Important - Medical Data is considered a ‘Special Category’ under the GDPR
There is a physio across the road from our office, his name is John. He is excellent. He has fixed my back problems and I have recommended him to family and friends. John is a young guy, and technology savvy. He uses an Electronic Medical Record (EMR) system called Cliniko (www.cliniko.com). Cliniko is loved by thousands of healthcare practitioners worldwide. It's particularly popular with Osteopaths, Chiropractors, Physiotherapists, Podiatrists, Psychologists, Naturopaths and Massage Therapists.
This is a smart move by John: by using the technology he can focus on helping his patients, while Cliniko helps him run his practice. John is the controller of the data and Cliniko is the processor. As this is medical data, under the GDPR it is "data concerning health", a special category of data.
Article 9 – Processing Special Categories of personal data
John is OK to use Cliniko to process the medical data because he is only doing this for his patients and it is in the course of the controller's "legitimate activities". It might be best practice for Cliniko to have a double opt-in, where Cliniko emails any customer that John adds and ensures that they have the data subject's consent.
What does John (the Controller) need to do?
The controller needs to interrogate Cliniko to see if they are GDPR ready. Namely:
- Where is the data stored? Cliniko is in Australia (a third country), so this presents a challenge. It might require specific consent from the data subjects for this.
- What is Cliniko’s policy around data security?
- As Cliniko does not appear to have an EU entity, who is its GDPR EU Representative?
- If John gets a Subject Access Request (SAR) from a patient, can Cliniko output this information quickly and efficiently?
- Does Cliniko have a Data Protection Officer (DPO)?
Does Cliniko need a DPO?
The GDPR states (Article 37) that a DPO needs to be designated when a controller or processor is dealing with medical data on a "large scale".
- John might have 100+ customers. Is this considered large scale? Probably not.
- Cliniko has over 20,000 customers. Is this considered large scale? In my view – Yes.
To the best of my knowledge, the EDPB has not given any guidance here, but Cliniko would be wise to get a DPO soon.
So what next?
John is the controller and is accountable, but I don't think it's fair to make this his problem to solve. The onus should be on Cliniko, as the processor of the data, to ensure that they have addressed the above concerns. Processors like Cliniko need to be proactive here and give controllers like John the right information. This should all be in place well before the May 25th deadline. For many EMR companies – much work needs to be done.