When organizations process or have processed personal data, they must investigate whether that processing leads to risks for patients or clients, and whether there are ways to eliminate those risks. Such an investigation is called a data protection impact assessment, or DPIA. Sometimes a DPIA is mandatory and sometimes it is not. Even if it is not mandatory, it can be useful. Check out this overview of when a DPIA is mandatory.
A DPIA focuses on the privacy risks to the patient/client rather than the risks faced by the healthcare institution.
The healthcare institution also faces risks such as fines and reputational damage. The DPIA is all about what can happen if the patient/client's data is misused. So the possible consequences for the patient/client. Because a lot of medical data is processed in healthcare, the consequences can be significant. A DPIA helps to consider how big these risks are and whether the risks can be made smaller. For example, by making data anonymous or storing it for a very short period of time.
Healthcare is a sector to which extra rules and regulations apply. Think, for example, of medical confidentiality. The sensitivity of the data also means that extra attention is needed if suppliers are used who process the data outside the European Union.
You can view a DPIA as an aid to making a decision to process data. Therefore, start the DPIA as early as possible. If possible, as early as when making the plans or project in which your healthcare facility will process data.
So you can determine for which existing processing operations it is recommended to conduct a DPIA. And then link the DPIA to the specific processing so you can demonstrate that you have conducted a DPIA for all of your high-risk processing.
This way you can save time and ensure a certain quality of information. The format in Privacy Nexus uses closed questions whenever possible, limits the use of legal terminology and "takes you by the hand" throughout the process.
If your organization has an FG, he/she should advise on the DPIA. Also make sure this advice is documented. In Privacy Nexus, as an FG, you can use the FG review functionality that allows you to review the DPIA and approve or reject it.
Many other healthcare organizations will do similar processing activities. The processing operations of one mental health/health care home will probably not be much different from another. Look at what is available in terms of public information. Industry organizations such as NFU, NVZ and the Dutch mental health industry may offer templates or DPIAs conducted for the industry. See, for example, the advisory document from the health and safety houses. Templates are also available in Privacy Nexus. Finally, consider sharing or publishing your DPIAs as well. By doing so, you will help others.