Health data is by definition and function sensitive data, but as anyone seeing patients knows, it is not always practical to get consent when treating a sick patient.
It is not necessary to encrypt or anonymise patient data if:
- The patient has given express consent.
- It is in the vital interest of the patient, and the patient is unable to give consent, e.g. when an unconscious patient arrives in the ER or when the patient is a minor.
- The professional processing the data to provide health care is already under a professional obligation to treat patients according to a code of confidentiality. This is the Hippocratic oath and all the other versions of it which have followed.
When you do find out more information about, for example, an unconscious patient, you are under an obligation to update the records immediately. Again, this was standard practice for medical professionals before the GDPR was brought in.
It’s a short article because it’s a short message.
Don’t let the fear of data protection legislation stop you saving lives!