today, Professor Verhenneman is one of the collaborating professors at the Metamedica Research Unit at the University of Ghent, affiliated with the Faculty of Law and Criminology. Core topics include (health) data governance, confidentiality, and the use of (medical) information technologies, including AI.

    
    Prior to joining Ghent University, Griet worked as a legal researcher and a DPO. From 2007 to 2018, she was part of the team that developed the health research track at KU Leuven - CiTiP. Having been involved in several Belgian and European research projects, Griet worked on topics such as EHRs, mHealth, telemedicine, clinical trials, genetics, genomics, and more. In 2018, Griet accepted a position as a Data Protection Officer at the University Hospital KU Leuven. She then continued her collaboration with the Centre for IT and IP Law as an affiliated researcher.