Data protection rules

Data protection rules for research data and hospital data: compliance with GDPR and DSGVO

For compliance with GDPR (General Data Protection Regulation)/DSGVO (Datenschutz-Grundverordnung) in Germany, the approach to data protection in research and healthcare settings must be adjusted to align with the specific legal and regulatory frameworks of the European Union and Germany. These regulations set forth strict guidelines for the handling of personal data to ensure the privacy and protection of individuals while still enabling the effective use of data for research and healthcare purposes. Here's how the key principles and practices adapt within the German context, along with references to relevant German authorities and regulations:

Key principles:

• Robust access controls: ensure that only authorized personnel can access patient and research data, safeguarding confidentiality and data integrity. This involves implementing strong authentication and authorization mechanisms.
• Data encryption: personal data should be encrypted both during transfer and at rest to protect against unauthorized access and data breaches.
• Regular system updates: systems must be regularly updated to mitigate security vulnerabilities, with a particular focus on healthcare and research IT infrastructures.
• Data pseudonymization/anonymization: employ pseudonymization or anonymization techniques to reduce the risk of re-identification of individuals, especially in research datasets.
• Clear data protection policies: develop and maintain comprehensive data protection policies tailored to the specific requirements of the GDPR and DSGVO across the organization.
• Staff training: conduct regular training sessions for staff to ensure they are informed about data protection laws, obligations, and best practices.

Transparency and informed consent

• Organizations must be transparent with patients regarding how their data is used and must obtain explicit consent for specific processing activities in line with GDPR and DSGVO stipulations.

Managing data breaches

• Develop and implement effective security measures and incident response plans to address potential data breaches promptly.

Rights of patients under GDPR/DSGVO

• Patients in the EU and specifically in Germany have rights, including access, rectification, erasure, and restriction of processing of their personal data.

Data processing and sharing

• A lawful basis for processing data must be clearly established, with consent and necessity for the performance of a contract being primary considerations in healthcare.

Guidance and further information

• Bundesdatenschutzgesetz  (BDSG): The updated German Federal Data Protection Act aligns with GDPR requirements and provides specific rules for data protection in Germany.
• Bundesamt für Sicherheit in der Informationstechnik (BSI): Offers guidelines and resources for securing IT systems that are relevant for healthcare and research data protection.
• Datenschutzkonferenz (DSK): The conference of independent German federal and state data protection supervisory authorities provides guidelines and recommendations for GDPR and DSGVO compliance.
• Gesellschaft für Datenschutz und Datensicherheit (GDD): Provides resources, training, and guidance for organizations on implementing GDPR and DSGVO compliance strategies.

By adhering to these principles and utilizing resources from authoritative bodies, organizations in the research and healthcare sectors can ensure compliance with GDPR and DSGVO, thus safeguarding personal data against unauthorized access and breaches while maintaining the integrity and confidentiality of the data they handle.