How can you video record patients in compliance with the GDPR? Where should you store the recordings? Which platform should you use to record and store them? How should you use it to ensure GDPR compliance? Let us answer all these questions while talking about Videolab, our GDPR-compliant patient video recording and sharing platform.
What is the GDPR?
GDPR stands for the General Data Protection Regulation. It is a European Union (EU) law that regulates the handling of personal data of EU citizens. It gives individuals greater control over their personal data and sets strict rules for businesses on how to handle and protect it. The GDPR aims to protect individuals’ privacy and data protection rights. When it comes to patients, the GDPR regulates the handling of medical patients’ personal data, including their health records and other sensitive personal information. In order to share videos that contain patient information, a GDPR-compliant healthcare video sharing platform is essential. Let us go over some of the key definitions and the data protection principles of the GDPR, also covered in this blog about GDPR compliance in software development.
What are key definitions to understand the GDPR?
The main legal terms specified in the GDPR are:
- Personal data: Any information that relates to an individual who can be directly or indirectly identified. Examples are names and email addresses, but also ethnicity, gender, biometric data, etc. Pseudonymous data can also fall under this definition if it is relatively easy to identify someone based on it.
- Data processing: Any action performed on data, whether automated or manual.
- Data subject: The person whose data is processed.
- Data controller: The person who decides why and how personal data will be processed.
- Data processor: A third party that processes personal data on behalf of a data controller.
What are the Data Protection Principles of the GDPR?
GDPR compliance means that one needs to follow the following data protection principles when processing data:
- Lawfulness, fairness and transparency: Processing must be lawful, fair and transparent to the data subject.
- Purpose limitation: Data may only be processed for the purpose that was explicitly specified to the data subject when the data was collected.
- Data minimization: You should only collect the strictly necessary data for the purpose specified.
- Accuracy: Personal data must be kept accurate and updated.
- Storage limitation: Personally identifying data should only be stored as long as necessary for the specified purpose.
- Integrity and confidentiality: Processing must be done in a way that ensures security, integrity and confidentiality.
- Accountability: The data controller is responsible for demonstrating GDPR compliance with all these principles.
How do you ensure you video record patients in compliance with GDPR?
GDPR compliance means that organizations handling the personal data of individuals in the EU and EEA must protect that data and respect the individual rights granted by the GDPR. In other words, organizations need to comply with the principles stated above. To do so, they must follow these rules:
- Obtain explicit, freely given, and informed consent from individuals before collecting, using, or processing their personal data.
- Only collect personal data that is necessary for the specific purpose for which it is being processed.
- Protect personal data with appropriate technical and organizational measures.
- Allow individuals to access, rectify, erase, restrict, or object to the processing of their personal data.
- Allow individuals to withdraw their consent or exercise their right to data portability at any time.
- Report any data breaches to the relevant authorities within 72 hours.
- Appoint a data protection officer (DPO) if the organization is a public authority, engages in large-scale processing of special categories of data, or carries out large-scale monitoring of individuals.
- Keep detailed records of data processing activities.
Thus, respecting the rules above is essential to ensure GDPR compliance when you video record patients.
How does the GDPR apply to patient video recording?
Patient videos contain sensitive data, so their handling needs to comply with the GDPR. For example, this could be a video in which a patient consultation is recorded for educational purposes. In this case, maintaining the privacy and security of the video is very important, as it contains sensitive patient information, and complying with the GDPR helps with this. Therefore, we’ll use this example to show how each of the GDPR rules applies.
Obtain explicit, freely given, and informed consent from patients before collecting, using, or processing their personal data
This means asking the patient for permission to record and informing them of the intended use and recipients of the recording. Consent, which can be given on paper or in video form, must be obtained before the recording begins.
Collect only the personal data that is necessary for the specific purpose for which it is being processed
In the example of recording a consultation to demonstrate communication with patients, do not record the portions of the consultation where no communication is taking place, and do not include personal information such as the patient’s name or other personal identifiers.
Protect personal data with appropriate technical and organizational measures
“Appropriate technical measures” refers to using a system that follows the principles stated in Article 32 of the GDPR. To fulfill this rule, record patients using secure software such as the Videolab Recorder, and store the patient recordings in a system like Videolab to ensure the proper technical measures are in place.
Organizational measures mean informing the individuals within your organization about the GDPR, for example through training on its principles and how to apply them. With this, you facilitate compliance and train your staff to follow best practices when it comes to data privacy and security.
Allow individuals to access, rectify, erase, restrict, or object to the processing of their personal data
This means that patients can access the video, restrict its use, trim it and modify the information connected to it.
Allow individuals to withdraw their consent or exercise their right to data portability at any time
In our example, you must delete the recordings or stop using them for their purpose if the patient asks you to. The recordings then need to be deleted by everyone who had received access. Moreover, in this case, data portability means that patients have the right to obtain and reuse the recording for their own purposes.
Report any data breaches to the relevant authorities within 72 hours
This means that you have 72 hours to inform patients and the authorities about a data breach. This applies in particular when you know that the data breach involved the patient’s recording.
Appoint a data protection officer (DPO) if the organization is a public authority, engages in large-scale processing of special categories of data, or carries out large-scale monitoring of individuals
This means appointing someone in the hospital or university that uses the patient video recordings as the person responsible for GDPR compliance.
Keep detailed records of data processing activities
In this case, this means keeping detailed information on how the recording is used for educational purposes.
Hopefully this illustrates how the GDPR principles apply in a healthcare setting. Nevertheless, seeking advice on how the legislation applies to your particular setting is a good idea.
Moreover, when you video record patient consultations, compliance requires that you store these videos in a secure and privacy-aware system. It is also of great use if this system provides a secure way to share the video with other members of your organization. Let me introduce you to Videolab.
Videolab – a GDPR-compliant platform for your patient video recordings
Videolab is a GDPR-compliant healthcare video sharing platform that follows the relevant technical standards; we explain why in the next section. The system was built to facilitate GDPR compliance, specifically for the use case of patient video recording. The Videolab Recorder app enables safe recording of patients, and the Videolab system allows safe storage and sharing of those recordings.
Nevertheless, using the platform does not automatically make you GDPR compliant. To comply with the GDPR, your organization needs to fulfill all the principles listed above and use Videolab accordingly. Thus, using Videolab does not guarantee GDPR compliance but rather facilitates it.
Let us go over the GDPR compliance checklist for Videolab. In this section we explain how Videolab follows the technical standards required for GDPR compliance and how your organization should use it to ensure compliance.
Videolab GDPR compliance checklist
Controller and processor
The institution that deploys Videolab has the role of data controller and Codific has the role of data processor.
Lawfulness, fairness and transparency
To ensure lawfulness, fairness and transparency in the use of patient recordings, we have implemented the appropriate security measures you can see here.
Nevertheless, the patient must give consent (which can be in video form) to the data controller before the recording is processed. Make sure to check this blog post to understand what giving consent means. The patient needs to give consent before and after the recording has started.
Finally, Videolab only processes video/audio recordings that contain identifiable information on the patient; it does not process personal identifiers in metadata.
Purpose limitation
The controller defines the purposes for which they want to video record patients. Usually, recordings are processed for the evaluation and/or training of physicians in training. To ensure GDPR compliance, the data controller must only process recordings for the specific purpose they stated. These purposes are stated in the Data Protection Impact Assessment (DPIA) and in the Data Processing Agreement (between the data controller and the data processor).
Data minimization
Audio/video recordings solely contain identifiable patient data, so data minimization occurs by definition. To ensure compliance, controllers must only record patients when needed, and must not write personal identifiers in the metadata.
Storage limitation and data hosting
The Data Protection Officer defines a fixed period of time after which the data is automatically destroyed. This setting is usually determined by the training period (e.g. 12 months). Moreover, there is a single encrypted backup of the patient video recordings, which is destroyed as well.
All the data is stored and encrypted within the EU. As the processor, Codific uses state-of-the-art encryption and an advanced encryption key management system. Master-key access to the system follows a “two-man rule”, so that rare break-glass procedures remain possible.
Integrity and confidentiality (Security)
Guaranteeing data integrity and confidentiality on a technical level is Codific’s job; as privacy by design experts, it is our bread and butter. The only things you need to worry about are keeping good password hygiene, enforcing multi-factor authentication in your organization and never sharing accounts.
Legally, the patient always remains the owner of their data, but in Videolab we treat the doctor who made the patient video recording as the owner. This means the doctor is responsible for managing the rights of the data subject: for example, they must ensure that there is adequate informed consent and must delete the video upon request.
There is always a data processing agreement that specifies all the relevant details. We have this template ready to go.
Privacy by design and by default
Privacy by design architecture is the core expertise of Codific; you can read more about how we do this here, here and here. Following this design architecture is required to comply with Article 25 of the GDPR.
Data protection impact assessment
The organization, typically the Data Protection Officer and their team, must conduct a Data Protection Impact Assessment. Codific provides all the technical information that goes into this analysis.
Data protection officer
Codific collaborates closely with the data protection officer (DPO) appointed by the controller.
Codific is ISO 27001 certified, but we set the bar much higher for ourselves using OWASP SAMM.
With the checklist above you can see how Videolab operates as a GDPR-compliant video sharing platform. Nevertheless, it is important that your organization follows the correct measures when using this application to ensure GDPR compliance. This is especially the case when video recording patients, as this requires additional data privacy and security awareness.
What else do we build with GDPR in mind?
Codific is a team of security software engineers that leverage privacy by design principles to build secure cloud solutions. We build applications in different verticals such as HR-tech, Ed-Tech and Med-Tech. Secure collaboration and secure sharing are at the core of our solutions.
SARA is used by top HR-Consultants to deliver team assessments, psychometric tests, 360 degree feedback, cultural analysis and other analytical HR tools.
SAMMY is a Software Assurance Maturity Model management tool. It enables companies to formulate and implement a security assurance program tuned to the risks they are facing. That way, other companies can help us build a simple and safe digital future. Naturally, our own AppSec program and SAMMY itself are built on top of it.
We believe in collaboration and open innovation, and we would love to hear about your projects and see how we can contribute to developing secure software and privacy by design architecture. Contact us.