1 / 25

Personal data protection requirements for the health sector

EU Twinning Project Expert : Dr. Ulrich Stockter Project Activity 3.7 (training courses) Date: 25/03/2019 This project is funded by the European Union. Personal data protection requirements for the health sector. Personal data protection requirements for the health sector Overview.

lee
Download Presentation

Personal data protection requirements for the health sector

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. EU Twinning Project Expert: Dr. Ulrich Stockter Project Activity 3.7 (training courses) Date: 25/03/2019 This project is funded by the European Union Personal data protection requirements for the health sector

  2. Personal data protection requirements for the health sector Overview Contents Introduction II. Legitimation III. Principles IV. Implementation V. Enforcement VI. Code of Conduct

  3. Introduction – Legitimation – Principles – Implementation – Enforcement – Code of Conduct European Provisions – Legal framework in Moldova – Definitions European Provisions General Data Protection Regulation (GDPR) cameintoforce on 24th March 2016, fullyapplicablesince 25th March 2018 (foradoptionreasons) Directive 2011/24/EU on theapplicationofpatients’ rights in cross-borderhealthcare Selected provisionswith a specialreferencetohealthdataas a specialcategoryof personal data Art. 4 No. 15 Definition of personal healthdata Art. 9 Processing ofspecialcategoriesof personal data Art. 22 (4) automated individual decision-making, includingprofiling (specialprovisionsfortheuse personal healthdata)

  4. Introduction – Legitimation – Principles – Implementation – Enforcement – Code of Conduct European Provisions – Legal framework in Moldova – Definitions Legal framework in Moldova 1. Legislation on Personal Data Protection Law no. 133 of 08.07.2011 on Personal Data Protection Draft Law an Personal Data Protection, 1st reading in parliament 2018 (Draft Law) on Health Issues Law no. 411-XIII of 28.03.1995 on Health Protection Law no. 263-XVI of 27.10.2005 on Patients’ Rights and Responsibilities Government Decision no. 586 of 24.07.2017 for the Regulationonthe holding oftheMedicalRegister (GD no. 586) 2. Otherlegaldocuments Draft Code of Conduct/Recommendation

  5. Introduction – Legitimation – Principles – Implementation – Enforcement – Code of Conduct European Provisions – Legal framework in Moldova – Definitions Definition of health data recital (35, 53 f.), Art. 3 no. 15 GDPR, Article 3 (6) Draft Law healthinformationofanycontentandquality: a disease, disability, diseaserisk past, currentorfuturephysicalor mental healthstatus on registrationforortheprovisionofhealth care services identificationdata(e.g. numberorsymbol) testresultsandbiologicalsamples; independentofitssource: hospital, physicianorotherhealth professional a medicaldeviceor an in vitro diagnostictest

  6. Introduction– Legitimation – Principles – Implementation – Enforcement – Code of Conduct Legitimation requirement – Obligation to secrecy – Catalogue – Legal grounds – Consent Legitimation requirement General constitutional approach: everything is allowed which is not forbidden In the field of data protection: everything is forbidden which is not allowed  every data transmission has to justified Furthermore: Personal health data are special category If you want to process personal health data, you need a specified legitimation in addition to the medical informed consent Specified legal ground for data processing If necessary: Explicit consent to the data processing

  7. Introduction– Legitimation – Principles – Implementation – Enforcement – Code of Conduct Legitimation requirement – Obligation to secrecy – Catalogue – Legal grounds – Consent Obligation to secrecy Professional secrecy obligation Art. 9 (3) GDPR; Art. 9 (3) Draft Law History: antique! Hippocratian oath, see also confessional secret confidentiality as basis of the physician-patient relation Legal frame: Special rules of professional conduct (e.g. Art. 12 Law no. 263 on Patients’ Rights and Responsibilities) possibly sticter (!) than data protection rules Purpose: Violations of the obligation to secrecy not only: detriment of the individual but also: detriment to the professional group Forms of violation: Not only by intent, but also by negligence (e.g. Patient documents in the garbage) relevant data: e.g. sole information about the medical treatment by a certain person or the kind of treatment; not: anonymized data (e.g. numbers of injured persons)

  8. Introduction– Legitimation – Principles – Implementation – Enforcement – Code of Conduct Legitimation requirement – Obligation to secrecy – Catalogue – Legal grounds – Consent Catalogue of possible legal grounds Art. 9 (2) Draft Law/ Art. 9 (2) GDPR explicit consent employment and social protection vital interests of a person incapable of giving consent; not-for-profit body with a political, philosophical, religious or trade union aim manifestly made public by the data subject exercise or defence of legal claims substantial public interest, for the purposes medical diagnosis and treatment (legal entitlement or contract); i) for reasons of public interest in the area of public health, j) for archiving, scientific or historical research, or statistical purposes

  9. Introduction– Legitimation – Principles – Implementation – Enforcement – Code of Conduct Legitimation requirement – Obligation to secrecy – Catalogue – Legal grounds – Consent Legal grounds Typical legitimation in the health sector: Preferably no consent to appropriate data processing based on Art. 9 (2) (h) GDPR There should be an information about the data processing • h) for • the purposes of preventive or occupational medicine, • for the assessment of the working capacity of the employee, • medical diagnosis, the provision of health or social care or treatment or • the management of health or social care systems and services • on the basis of Union or Member State law or pursuant to contract with a health professional …;

  10. Introduction– Legitimation – Principles – Implementation – Enforcement – Code of Conduct Legitimation requirement – Obligation to secrecy – Catalogue – Legal grounds – Consent Consent (1) Free, specific, informedandexplicit mightbealso byelectronicmeans Distinction between: (medical) informed consent to the necessary medical diagnosis and treatment (data protection) explicit consent to the necessary processing of personal health data

  11. Introduction– Legitimation – Principles – Implementation – Enforcement – Code of Conduct Legitimation requirement – Obligation to secrecy – Catalogue – Legal grounds – Consent Consent (2) Example 1: medical treatment of a injured person (medical) informed consent to the necessary medical diagnosis and treatment Legally based for data processing in the course of medical treatment Art. 9 (2) (h) GDPR NO demand for an explicit consent Art. 9 (2) (a) GDPR INSTEAD: Information about the respective legal grounds Example 2: medical treatment of a unconscious injured person after an accident consent cannot be received Legally based data processing in vital interest of the data subject without consent Art. 9 (2) (c) GDPR

  12. Introduction– Legitimation – Principles – Implementation – Enforcement – Code of Conduct Legitimation requirement – Obligation to secrecy – Catalogue – Legal grounds – Consent Consent (3) Example 3: billing in the framework of the national health insurance data processing for billing the health service Art. 9 (2) (h) GDPR BUT: data processing within the national health insurance is foreseeable for the patient because of the legal basis Therefore: Explicit consent is NOT needed Also therefore: No breach of the professional obligation to secrecy So e.g. in Germany Example 4: billing for privately paid health service by collection agency data processing for billing the health service Art. 9 (2) (h) GDPR BUT: engagement of collection agency is not foreseeable for the patient Therefore: Explicit consent might be needed, Art. 9 (2) (a) GDPR also because of the professional obligation to secrecy e.g. in Germany

  13. Introduction– Legitimation – Principles – Implementation – Enforcement – Code of Conduct Legitimation requirement – Obligation to secrecy – Catalogue – Legal grounds – Consent Consent (4) Example 5: Scientific research personal medical data might be needed (e.g. because of the need of retraceability) No data processing in the course of medical service does not include research Art. 9 (2) (h) GDPR BUT: legal ground for research with existing personal health data Art. 9 (2) (j) GDPR Information about the research project and the respective data processing Possibly explicit consent is needed Art. 9 (2) (a) GDPR dependent on the research design, e.g. additional health information of the data subject is needed Additional Informed an explicit consent

  14. Introduction– Legitimation – Principles – Implementation – Enforcement – Code of Conduct Purpose Limitation – Data Minimisation – Accuracy – Storage Limitation – Others Purpose Limitation Art. 5 (1) (b) GDPR, Art. 4 (1) (b) Draft Law  prohibitionofdisclosure generally within the purpose of medical treatment Transmission for purposes of medical treatment between two medical units examples for possible doubt cases: Transmission to governmental or law enforcement authorities Processing of treatment data for research purposes Processing medical or treatment data for purposes of marketing (of the hospital e.g.)  the recipients need their own legal ground for receiving the data!

  15. Introduction– Legitimation – Principles – Implementation – Enforcement – Code of Conduct Purpose Limitation – Data Minimisation– Accuracy – Storage Limitation – Others Data Minimisation Art. 5 (1) (c) GDPR, Art. 4 (1) (c) Draft Law No transmission of unnecessary data to third parties e.g. medical attests for the employer in cases of unemployability generally without medical diagnosis  Safeguarding confidentiality and breaches of the professional secrecy obligation

  16. Introduction– Legitimation – Principles – Implementation – Enforcement – Code of Conduct Purpose Limitation – Data Minimisation – Accuracy – Storage Limitation – Others Accuracy Art. 5 (1) (d) GDPR, Art. 4 (1) (d) Draft Law Precise medical data Data quality management (four-eye-principle)  Avoidingmedicalmistreatment

  17. Introduction– Legitimation – Principles – Implementation – Enforcement – Code of Conduct Purpose Limitation – Data Minimisation – Accuracy – Storage Limitation – Others Storage Limitation Art. 5 (1) (e) GDPR, Art. 4 (1) (e) Draft Law Storage limitations have to be explicitly set Possible provisions for archiving: Medical, possibly dependent on the treatment and the diagnosis method Mercantile Taxes Effective ways of destroy paperbound and electronic information  technical standards!  avoidingpossiblemisuseofmedicaldata

  18. Introduction– Legitimation – Principles – Implementation – Enforcement – Code of Conduct Purpose Limitation – Data Minimisation – Accuracy – Storage Limitation – Others Other data protection principles (Article 6 GDPR) Lawfulness, fairnessandtransparencyArt. 6 (1) (a) GDPR  see also legitimationand Implementation (datasubject‘srights) IntegrityandconfidentialityArt. 6 (1) (f) GDPR  see also obligationtosecrecy Accountability (onusofproofhasthecontroller) Art. 6 (2) GDPR

  19. Introduction– Legitimation – Principles – Implementation – Enforcement – Code of Conduct Technical und organisational measures – Rights of the Data Subject Technical und organisational Measures (1) by design andbydefaultArt. 25 GDPR; Art. 30 Draft Law ensureamostappropriatelevelof security an integrityin relationtotherisk see e.g. dataprotectionprovisionsfortheMedicalRegisterGD no. 586 Personnel: obligatorydesignationofthedataprotectionofficerArt. 37 (1) (c) GDPR; Art. 42 (1) (c) Draft Law Special attentiontotheengagementofdataprocessorsArt. 28, 29 GDPR; Art. 33, 34 Draft Law DutyofCooperationwiththesupervisoryauthorityArt. 31 GDPR Documents: obligatorymaintenanceofrecordsofprocessingactivitiesArt. 30 (9) GDPR; Art. 35 (5) Draft Law obligatorydataprotectionimpactassessmentArt. 35 (3) (b) GDPR; Art. 40 (3) (b) Draft Law preferably: Drawing up a codeofconductArt. 40 GDPR; Art. 45 Draft Law

  20. Introduction– Legitimation – Principles – Implementation – Enforcement – Code of Conduct Technical und organisational measures – Rights of the Data Subject Technical und organisational Measures (2) Technical: Protectionfromanyillegaloraccidentaldestruction,lossorimpairment: Access onlybyauthorisiedperson (passwords, lockablerooms) Logfiles Auditprocedures Availabilityandresilience, i.e. properanduninterruptedfunctioningofthesystem Confidentiality Encryptionandpseudonymisationasappropriate Special secrecyagreementswithpersonnel Special requirementsfore-mailcorrespondence(seeDraft Code ofConduct)

  21. Introduction– Legitimation – Principles – Implementation – Enforcement – Code of Conduct Technical und Organisational Measures – Rights of the Data Subject Rights of the data subject Transparencyandmodalities Information andaccessto personal data Information andrightofaccessbythedatasubjectArt. 13-15 GDPR Rectificationanderasure (section 3) RighttorectificationArt. 16 GDPR Righttoerasure („righttobeforgotten“) Art. 17 GDPR RighttorestrictionofprocessingArt. 18 GDPR RighttodataportabilityArt. 20 GDPR Righttoobject an automated individual decision-makingArt. 22 GDPR

  22. Introduction– Legitimation – Principles – Implementation – Enforcement – Code of Conduct Enforcement by actions of authorities and courts Enforcement by supervisory Authorities Investigations, notifications, approvements, orders, etcArt. 58 GDPR, Art. 75 ff. Draft Law DutyofcooperationwiththesupervisoryauthoritiesArt. 31 GDPR DamagesfortheviolationofpersonalityrightsArt. 82 GDPR Administrative finesArt. 83 GDPR PenaltiesArt. 84 GDPR Right to an effective judicial remedy against a controller or processor Art. 87 Draft Law Right to Compensation and Liability Art. 88 Draft Law Administrative liability for breach of the provisions of this law Art. 89 Draft Law Court decisions

  23. Introduction– Legitimation – Principles – Implementation – Enforcement – Code of Conduct Elaboration – Cooperation – Advantages Textualisiation Currentrevisionandsupplementation Listing andprioritisationof relevant questions Practicabilityandacceptance Preferably at an earlystage: The supervisoryautheritiesunderstandtheuncertaintyofthecontrollers The readinessforcooperationishigherthan after havingdevelopedroutines

  24. Introduction – legitimation – Principles – Implementation– Enforcement – Code of Conduct Elaboration – Cooperation – Advantages Cooperation see also draftcodeofconduct/recommendation Round tablewithintheownmedicalunit/entreprise interdisplinarymeetings withpersonsof different professions (medical, social, legal) and functions (management, commissioners, staff) Exchange withothermedicalunitsandenterprises Certificationbythesupervisionaryauthority

  25. Introduction – legitimation – Principles – Implementation– Enforcement – Code of Conduct Elaboration – Cooperation– Advantages Advantages A higherdegreeofpractabilityandaceptance Betterweighingofinterests byinterdisciplinaryworkandgatheringexpertise Networking andworksharing Reassuranceforthedataprotectionpolicy withintheownmedicalunit togetherwithothermedicalunits/enterprises bysupervisoryauthorisities(i.e. approvement)

More Related