How about some training on personal data?

Carers will be provided with some simple definitions relating to privacy and GDPR.
Ethics play a pivotal role in our profession as carers. The implementation of GDPR (the General Data Protection Regulation) and the use of new technologies and computers require extra training and invite us to rethink our profession. This article will clarify certain concepts regarding the protection of personal data and how they relate to ISA. It will go on to deal with the issue of consent and patient information when it comes to fall detection for the elderly.
It is important to have a good understanding of certain concepts to be able to convey them to patients:
What is personal data?
We are talking about any piece of information that enables a person to be identified. A name, a photo or a tattoo are all examples of personal data. But the term also includes any piece of indirect information which enables the person to be identified by cross-checking it with other sources.
ISA collects only data that is strictly necessary for it to operate (data minimisation principle). For example:
Images (in this case, videos of falls);
Data relating to what happens in the room (alarms, sensor number, name of institution, patient movements).
What is a processing activity?
This refers to any data-related activity – the data may be collected, stored, transferred, communicated to third parties or simply read.
What is meant by the purpose of data processing?
The data is processed for a specific purpose. As far as the care team is concerned, the purpose is the obligation to provide suitable care for its patients. Individual pieces of data are compared with other pieces in order to make a diagnosis, identify a risk or simply ensure a patient’s safety.
Who is the data controller?
The data controller is any private person or legal entity, public authority, service or any other organisation which, acting on its own or with others, determines the purpose and means of processing. In this case, MintT and the hospital share the responsibility for processing the data.
What are our obligations when we process private data?
The key principles underlying data processing are the non-disclosure of data without consent, data minimisation and IT security.
The transfer of data to third parties: the law requires a written contract to be concluded with subcontractors. On no account may the data leave the European Economic Area.
Legal justification: GDPR requires that all private data is processed lawfully and that there are legal grounds for processing the data. Written consent is an example of valid legal grounds. It can also be justified if vital interests are being safeguarded or if it is based on the data controller’s legitimate interests.
As far as ISA is concerned, the data serves several purposes. MintT uses personal data in order to:
Provide its detection service in an effective manner;
Continuously improve the quality of its service;
Manage fall alerts and make its analyses available.
All of these purposes serve the legitimate interests of either the hospital or MintT. As far as the former is concerned, it helps it to respect its legal obligation of surveillance. And as far as the latter is concerned, it helps it to meet its obligations to the hospital and to improve the quality of its services.
Security: secure access to personal data by ensuring that only persons who need it to perform their duties are able to access and process it.
In ISA’s case, images are only recorded if there is a fall. MintT encrypts the communication between the servers and will therefore not make personal data available to the public.
Retention period for personal data. Personal data is erased (or anonymised) after a period of time which starts after the last processing – in other words, normally at the end of the contract or when the patient or nursing home resident leaves.
GDPR requires data controllers to take the appropriate technical and organisational steps to ensure that only the personal data that is required for each specific purpose is processed.
The personal data which is processed needs to be suitable, relevant, and limited to what is necessary for the purpose for which it is being processed (data minimisation).
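The three measures described above (data minimisation, access restricted to those who need it, and erasure or anonymisation after a retention period) can be sketched in code. The following is an added illustration, not MintT's or ISA's own software: the field names, roles, 30-day retention period and sample events are all assumptions constructed for the example.

```python
"""Hypothetical sketch of data minimisation, least-privilege access and
time-limited retention for a fall-detection alert store.
Added example; not MintT/ISA code. All names and values are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Fields the alert service needs for its purpose (assumed set).
REQUIRED_FIELDS = {"event_id", "institution", "sensor_id", "event_type", "timestamp"}

# Assumed retention period; in practice fixed by the contract with the institution.
RETENTION_PERIOD = timedelta(days=30)

# Assumed roles and the actions each may perform.
PERMISSIONS = {
    "care_team": {"read_alert"},
    "dpo": {"read_alert", "erase", "export"},
    "service_engineer": {"read_alert"},
}

# Constructed raw events as a sensor might emit them, including fields the
# service does not need (room temperature, firmware build).
RAW_FALL = {
    "event_id": "e1", "institution": "care-home-A", "sensor_id": "s-07",
    "event_type": "fall", "timestamp": datetime(2024, 4, 1, 3, 12),
    "video_ref": "vid-001", "patient_id": "p-001",
    "room_temperature": 21.5, "firmware_build": "1.2.3",
}
RAW_MOVEMENT = {
    "event_id": "e3", "institution": "care-home-A", "sensor_id": "s-07",
    "event_type": "movement", "timestamp": datetime(2024, 4, 1, 3, 15),
    "video_ref": "vid-003", "patient_id": "p-001", "room_temperature": 21.5,
}


@dataclass
class FallEvent:
    event_id: str
    institution: str
    sensor_id: str
    event_type: str
    timestamp: datetime
    last_processed: datetime
    video_ref: Optional[str] = None   # only kept for an actual fall
    patient_id: Optional[str] = None


def minimise(raw: dict) -> dict:
    """Keep only the fields needed for the purpose (data minimisation).
    Images and the patient link are kept only when the event is a fall,
    matching the article's statement that images are recorded only on a fall."""
    kept = {k: v for k, v in raw.items() if k in REQUIRED_FIELDS}
    if raw.get("event_type") == "fall":
        kept["video_ref"] = raw.get("video_ref")
        kept["patient_id"] = raw.get("patient_id")
    return kept


def authorise(role: str, action: str) -> bool:
    """Least privilege: an action is allowed only if the role lists it."""
    return action in PERMISSIONS.get(role, set())


def expired(ev: FallEvent, now: datetime) -> bool:
    """Retention clock starts at the last processing of the record."""
    return now - ev.last_processed > RETENTION_PERIOD


def anonymise(ev: FallEvent) -> FallEvent:
    """Strip the identifying fields; non-identifying alert data remains."""
    ev.patient_id = None
    ev.video_ref = None
    return ev


def retention_sweep(events, now: datetime) -> int:
    """Anonymise every event whose retention period has lapsed; return the count."""
    count = 0
    for ev in events:
        if expired(ev, now) and (ev.patient_id or ev.video_ref):
            anonymise(ev)
            count += 1
    return count


def demo() -> dict:
    """Run the sweep over one stale and one recent constructed event."""
    now = datetime(2024, 6, 1)
    stale = FallEvent(**minimise(RAW_FALL), last_processed=now - timedelta(days=45))
    recent = FallEvent("e2", "care-home-A", "s-07", "fall", now, now, "vid-002", "p-002")
    return {
        "anonymised": retention_sweep([stale, recent], now),
        "stale_patient": stale.patient_id,
        "recent_patient": recent.patient_id,
    }


if __name__ == "__main__":
    print(minimise(RAW_FALL))
    print(minimise(RAW_MOVEMENT))
    print(demo())
```

Running it shows that the movement event loses its video and patient fields entirely, the fall event keeps them, and only the event whose last processing lies beyond the retention period is anonymised.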
What rights do patients have?
Access, correction and deletion. The person concerned must be able to access his or her data in order to check it, correct it if it is inaccurate, or have it removed if, for example, the data is no longer required for the purpose for which it was collected.
Withdraw their consent. Patients can withdraw their consent at any moment when processing requires consent. Withdrawing consent must be just as easy as giving it.
Portability. Patients have the right to transfer their data to another data controller.
Make a complaint to a supervisory authority. If the person considers that the processing of his or her personal data is in breach of the applicable legislation, a complaint may be lodged with the supervisory authority of the EU Member State in which the person habitually resides, works, or in which the alleged infringement took place.