Data security is essential to the safety and success of our partners who are implementing digital health programs to improve the quality of healthcare globally. Many of the programs our partners implement include case management services delivered by community or facility health workers to individuals accessing health care in developing countries. We have always taken the security and privacy of these clients very seriously. As you may have heard, a new regulation called the General Data Protection Regulation (GDPR) came into effect on May 25, 2018. Although the GDPR is an EU regulation, it protects the personal data of anyone in the EU regardless of citizenship, and it also reaches organisations outside the EU that offer services to, or monitor the behaviour of, people in the EU. Even where our programs fall outside that legal scope, we believe it represents a global best practice and have updated our policies and procedures to be fully compliant with the regulation. We are happy to announce that D-tree is fully compliant with the GDPR, and we describe what this means in more detail below.
There are five main GDPR requirements that affect our programs, each described below:
Consent
Breach notification
Right to access data & data portability
Right to be forgotten
Privacy by design
Consent: all future projects will obtain affirmative consent when registering clients and include an option for clients to withdraw consent after registration. For example, the first step when registering a new client in a family planning program would include a question asking: “To give appropriate family planning recommendations, the system must record and track the personal and health information that you give us. Do you consent to allow D-tree and partner(s) to use your information for family planning recommendations and program analysis?” Because the GDPR requires a controller to be able to demonstrate that consent was given, the answer is stored with the client record together with the date and the version of the consent text that was shown, and a later withdrawal is recorded the same way. We will work with our partners to engage in user-centered design activities to determine the most understandable way to introduce this topic in the local language, so that program participants understand the language and can truly give informed consent.
Breach notification: in the case of a data breach, D-tree will notify all affected partners within 72 hours of becoming aware of it, and we will work together to develop a plan on how to inform affected clients. Note that the GDPR's 72-hour deadline runs from the moment a breach becomes known and governs the controller's notification to its supervisory authority, so partners acting as controllers should plan their own notification alongside ours. We have never had a data breach and do not anticipate an increased risk in the future, but we remain vigilant about the risk, as the safety and security of our program clients is our top priority.
Right to access data & data portability: D-tree will provide an export of all data related to a specific client upon request. We can provide an Excel spreadsheet that includes all data points related to the client, their visits in the system, and any other data related to the client that is recorded during the project. Since an export is itself a copy of sensitive health data, requests should come through the partner so that the requester's identity can be verified before the export is released, and the file should be delivered through a protected channel rather than plain e-mail.
Right to be forgotten: upon request, D-tree can delete all data related to a client. Inactivating a client in the system is only a soft delete: the record is retained so that it can be reactivated later and so that ongoing data analysis stays consistent. If a client withdraws consent and no longer wants to participate in the program, we hard-delete all identifying information so that it is completely removed from our databases; any non-identifying data kept for program analysis can then no longer be linked back to the individual. Note that erasure is only complete once it also reaches backups and any exports previously shared, so partners holding copies should remove them as well.
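As an added example that is not part of the original announcement and is not D-tree's software, the following Python sketch shows how the consent logging, client export and erasure described above can be implemented over a small relational schema, and in particular how withdrawal of consent (hard deletion of identifying data) differs from inactivation (a soft delete). The tables, column names, consent version label and the sample client are all constructed for illustration; a real data model will differ.

```python
import json
import sqlite3
from datetime import datetime, timezone

# Constructed schema for illustration only, not D-tree's data model.
SCHEMA = """
CREATE TABLE clients (
    id INTEGER PRIMARY KEY, name TEXT, phone TEXT, village TEXT,
    birth_year INTEGER, active INTEGER NOT NULL DEFAULT 1, erased_at TEXT);
CREATE TABLE visits (
    id INTEGER PRIMARY KEY, client_id INTEGER NOT NULL REFERENCES clients(id),
    visit_date TEXT NOT NULL, method TEXT, notes TEXT);
CREATE TABLE consent_log (
    id INTEGER PRIMARY KEY, client_id INTEGER NOT NULL, action TEXT NOT NULL,
    consent_text_version TEXT NOT NULL, recorded_at TEXT NOT NULL);
"""

# Columns that identify a person directly. A fixed constant (never user input)
# because it is interpolated into SQL below. Quasi-identifiers such as
# birth_year in a small village need a separate review for your own data.
IDENTIFYING_FIELDS = ("name", "phone", "village")


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    return conn


def _now():
    return datetime.now(timezone.utc).isoformat()


def register_client(conn, name, phone, village, birth_year, consent_version):
    """Create the client only after affirmative consent, and log which version
    of the consent text was shown so the consent can be demonstrated later."""
    cur = conn.execute(
        "INSERT INTO clients (name, phone, village, birth_year) VALUES (?, ?, ?, ?)",
        (name, phone, village, birth_year))
    client_id = cur.lastrowid
    conn.execute(
        "INSERT INTO consent_log (client_id, action, consent_text_version, recorded_at) "
        "VALUES (?, 'given', ?, ?)", (client_id, consent_version, _now()))
    return client_id


def record_visit(conn, client_id, visit_date, method, notes):
    conn.execute(
        "INSERT INTO visits (client_id, visit_date, method, notes) VALUES (?, ?, ?, ?)",
        (client_id, visit_date, method, notes))


def export_client(conn, client_id):
    """Right of access / portability: every row held about one client, as a
    plain dict that json.dumps() or a spreadsheet writer can serialise."""
    client = conn.execute("SELECT * FROM clients WHERE id = ?", (client_id,)).fetchone()
    if client is None:
        raise KeyError(f"no client {client_id}")
    visits = conn.execute(
        "SELECT * FROM visits WHERE client_id = ? ORDER BY visit_date", (client_id,)).fetchall()
    consents = conn.execute(
        "SELECT * FROM consent_log WHERE client_id = ? ORDER BY id", (client_id,)).fetchall()
    return {"client": dict(client), "visits": [dict(v) for v in visits],
            "consent_log": [dict(c) for c in consents]}


def deactivate_client(conn, client_id):
    """Inactivation is a soft delete: nothing is removed, so the client can be
    reactivated and existing analyses stay consistent."""
    conn.execute("UPDATE clients SET active = 0 WHERE id = ?", (client_id,))


def withdraw_consent(conn, client_id, consent_version):
    """Right to be forgotten: log the withdrawal, then overwrite every
    identifying column and scrub free-text notes (which often leak names).
    Visit dates and methods stay for aggregate analysis but no longer link
    to a person."""
    if conn.execute("SELECT 1 FROM clients WHERE id = ?", (client_id,)).fetchone() is None:
        raise KeyError(f"no client {client_id}")
    conn.execute(
        "INSERT INTO consent_log (client_id, action, consent_text_version, recorded_at) "
        "VALUES (?, 'withdrawn', ?, ?)", (client_id, consent_version, _now()))
    assignments = ", ".join(f"{col} = NULL" for col in IDENTIFYING_FIELDS)
    conn.execute(
        f"UPDATE clients SET {assignments}, active = 0, erased_at = ? WHERE id = ?",
        (_now(), client_id))
    conn.execute("UPDATE visits SET notes = NULL WHERE client_id = ?", (client_id,))
    conn.commit()


def is_erased(conn, client_id):
    """Verification step for an erasure request: nothing identifying remains."""
    row = conn.execute("SELECT * FROM clients WHERE id = ?", (client_id,)).fetchone()
    if row is None or row["erased_at"] is None:
        return False
    if any(row[col] is not None for col in IDENTIFYING_FIELDS):
        return False
    notes_left = conn.execute(
        "SELECT COUNT(*) FROM visits WHERE client_id = ? AND notes IS NOT NULL",
        (client_id,)).fetchone()[0]
    return notes_left == 0


def demo():
    """Constructed walk-through with a fictitious client: register, record a
    visit, export, withdraw consent, export again."""
    conn = open_db()
    cid = register_client(conn, "Asha M.", "+255700000000", "Kidoti", 1990, "fp-consent-v1")
    record_visit(conn, cid, "2018-06-01", "injectable", "asked about side effects")
    before = export_client(conn, cid)
    withdraw_consent(conn, cid, "fp-consent-v1")
    after = export_client(conn, cid)
    return before, after, is_erased(conn, cid)


if __name__ == "__main__":
    before, after, erased = demo()
    print(json.dumps(before, indent=2))
    print(json.dumps(after, indent=2))
    print("erased:", erased)
```

The point of keeping `is_erased` separate from `withdraw_consent` is that an erasure request should be verified by a query that knows nothing about how the deletion was done; the same check can be run against restored backups to confirm the erasure reached them.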
Privacy by design: we build data protection and security into our projects from the start of planning and implement all appropriate measures. For example, this includes discussions with partners on how to create passwords for end users that are both secure and easily memorable, and on giving each health worker an individual account so that the system records who viewed or changed a client's data.
Please reach out to your D-tree representative if you would like to discuss the GDPR, how it affects you and your project, and what, if any, changes you would like to incorporate into your project. Please contact firstname.lastname@example.org for additional information.