GDPR Manual for NMOs

MANUAL ON GDPR IMPLEMENTATION
Imprint

Executive Board: Batool Al-Wahdani, Nebojša Nikolic, Ahmed Taha, Ivan Fabrizzio Canaval Diaz, Georg Schwarzl, Marian Sedlak, José Chen

Small Working Group: Daniel Jaffal, Konstantinos Theocharis, Marie-Claire Wangari, Michał Chołubek, Poorvaprabha Patil

Layout Design: Akshay Raut

Publisher: International Federation of Medical Students’ Associations (IFMSA)

International Secretariat: c/o IMCC, Norre Allé 14, 2200 Kobenhavn N., Denmark
Email: gs@ifmsa.org Homepage: www.ifmsa.org
Contact Us: vpprc@ifmsa.org

IFMSA

The International Federation of Medical Students’ Associations (IFMSA) is a nonprofit, non-governmental organization representing associations of medical students worldwide. IFMSA was founded in 1951 and currently maintains 136 National Member Organizations from 126 countries across six continents, representing a network of 1.3 million medical students. IFMSA envisions a world in which medical students unite for global health and are equipped with the knowledge, skills and values to take on health leadership roles locally and globally, so to shape a sustainable and healthy future. IFMSA is recognized as a non-governmental organization within the United Nations’ system and the World Health Organization; and works in collaboration with the World Medical Association.

This is an IFMSA Publication

© 2019 - Only portions of this publication may be reproduced for non political and non profit purposes, provided mentioning the source.

Disclaimer
This publication contains the collective views of different contributors; the opinions expressed in this publication are those of the authors and do not necessarily reflect the position of IFMSA. The mention of specific companies or of certain manufacturers’ products does not imply that they are endorsed or recommended by the IFMSA in preference to others of a similar nature that are not mentioned.

Notice
All reasonable precautions have been taken by the IFMSA to verify the information contained in this publication. However, the published material is being distributed without warranty of any kind, either expressed or implied. The responsibility for the interpretation and use of the material herein lies with the reader. Some of the photos and graphics used in this publication are the property of their respective authors. We have taken every consideration not to violate their rights.


Contents

Why
What (Definition of Terms)
How
What If
Tips and Tricks

Based on the General Data Protection Regulation
Revised by DLA Piper


Why

Personal data today is, in a way, the currency of the web. Almost any organisation today holds enormous amounts of customer data, employee data, data on prospects and other personally identifiable information (PII), stored for various purposes. The challenge is that as data has soared in value we have seen a parallel rise in attacks and threats designed to steal data. The General Data Protection Regulation (“GDPR”) regulates how personal data is used by organisations in this modern landscape. It places some controls on how personal data is collected, used and shared by organisations in order to protect the rights and freedoms of the individuals behind the data. GDPR has had a big impact on organisations: it places an obligation of accountability on those that process data, as well as cultivating a practice of transparency about how personal data is used. It also updates the concept of consent and states that any consent captured by an organisation must be freely given, specific for a named purpose and clear.

Example 1
A healthcare provider that provides a liposuction procedure cannot pass patient data on to a gym that wants to attract that person to become a member and sees a correlation between a person wanting that liposuction procedure and seeking to get fit.

Example 2
Sending group emails: when consent has not been obtained to share their email addresses, make sure the emails are in BCC and not in the recipient field, so that the email addresses are not shared with all the recipients against their will.

5


What / Definition of Terms

1. Personal Data
Means any information relating to an identified or identifiable natural person.

2. Data Subject
The person to whom the personal data relates.

3. Processing
Means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

4. Profiling
Means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

5. Third Party
Means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

6. Consent
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes.

7. International Organisation
Means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.

8. Cybercrime
It is defined as a crime in which a computer is the object of the crime (hacking, phishing, spamming) or is used as a tool to commit an offense.

9. Right of Access
It entitles the data subjects to have access to information about the personal data being processed by the data controller.

10. Pseudonymisation
The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

References: No. 1 - 6: DLA Piper GDPR Android App; No. 8 - 9: https://www.ucl.ac.uk/legal-services/gdpr-glossary-terms-and-definitions
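The pseudonymisation definition above (and the “member number” suggestion in the Tips and Tricks section) is easier to apply with a concrete split of the data in front of you. The following Python example is added here and is not part of the IFMSA manual: it takes a constructed member list, replaces the directly identifying fields with a random member number, and hands back two artefacts that must be stored separately: the working file the team uses, and the lookup table that is the “additional information” of the definition. The field names, the member records and the member-number format are all assumptions of this example.

```python
import secrets

# Fields that directly identify a person; they must not appear in the working file.
DIRECT_IDENTIFIERS = ("name", "email")

# Constructed sample member list (not real people).
MEMBERS = [
    {"name": "Alice Example", "email": "alice@example.org", "programme": "SCOPE", "year": 3},
    {"name": "Bob Sample", "email": "bob@example.org", "programme": "SCORE", "year": 5},
    {"name": "Carla Muster", "email": "carla@example.org", "programme": "SCOPE", "year": 2},
]


def new_member_number(in_use):
    """Random member number (not sequential, so it does not leak join order)."""
    while True:
        number = "M-" + secrets.token_hex(4).upper()
        if number not in in_use:
            return number


def pseudonymise(records):
    """Split records into a working file and a separately held lookup table.

    The working file carries the programme data plus a member number and can be
    shared with the team that needs it. The lookup table (member number ->
    identifiers) is the "additional information" of the GDPR definition: keep it
    in a different, access-restricted location from the working file.
    """
    working_file = []
    lookup_table = {}
    for record in records:
        number = new_member_number(lookup_table)
        lookup_table[number] = {k: record[k] for k in DIRECT_IDENTIFIERS}
        entry = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        entry["member_number"] = number
        working_file.append(entry)
    return working_file, lookup_table


def contains_direct_identifiers(working_file):
    """Check to run before a working file leaves the restricted store."""
    return any(k in entry for entry in working_file for k in DIRECT_IDENTIFIERS)


def reidentify(entry, lookup_table):
    """Re-attach the identifiers. Without the separately held table this raises
    KeyError: the working file alone cannot be attributed to a person."""
    identifiers = lookup_table[entry["member_number"]]
    data = {k: v for k, v in entry.items() if k != "member_number"}
    return {**identifiers, **data}


def find_member_number(email, lookup_table):
    """Resolve a rights request (sent from the subject's e-mail address) to the
    member number used in every working file, so all their data can be located."""
    wanted = email.strip().lower()
    for number, identifiers in lookup_table.items():
        if identifiers["email"].lower() == wanted:
            return number
    return None


if __name__ == "__main__":
    working, table = pseudonymise(MEMBERS)
    print("working file:", working)
    print("direct identifiers present:", contains_direct_identifiers(working))
    number = find_member_number("bob@example.org", table)
    print("Bob's member number:", number, "->", reidentify(working[1], table))
```

The point of the split is that whoever holds only the working file cannot name anyone in it, while the person responsible for data protection, who holds the lookup table, can still answer an access or erasure request by resolving the requester's e-mail address to a member number and searching every working file for it.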


How

1. Processing data lawfully

The GDPR sets out 6 ‘lawful bases’ on which personal data can be processed. Whenever you use personal data you should ensure it is for a specific purpose and it is justified under one of the lawful bases. It is important that you consider which lawful basis you are relying on and record this before undertaking the activity.

• Consent;
• Necessity (for performance of a contract);
• Necessity (to comply with a legal obligation);
• Necessity (to protect the vital interests of the data subject or another person);
• Necessity (for a task carried out in the public interest);
• Necessity (in order to achieve something which is in the organisation’s legitimate interests).

Where you rely on consent of the data subject you need to make sure the consent wording is clear enough so that the individual knows who is gathering the data (You/Your NMO), and what they are specifically consenting to. The GDPR requires all consent to be freely given, specific and informed.

2. Special Category Data The GDPR recognises that some personal data is more sensitive than others and that the loss of this data could cause significant harm. This data includes data relating to health, biometric data, data relating to ethnicity, political opinions, or sexuality. You should only collect this special category data when absolutely necessary, and only use it in accordance with the additional rules about processing special category data under the GDPR.


3. Transparency

Where you are responsible for processing data, the GDPR requires that you are transparent about that use. You must provide the following information at the same time as when you acquire the data:

1. The purposes of the processing;
2. The categories of personal data concerned;
3. The recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
4. Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
5. The existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject, or to object to such processing;
6. The right to lodge a complaint with a supervisory authority;
7. Where the personal data are not collected from the data subject, any available information as to their source;
8. The existence of automated decision-making, including profiling, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.

A good way to ensure this is by adding a disclaimer at the beginning of a form or before a person provides you with their personal data. The disclaimer could include: the reason for collecting the data, who will have access, and a hyperlink to your document on personal data protection and code of conduct (which includes all the other required information). Moreover, and more importantly, access to the Privacy Policy should be provided every time collection of personal data takes place.

4. Data Subject Rights

Data subjects also have a number of other rights under the GDPR. These include:

• the right to request a copy of the personal data undergoing processing;
• the right to have incorrect data corrected;
• the right to request that their personal data is deleted.

You should make sure you are able to recognise when a data subject makes a request and have a procedure in place for handling such requests. You should respond to data subject requests as soon as possible and within one month of receiving the request. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form. The right to obtain a copy referred to in the paragraph above shall not adversely affect the rights and freedoms of others.

The data subject has the right to request the erasure of personal data concerning them without undue delay, and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
2. the data subject withdraws consent on which the processing is based and there is no other lawful basis for the processing;
3. the data subject has exercised their right to object to processing activities (where the lawful basis is the NMO’s legitimate interests or the public interest) and there are no overriding legitimate grounds for the processing; or the data subject has objected to the use of their data for direct marketing purposes;
4. the personal data have been unlawfully processed;
5. the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.

5. Security

You need to ensure the security of the data that you have: it needs to be securely stored, shared, and processed. The GDPR says that you should have appropriate technical and organisational measures in place to protect the personal data you are responsible for. For example, you need to make sure it is stored in a dedicated and secure database, and that if you are sharing it with parties that have the right to receive it, this is done through secure channels.

6. Data transferring

Any transfer of personal data to a third country or to an international organisation outside of the European Economic Area shall take place only if the transfer is compliant with the GDPR; this includes onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. There are some territories which the Commission has decided have an adequate level of protection (for example, transfers to New Zealand, Japan, Canada, Switzerland, Argentina, and Israel). Such a transfer shall not require any specific authorisation. Where the third country has not been recognised as having an adequate level of protection, you may transfer personal data to a third country or an international organisation only if you have appropriate safeguards in place, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

Important Documents:
• Data Protection Addendum for Partners or for NMOs;
• Standard Contractual Clauses.

7. Data Protection Officer and Code of Conduct for GDPR Compliance

The GDPR allows for the appointment of an official Data Protection Officer to ensure that your whole structure is working in line with the GDPR. For NGOs it is not mandatory to have a Data Protection Officer, but you can of course appoint one if you choose to. If you decide not to appoint an official Data Protection Officer, you should appoint someone who is generally responsible for overseeing the protection of personal data within the NGO. That can be anyone from your TO, and that person will have the job to ensure all your data is secure, all your sharing methods are secure, and all the data that you have is not shared or used for purposes different from what the owners of the data had agreed to. They would also be the ones who need to coordinate the data subject rights requests and to ensure they are handled in time. It will also help if you have a CoC and data protection document that guides how you handle all the above-mentioned processes, to use as a ready explanation whenever asked for it, and to have a guideline to follow to ensure you are always in line.

Examples: Code of Conduct for GDPR Compliance; Privacy Policy


What If

It might happen that your NMO makes a mistake which makes your NMO GDPR-noncompliant. Those can include, among others: failure to delete personal data when requested, gathering unnecessary personal data, using them in other ways than specified during their gathering, leaking / losing control of personal data you’ve gathered, or even simply emailing personal data to the wrong person. Having good procedures in place for dealing with data breaches, handling rights requests or correcting poor data-processing practices will help you to deal with these. Sometimes, where a complaint has been made or a data breach has occurred, the supervisory authority of your country may become involved. A supervisory authority in the European Union has many legal powers and can take one of many actions, which you should be aware of.

The smallest consequences have to do with the so-called corrective powers of the supervising authority. In simplified terms, those are:

- A warning, if your actions could potentially infringe GDPR
- Reprimands, if it already happened
- An order to comply with a data subject’s request regarding their personal data, if you failed to do so in the first place
- An order to comply with GDPR in the way and timeframe the supervisory authority deems appropriate
- An order to inform data subjects if their personal data have been leaked or misused
- To impose a limit or ban on your right to process personal data
- An order to limit or erase personal data of a given subject
- To withdraw a certification (won’t apply to most NMOs, it’s a very specific case).

The supervising authority may decide to impose fines, in addition to or instead of the above-mentioned measures. This is decided on a case-by-case basis based on factors such as:

- The gravity of the mistake is too great
- It was done on purpose
- You didn’t take proper measures to mitigate the damage
- You didn’t take proper preventive measures
- It’s not the first time this problem emerges
- You don’t cooperate with the supervising authority
- Affected personal data are considered sensitive
- You didn’t inform the authority about a severe infringement yourself, but someone else did
- Above-mentioned non-financial measures were taken against you, but you didn’t resolve the problem
- You break the codes of conduct or certification mechanisms (applicable only in specific cases)
- You gained something from the infringement, especially financially.

Whilst a supervisory authority will take into consideration your actions to comply with the law and prevent data loss, mitigate any damage and learn from mistakes (and this may reduce the likelihood of your NMO receiving a fine), it is important to be aware that ultimately the supervisory authority has discretion over whether or not it imposes a fine (and the amount of that fine). The maximum fines imposed on you for noncompliance with GDPR can reach up to 20 000 000 EUR, which would have a crippling effect on any NMO. Whilst it would be highly unusual to see such a high fine where you have taken reasonable steps to comply with the law, it highlights the importance of getting advice, creating logs of when personal data was collected and deleted, and ensuring data is stored safely.

Aside from the fines imposed by the supervising authority, GDPR also gives any person who has suffered material or non-material damage as a result of an infringement of the regulation the right to receive financial compensation for the damages. Last, but not least, GDPR gives EU Member States the right to add additional penalties to their laws based on GDPR. In short, please check your “national version” of GDPR to ensure you’re aware of all the additional consequences you might face in your country!


Tips and Tricks

1. Have a ready disclaimer that you can add to documents and forms and edit to meet your needs whenever you are gathering personal information, and a privacy policy in place, which should include:
• Who the controller of the personal data is
• What specific personal data is being collected
• Special categories of data (if applicable)
• The aim of collection (if not specified before)
• The lawful basis for the processing
• Who the data is shared with
• Whether any data is transferred outside the EEA (and what safeguards are in place to protect it)
• Deletion / Anonymisation date
• The data subject’s rights
• Who to contact with any questions or rights requests

2. All data must have a deletion date. Identify the dates of storage and set a deadline for how long the data is kept. Keep that data in a separate folder with the deadline stated in the name, and erase it when the deadline comes.

3. Sending group emails: make sure the emails are in BCC and not in the recipient field, so that the email addresses are not shared with all the recipients.

4. Store all data in a secure location, make sure any transfers are completed securely, and do not share access to this information with anyone who should not have it.

5. When accessing personal data from a new device, always use private / incognito mode, and make sure you delete your login details.

6. You can standardise the personal data being collected (email, student ID, name in a particular language) so that you can easily locate all the data for one person whenever a subject rights request is initiated.

7. Assess which personal data variables you need to collect; never collect more data than needed (e.g. do not collect a driver’s license ID if you are not going to use it afterwards).

8. Appoint someone responsible for following up on data protection compliance with all the EB members, and conduct trainings on GDPR with the rest of the members that have access to data.

9. Always ask yourself if the data you are sharing is personal data that can be used to identify a subject, and whether you have a lawful basis to use it.

10. Make sure you’re always in control over who has access to the personal data you gather! For example, never make documents with someone’s personal data open-access. Use passwords and encryption where necessary.

11. When gathering personal data is necessary or essential for the given process (like signing up as an NMO member or applying for an exchange), don’t ask for consent to process their data. Instead, inform them that it is necessary for them to provide you their personal data in order to complete the process, in accordance with Art. 6.1.b of GDPR.

12. Have a registry of when you gathered, deleted or modified any data, along with all the places where it is stored. As long as you limit who has access to the document, you will have a perfect tool for managing any requests about personal data. For additional security, you could assign each member a “member number” instead of using their names in the file!

13. Practice a “clear table policy”. Never leave physical documents that contain personal data unattended or where unauthorised people could have access to them. If you have an office, keep those documents locked and always mind who has access to the key.

14. For online security, ensure you always have secure passwords and that you do not share those passwords with anyone. You could try using password managers, which can randomly generate passwords for each site/service, keeping them stored in one place.

15. Try to keep proof of everything you do to comply with GDPR, be it archived documents, bylaws or anything else. In case of a control from a supervising authority, the more proof of trying your best you can provide, the lesser the consequences of your mistakes.

16. Ensure a proper handover! No matter whether you appoint a Data Protection Officer or not, make sure you share your experience and practices about GDPR with your successors. Try to think of a proper way to provide this handover long before your term is due!
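Tip 2 (a deletion deadline in the folder name) and tip 12 (a registry of when data was gathered, modified or deleted and where it is stored) fit together as one small record-keeping tool. The Python example below is added here and is not part of the IFMSA manual: it keeps a processing register with a collection date, a retention period, every storage location and an audit trail per dataset, derives the deadline-in-the-name folder convention from it, and lists what is overdue for erasure. The dataset names, the folder naming convention `<dataset>_until_<YYYY-MM-DD>` and the retention periods are assumptions of this example, not a standard the manual prescribes.

```python
import re
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed folder naming convention for this example: "<dataset>_until_<YYYY-MM-DD>".
FOLDER_PATTERN = re.compile(r"^(?P<dataset>.+)_until_(?P<deadline>\d{4}-\d{2}-\d{2})$")


@dataclass
class RegisterEntry:
    dataset: str
    purpose: str
    collected_on: date
    delete_by: date
    locations: list = field(default_factory=list)  # every place a copy is stored
    history: list = field(default_factory=list)    # (date, action) audit trail
    erased: bool = False


class ProcessingRegister:
    """The registry of tip 12: what was gathered, when, where it lives and when it
    must go. Access to the register itself should be restricted as well."""

    def __init__(self):
        self.entries = {}

    def record_collection(self, dataset, purpose, collected_on, retention_days, locations):
        """Register a new dataset; the deadline follows from the retention period."""
        entry = RegisterEntry(
            dataset=dataset,
            purpose=purpose,
            collected_on=collected_on,
            delete_by=collected_on + timedelta(days=retention_days),
            locations=list(locations),
            history=[(collected_on, "collected")],
        )
        self.entries[dataset] = entry
        return entry

    def record_change(self, dataset, on, action, location=None):
        """Log a modification or an additional copy (e.g. a share with another team)."""
        entry = self.entries[dataset]
        entry.history.append((on, action))
        if location and location not in entry.locations:
            entry.locations.append(location)

    def record_erasure(self, dataset, on):
        """Log that every copy listed under `locations` has been erased."""
        entry = self.entries[dataset]
        entry.erased = True
        entry.history.append((on, "erased"))

    def folder_name(self, dataset):
        """Folder name carrying the deadline, as tip 2 suggests."""
        return f"{dataset}_until_{self.entries[dataset].delete_by.isoformat()}"

    def due_for_erasure(self, today):
        """Datasets whose deadline has passed and that are not yet erased."""
        return sorted(
            e.dataset for e in self.entries.values() if not e.erased and e.delete_by <= today
        )


def parse_folder_deadline(folder_name):
    """Read the deadline back out of a folder name; None if the name has none."""
    match = FOLDER_PATTERN.match(folder_name)
    return date.fromisoformat(match.group("deadline")) if match else None


def expired_folders(folder_names, today):
    """Folders (from a directory listing) that should have been erased by today."""
    expired = []
    for name in folder_names:
        deadline = parse_folder_deadline(name)
        if deadline is not None and deadline <= today:
            expired.append(name)
    return expired


if __name__ == "__main__":
    # Constructed sample data: one exchange application round kept for a year.
    register = ProcessingRegister()
    register.record_collection("exchange_applications_2019", "SCOPE exchange applications",
                               date(2019, 3, 1), 365, ["shared-drive:/nmo/exchange"])
    register.record_change("exchange_applications_2019", date(2019, 4, 1),
                           "shared with exchange team", "shared-drive:/nmo/exchange/team")
    print("folder:", register.folder_name("exchange_applications_2019"))
    print("due on 2020-03-01:", register.due_for_erasure(date(2020, 3, 1)))
    print("expired:", expired_folders(["old_survey_until_2019-12-31", "notes"], date(2020, 1, 1)))
```

Running `due_for_erasure` on a fixed schedule (for example at the start of every month) turns tip 2 from a good intention into a routine check, and the `history` list is the evidence tip 15 asks you to keep: it shows when data was collected, who else received a copy and when it was erased.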


Albania (ACMS) Algeria (Le Souk) Argentina (IFMSA-Argentina) Armenia (AMSP) Aruba (IFMSA-Aruba) Australia (AMSA) Austria (AMSA) Azerbaijan (AzerMDS) Bangladesh (BMSS) Belgium (BeMSA) Bolivia (IFMSA-Bolivia) Bosnia & Herzegovina (BoHeMSA) Bosnia & Herzegovina – Republic of Srpska (SaMSIC) Brazil (DENEM) Brazil (IFMSA-Brazil) Bulgaria (AMSB) Burkina Faso (AEM) Burundi (ABEM) Cameroon (CAMSA) Canada (CFMS) Canada – Québec (IFMSA-Québec) Catalonia - Spain (AECS) Chile (IFMSA-Chile) China (IFMSA-China) China – Hong Kong (AMSAHK) Colombia (ASCEMCOL) Costa Rica (ACEM) Croatia (CroMSIC) Cyprus (CyMSA) Czech Republic (IFMSA-CZ) Democratic Republic of the Congo (MSA-DRC) Denmark (IMCC)

Dominica (IFMSA Commonwealth of Dominica) Dominican Republic (ODEM) Ecuador (AEMPPI) Egypt (IFMSA-Egypt) El Salvador (IFMSA-El Salvador) Estonia (EstMSA) Ethiopia (EMSA) Finland (FiMSIC) France (ANEMF) Georgia (GMSA) Germany (bvmd) Ghana (FGMSA) Greece (HelMSIC) Grenada (IFMSA-Grenada) Guatemala (IFMSA-Guatemala) Guinea (AEM) Haiti (AHEM) Honduras (IFMSA-Honduras) Hungary (HuMSIRC) Iceland (IMSA) India (MSAI) Indonesia (CIMSA-ISMKI) Iran (IMSA) Iraq (IFMSA-Iraq) Iraq – Kurdistan (IFMSA-Kurdistan) Ireland (AMSI) Israel (FIMS) Italy (SISM) Ivory Coast (NOHSS) Jamaica (JAMSA) Japan (IFMSA-Japan) Jordan (IFMSA-Jo) Kazakhstan (KazMSA) Kenya (MSAKE) Korea (KMSA)

Kosovo - Serbia (KOMS) Kuwait (KuMSA) Latvia (LaMSA) Lebanon (LeMSIC) Lithuania (LiMSA) Luxembourg (ALEM) Malawi (MSA) Malaysia (SMMAMS) Mali (APS) Malta (MMSA) Mauritania (AFMM) Mexico (AMMEF-Mexico) Montenegro (MoMSIC) Morocco (IFMSA-Morocco) Nepal (NMSS) The Netherlands (IFMSA NL) Niger (AESS) Nigeria (NiMSA) Norway (NMSA) Oman (MedSCo) Palestine (PMSA) Pakistan (IFMSA-Pakistan) Panama (IFMSA-Panama) Paraguay (IFMSA-Paraguay) Peru (IFMSA-Peru) Peru (APEMH) Philippines (AMSA-Philippines) Poland (IFMSA-Poland) Portugal (ANEM) Qatar (QMSA) Republic of Moldova (ASRM) Republic of North Macedonia (MMSA) Romania (FASMR) Russian Federation (HCCM) Russian Federation – Republic of Tatarstan (TaMSA)


Rwanda (MEDSAR) Saint Lucia (IFMSA-Saint Lucia) Senegal (FNESS) Serbia (IFMSA-Serbia) Sierra Leone (SLEMSA) Singapore (SiMSA) Slovakia (SloMSA) Slovenia (SloMSIC) South Africa (SAMSA) Spain (IFMSA-Spain) Sudan (MedSIN) Sweden (IFMSA-Sweden) Switzerland (swimsa) Syrian Arab Republic (SMSA) Taiwan - China (FMS) Tajikistan (TJMSA) Thailand (IFMSA-Thailand) Tanzania (TaMSA) Togo (AEMP) Trinidad and Tobago (TTMSA) Tunisia (Associa-Med) Turkey (TurkMSIC) Turkey – Northern Cyprus (MSANC) Uganda (FUMSA) Ukraine (UMSA) United Arab Emirates (EMSS) United Kingdom of Great Britain and Northern Ireland (SfGH) United States of America (AMSA-USA) Uruguay (IFMSA-Uruguay) Uzbekistan (Phenomenon) Venezuela (FEVESOCEM) Yemen (NAMS) Zambia (ZaMSA) Zimbabwe (ZIMSA)

