Today's Practice | Feb 2017

Think Twice Before Oversharing

New EU regulations on data protection are coming.

Social media are ever-present in our daily lives. We tweet, post, and blog, and we retweet, like, and respond to an exorbitant amount of material. Sometimes we do so without taking a second to think about the nature of our posts—and, sometimes, the lines between personal and professional become blurry.

Take, for instance, the following three scenarios.

Scenario No. 1

After examining the cutest baby in the neonatal intensive care unit for a retinopathy of prematurity screening, a retinal physician in Italy posts a picture of the child on her Facebook wall with no mention of the patient’s name.

Scenario No. 2

While visiting a practice in the United Kingdom to observe laser-assisted cataract surgery cases, a cataract surgeon from Germany snaps a selfie in the operating room and posts it on Instagram, not realizing that the patient’s information is visible on the computer screen in the background.

Scenario No. 3

A nurse working in a Spanish hospital who helped save the eye of an alleged rapist blogs about the experience, using caution not to mention her employer, the patient, or the victim by name.

These three seemingly innocent scenarios are not so innocent. They are all intrusions on patient privacy that, in fact, can lead to serious repercussions, including the fining or firing of the health care professionals involved, regardless of where those persons live. Patient privacy laws of some type are in effect in every country. In the European Union (EU), the Directive on Data Protection (DDP) prohibits disclosure of any personal details, including health care data, to any foreign entities not meeting the EU’s data safeguard guidelines.[1]

But, since the DDP was adopted in 1998, many changes have been made to privacy acts, and many more are coming. The EU’s General Data Protection Regulation (GDPR), adopted in April 2016, will go into effect in May 2018 and replace the DDP. This new regulation is an attempt by the European Parliament, the Council of the European Union, and the European Commission to strengthen and unify data protection for individuals within the EU and to address the exporting of personal data outside the EU. Once this regulation is in effect, data protection regulations will be the same throughout the EU, and fines for noncompliance will increase by up to 5%.[3]

Under the GDPR, four basic sanctions can be imposed if an individual is found guilty of noncompliance:[4]

•A written warning for first-time offenders and unintentional noncompliance;
•Regular periodic data protection audits;
•A fine of up to €10 million or up to 2% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater; and
•A fine of up to €20 million or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater.

What personal data is protected under the GDPR? According to the European Commission, “personal data is any information relating to an individual, whether it relates to his or her private, professional, or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”[5]

In today’s digital age, one in which oversharing on social media is so commonplace, health care professionals need to be especially careful to uphold patient privacy. In the accompanying article, Michael Sopher, the president and cofounder of Rendia, shares some do’s and don’ts that health care professionals should keep in mind when participating in social media.

1. Guiliano S. Beyond HIPAA: International health data protection. Atlantic Net. May 5, 2014. www.atlantic.net/blog/beyond-hipaa-international-health-data-protection/. Accessed January 31, 2017.

2. Commission proposes reform of data protection rules to increase users’ control of their data and to cut costs for businesses [press release]. European Commission. January 25, 2012. http://europa.eu/rapid/press-release_IP-12-46_en.htm?locale=en. Accessed January 31, 2017.

3. Albrecht JP. Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). October 22, 2013. http://www.janalbrecht.eu/fileadmin/material/Dokumente/DPR-Regulation-inofficial-consolidated-LIBE.pdf. Accessed January 31, 2017.

4. [no authors listed] Regulation (EU) 2016/679 of the European Parliament and of the Council. Journal of the European Union. April 27, 2016. http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679#d1e6226-1-1. Accessed January 31, 2017.

5. Interinstitutional File: 2012/0011 (COD). Council of the European Union. June 11, 2015. http://data.consilium.europa.eu/doc/document/ST-9565-2015-INIT/en/pdf. Accessed January 31, 2017.
