The one who is a physician and want to appoint a DPO

Private practitioners are responsible for a multitude of personal data: information recorded in patient records, collected for appointment scheduling, exchanged with colleagues, providers and employees... Healthcare digitalization is growing fast, it becomes particularly vulnerable to cybercriminals, technical failures and human error. What can you do to protect yourself against these risks?

HEALTH DATA FACING MAJOR RISKS

2021 had been marked by several cyberattacks on hospitals and the leakage of medical information of 500,000 patients from about 30 analysis laboratories (France). In 2022, healthcare data is still at risk, as evidenced by the recent massive data leak from the French health insurance company, Assurance Maladie. Attackers stole the personal information of 510,000 insured people by forcing access to the Amelipro accounts of some 20 healthcare professionals.

Generally uninformed and unprotected, private physicians are not immune to the risks of data leakage. The two most common breaches are failure to secure data and unauthorized copying.

Since the medical information they process is personal data, relating to identified or identifiable natural persons, private physicians must comply with the GDPR. If they are negligent, the consequences are severe:

• Administrative fine from the CNIL of up to 4% of the turnover

• Judicial penalty ("The fact, including by negligence, of processing or having processed personal data without the prior formalities for their implementation provided for by law having been respected is punishable by five years' imprisonment and a fine of 300,000 euros"1 )

• Disciplinary sanction pronounced by the French National Council of Physicians

• Tarnished reputation

• Risk of patients filing a class action

THE DPO, AN ALLY OF CHOICE FOR SECURING YOUR DATA

To best comply with the RGPD, it is advisable to be accompanied by a DPO (Data Protection Officer).

First, the DPO can help you fight against the risks of cyber-attacks. Aware of the precautions to be taken, he or she can advise you on data security tools and techniques. It is important to know that a physician who is the victim of a cyber-attack and who does not have a DPO will have less chances to obtain a favorable verdict, because the judge may consider that he had not implemented all the "appropriate technical and organizational measures in order to guarantee a level of security adapted to the risk"2 .

Secondly, the DPO can establish a more balanced balance of power between data controllers (healthcare professionals) and their subcontractors (data processors). It is hard to imagine an isolated healthcare professional imposing his will on his software publisher or his online diary company. On the other hand, supported by a DPO who examines and validates contracts, his voice will carry more weight.

Finally, the DPO can conduct a privacy impact assessment. In principle, this is required when dealing with sensitive data (such as health data) concerning vulnerable individuals (such as patients). A healthcare professional who chooses not to have a DPO and not to conduct a risk analysis will have to build a solid argument to justify his decision. Moreover, in case of a problem (security breach, patient complaint...), judges will be much less understanding. It is therefore much simpler and more reassuring to be advised by a DPO, who will also look after your own personal data as a professional.

Faced with the increased risk of data leakage, the DPO is the healthcare professional's ally!

1Art. 226-16 of the French Penal Code

2Art. 32 of GDPR