Telemedicine: The role of data protection laws
April 09, 2024
Patient data, including health data and, where relevant, genetic information such as chromosomal, DNA or RNA analysis, is essential for the delivery of healthcare in both traditional and telemedicine settings. Less obvious information can also be personal data in the right context, such as appointment details at a specialist eye hospital, invoices for physiotherapy sessions, or an NHS number.

Given that the delivery of telehealth services generally involves the handling of personal data, in Europe such processing must align with the provisions of the General Data Protection Regulation (GDPR), supplemented by local rules and supervisory authority guidance. Depending on the specific nature of the telehealth service, the Privacy and Electronic Communications Directive (2002/58/EC) may also come into play, regulating the use of electronic communications services in this context.

On data security obligations, there is a pan-European initiative, the Code of Practice for Telehealth Services in Europe, introduced to establish a benchmark standard against which telehealth service providers can seek accreditation. It operates at EU level and aims to enhance the security and quality of telehealth services. In addition, the EU-wide NIS2 Directive has been implemented, imposing more stringent cybersecurity requirements across critical sectors essential to the economy and society, particularly those heavily reliant on ICT, such as healthcare. Under this directive, operators of essential services in these sectors are obliged to take appropriate security measures and report significant incidents to the relevant national authorities.
In the UK, this processing of patient personal data is regulated by the UK GDPR and the Data Protection Act 2018 (together, Data Protection Law), with the relevant NHS Trust, private company or institution delivering healthcare, undertaking trials or conducting research responsible for compliance. Data Protection Law has an extensive remit, applying from data collection until destruction. The sector is subject to close scrutiny from the Data Protection Law regulator, the Information Commissioner’s Office (ICO), which sees the use of health data as high risk given the sensitive and very private nature of the information processed and the significant potential for harm to individuals (such as discriminatory treatment) if their data is misused or subject to a breach incident. In real-world terms, there is also arguably a higher likelihood of patient complaints and claims as a result. Data Protection Law considerations become even more crucial when telemedicine solutions are digitalised, for example where care is delivered in-app (with or without AI technologies) or via online platforms, especially where these are operated by third parties. As we reported in our 2021 publication, Shaping the Future of Digitalization, based on our survey1:
Telemedicine will also involve the additional collection of data relating to the online interaction between provider and patient, much of which is increasingly likely to be viewed by regulators as personal data. Even where details collected online are not ‘personal’, additional privacy law obligations, in the UK also overseen by the ICO, will normally apply. Failure to mitigate Data Protection Law risks can have serious consequences, including enforcement action from the ICO such as orders to stop processing data (grinding businesses to a halt), regulatory audit, and the much-hyped fining power of the higher of £17M or 4% of global annual turnover. All regulatory action is published by the ICO, and this can have significant reputational impact. Privacy breaches attract additional risks.

For healthcare providers, their strategic partners, and other companies providing telemedicine services, developing and maintaining a clear Data Protection Law and privacy governance strategy, embedded in the build process from product inception to roll-out, helps ensure a solid foundation for lawful care delivery. This is also where legal and regulatory obligations interface with the ethical and responsible development of technology. It is important to stress that Data Protection Law and privacy issues should not be seen as a barrier to telemedicine and development in the sector: good compliance and accountability frameworks allow healthcare providers and those working with them to use the data they have in the ways they want to, including for research and development, provided that the right compliance strategy is adopted and applied following consideration at an early stage. Retrofitting compliance is always challenging, less effective and more costly.