
EU Data Protection Legislation Managing The Security of Medical Data


1 EU Data Protection Legislation Managing The Security of Medical Data
Presenter: Hugh Jones

2 Context
- Social
- Technological
- Medical
- Commercial
- Historical

3 Personal Data means …
… data relating to a living individual who is or can be identified either directly from the data itself, or from the data in conjunction with other information that is in, or is likely to come into, the possession of the Data Controller.
(Article 29 Working Party definition)

4 Sensitive Personal Data
means personal data relating to the Data Subject, namely:
- their racial or ethnic origin
- their political opinions
- their religious or philosophical beliefs
- whether the Data Subject is a member of a trade union
- information relating to their physical or mental health
- the condition (orientation) or sexual life of the Data Subject
- information on the commission or alleged commission of any offence by the Data Subject
- data on any proceedings for an offence committed by the Data Subject

5 The Data Protection Rules
The DP Characters:
1. Acquire Fairly
2. Specified Purpose
3. Compatible Processing
4. Keep Safe
5. Keep Accurate
6. Adequate Processing
7. Retain / Destroy
8. Allow Access

6 The “Squeeze”
Pressures on the Data Controller come from four directions:
- Regulatory
- Society
- Peers
- Competitors

7 Data Protection and ‘the Brand’

8 The enemy within…
70% of breaches are caused by the deliberate, non-malicious actions of staff.
“That’s the way we have always done it.”
“I don’t know why we do it that way.”
“To think creatively, we must be able to look afresh at what we normally take for granted.” – George Keller
“Complacency is nothing but an awesome trigger of mediocrity and failure.” – Ernest Agyemang Yeboah

9 Key Principles – very subjective
- Fundamental, but not an absolute right
- Expectation of lawful processing
- Right to be left alone
- “Fairness” of acquisition
- “Appropriateness” of processing
- “Adequacy” of security
- “Quality” based on operational need
- “Proportionality” of processing
- “Necessity” of retention schedule

10 Minimum standard of transparency
What is “Fair”?
- Identity of the Data Controller or third party
- The purpose(s) for processing, with reference to legislation
- Intended recipient(s) or categories of recipients
- Existence of the right of access to one’s data
- Contact details for the Data Controller
- Any other information which will make the processing fair

11 Strategies for Meeting Regulatory Pressure
Not just with the ODPC! HSE, HIQA, JCI, International Standards, other consumer protection organisations.
- Proactive data management programme
- Privacy Impact Assessments
- Relationship management
- Positive profile
- Evidence of a ‘culture of compliance’

12 Peers and ‘Competitors’
- Pressure of maintaining competitive advantage
- Cost of damage to brand, reputation
- Cost of competitive response
- Majority of breaches are self-inflicted
- The patient is most vulnerable when you meet them
- You are most vulnerable immediately post-incident

13 Strategies for Peers/Competitors
- Evidence of best-practice data management
- Adoption of standards
- Regular oversight and governance
- Proven data quality – complete and up-to-date
- Sound analysis of data – quality diagnostics
- Accurate, mature decision-making
- Visible signs of data security – virtual and physical
- Well-tested incident management solution
- Appropriate, timely data destruction programme

14 Changing Societal Profile
- Increased awareness of rights
- Increased concern for data security
- Increased media attention to breaches
- Increasing concern re. profiling, intrusion
- Increasing incidence of access requests
- Data being used as a ‘weapon’

15 Strategies for Social Pressure
- Clear, transparent language in correspondence
- Constructive expectation management
- Consistent Fair Processing Notice
- Regular, beneficial communication
- Balanced relationship management
- Responsive to requests for clarity, assistance

16 Data Security Considerations
- Data Security Policy
- Information Security strategy
- Security in proportion to value, volume
- Physical and environmental security
- Communications and operations management
- Appropriate access controls, authorisation levels
- Business Continuity Management
- Disaster Recovery
- Compliance with standards

17 Where to start? Appropriate Processes and Procedures
- Encryption of hardware
- Timely monitoring
- Service Level Agreements
- Staff training
- Mandatory breach notification process
- Adoption of relevant standards: HIQA, JCI, PCI DSS, ISO 27001

18 Accountability
Role of Data Controller
- Primary point of compliance
- Responsible for staff awareness
Role of Data Processor
- Mandatory contract in place
Role of Data Protection Officer
- Dedicated role within the organisation
- Not necessarily an employee
Individual accountability of Board members

19 Revision of Key Roles
- Must be able to demonstrate compliant processing
- Evidence of Privacy by Design or by Default
- Possibility of Processor being a ‘Joint Controller’
- Obligations for non-EU based Data Controller
- Required clauses for Data Processor contract
- Control over sub-contracting

20 So why comply with the Legislation?
- ‘It’s the law of the land!’
- Protection of brand
- Avoid risk to reputation
- Protection of trust: patients, employees, suppliers and contractors
- Enables better decision-making
- Makes good business sense
- Delivers business value

21 Sytorus Ltd. – who we are
Data Protection Consultancy – Training
- Introductory level training for all staff
- DPO Primer Certification
- Modular training on individual topics
- Enterprise Data Protection Assessments
- Privacy Impact Assessments
- Interim Data Protection Officer
- Liaison with national DP Agencies/Commissioner

22 Questions?
