When organizations process personal data (or have personal data processed), they must investigate whether that processing leads to risks to patients or clients, and whether there are ways to eliminate those risks. Such an investigation is called a data protection impact assessment, or DPIA. Sometimes a DPIA is mandatory and sometimes it is not. Even if it is not mandatory, it can be useful. Check out this overview of when a DPIA is mandatory.
DPIA in healthcare
A DPIA focuses on the privacy risks to the patient/client, not on the risks to the healthcare institution itself, even though the institution also faces risks such as fines and reputational damage.
The DPIA is about what can happen if the patient/client's data is used incorrectly, that is, the possible consequences for the patient/client. Because a lot of medical data is processed in healthcare, those consequences can be significant. A DPIA helps to weigh how big these risks are and whether they can be reduced, for example by anonymizing the data or storing it for only a very short period of time.
Healthcare is a sector subject to additional rules from laws and regulations. Think, for example, of medical confidentiality. The sensitivity of the data also means that extra attention is required when using suppliers who process the data outside the European Union.
1. Conduct the DPIA before you decide to process the data
You can think of a DPIA as a tool for making the decision to process data. Therefore, start the DPIA as early as possible, ideally while the plans or project in which your healthcare institution will process the data are still being drawn up.
2. Use the DPIA recommendation in Privacy Nexus
This allows you to determine for which existing processing operations a DPIA is recommended. You can then tie each DPIA to the specific processing operation, so you can demonstrate that you have conducted a DPIA for all of your high-risk processing.
3. Use a standardized questionnaire for conducting DPIAs
In this way, you can save time and ensure a certain quality of information. The format in Privacy Nexus uses closed questions whenever possible, limits the use of legal terminology and "takes you by the hand" throughout the process.
4. Ask the Data Protection Officer (DPO) for advice
If your organization has a DPO, they should advise on the DPIA. Also make sure that this advice is documented. In Privacy Nexus, as the DPO, you can use the DPO review functionality to review the DPIA and approve or reject it.
5. Make use of existing information
Many other healthcare organizations will carry out similar processing activities; the processing operations of one mental health/health care home will probably not differ much from those of another. See what public information is available. Industry organizations such as NFU, NVZ and the Dutch mental health industry may offer templates or DPIAs conducted for the industry as a whole. See, for example, the advisory document from the health and safety houses. Templates are also available in Privacy Nexus. Finally, consider sharing or publishing your own DPIAs as well; that way you help others.