Personal Data Protection Requirements in the Health Sector: EU Twinning Project Overview
This document provides an overview of the personal data protection requirements in the health sector, specifically focusing on the European Union Twinning Project. It covers topics such as legitimation, principles, implementation, enforcement, code of conduct, and European provisions, including the General Data Protection Regulation (GDPR) and specific laws in Moldova related to personal data protection and healthcare. The content emphasizes the importance of safeguarding personal health data and complying with relevant legislation.
Presentation Transcript
Personal data protection requirements for the health sector
EU Twinning Project
Expert: Dr. Ulrich Stockter
Project Activity 3.7 (training courses)
Date: 25/03/2019
This project is funded by the European Union
Personal data protection requirements for the health sector: Overview
Contents
I. Introduction
II. Legitimation
III. Principles
IV. Implementation
V. Enforcement
VI. Code of Conduct
Introduction: European Provisions
- General Data Protection Regulation (GDPR): came into force on 24th March 2016, fully applicable since 25th March 2018 (for adoption reasons)
- Directive 2011/24/EU on the application of patients' rights in cross-border healthcare
Selected provisions with a special reference to health:
- Art. 4 No. 15: definition of personal health data
- Art. 9: processing of special categories of personal data (health data as a special category of personal data)
- Art. 22 (4): automated individual decision-making, including profiling (special provisions for the use of personal health data)
Introduction: Legal framework in Moldova
1. Legislation
on Personal Data Protection:
- Law no. 133 of 08.07.2011 on Personal Data Protection
- Draft Law on Personal Data Protection, 1st reading in parliament 2018 (Draft Law)
on Health Issues:
- Law no. 411-XIII of 28.03.1995 on Health Protection
- Law no. 263-XVI of 27.10.2005 on Patients' Rights and Responsibilities
- Government Decision no. 586 of 24.07.2017 for the Regulation on the holding of the Medical Register (GD no. 586)
2. Other legal documents
- Draft Code of Conduct/Recommendation
Introduction: Definitions
Definition of health data: recital (35, 53 f.), Art. 3 no. 15 GDPR, Article 3 (6) Draft Law
Health information of any content and quality:
- a disease, disability, disease risk
- past, current or future physical or mental health status
- on registration for or the provision of healthcare services
- identification data (e.g. number or symbol)
- test results and biological samples
independent of its source:
- hospital, physician or other health professional
- a medical device or an in vitro diagnostic test
Legitimation: Legitimation requirement
- General constitutional approach: everything is allowed which is not forbidden
- In the field of data protection: everything is forbidden which is not allowed; every data transmission has to be justified
- Furthermore: personal health data are a special category
- If you want to process personal health data, you need a specified legitimation in addition to the medical informed consent:
  - a specified legal ground for data processing
  - if necessary: explicit consent to the data processing
Legitimation: Obligation to secrecy
- Professional secrecy obligation: Art. 9 (3) GDPR; Art. 9 (3) Draft Law
- History: antique! Hippocratic oath (confidentiality as the basis of the physician-patient relation); see also the confessional secret
- Legal frame: special rules of professional conduct (e.g. Art. 12 Law no. 263 on Patients' Rights and Responsibilities), possibly stricter (!) than data protection rules
- Purpose: violations of the obligation to secrecy are not only a detriment to the individual but also a detriment to the professional group
- Forms of violation: not only by intent, but also by negligence (e.g. patient documents in the garbage)
- Relevant data: e.g. the sole information that a certain person is under medical treatment, or the kind of treatment; not anonymized data (e.g. numbers of injured persons)
Legitimation: Catalogue of possible legal grounds (Art. 9 (2) Draft Law / Art. 9 (2) GDPR)
a) explicit consent
b) employment and social protection
c) vital interests of a person incapable of giving consent
d) not-for-profit body with a political, philosophical, religious or trade union aim
e) manifestly made public by the data subject
f) exercise or defence of legal claims
g) substantial public interest
h) for the purposes of medical diagnosis and treatment (legal entitlement or contract)
i) for reasons of public interest in the area of public health
j) for archiving, scientific or historical research, or statistical purposes
Legitimation: Legal grounds
Typical legitimation in the health sector: h) for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional
- Preferably no consent to appropriate data processing based on Art. 9 (2) (h) GDPR
- There should be information about the data processing
Legitimation: Consent (1)
- Free, specific, informed and explicit; might also be given by electronic means
- Distinction between:
  - (medical) informed consent to the necessary medical diagnosis and treatment
  - (data protection) explicit consent to the necessary processing of personal health data
Legitimation: Consent (2)
Example 1: medical treatment of an injured person
- (medical) informed consent to the necessary medical diagnosis and treatment
- Legal basis for data processing in the course of medical treatment: Art. 9 (2) (h) GDPR
- NO demand for an explicit consent (Art. 9 (2) (a) GDPR); INSTEAD: information about the respective legal grounds
Example 2: medical treatment of an unconscious injured person after an accident
- consent cannot be received
- Legally based data processing in the vital interest of the data subject without consent: Art. 9 (2) (c) GDPR
Legitimation: Consent (3)
Example 3: billing in the framework of the national health insurance
- data processing for billing the health service
- BUT: data processing within the national health insurance is foreseeable for the patient because of the legal basis
- Therefore: explicit consent is NOT needed; also therefore: no breach of the professional obligation to secrecy (so e.g. in Germany: Art. 9 (2) (h) GDPR)
Example 4: billing for a privately paid health service by a collection agency
- data processing for billing the health service
- BUT: the engagement of a collection agency is not foreseeable for the patient
- Therefore: explicit consent might be needed, also because of the professional obligation to secrecy (e.g. in Germany: Art. 9 (2) (h) GDPR, Art. 9 (2) (a) GDPR)
Legitimation: Consent (4)
Example 5: scientific research
- personal medical data might be needed (e.g. because of the need for retraceability)
- No: data processing in the course of medical service does not include research (Art. 9 (2) (h) GDPR)
- BUT: there is a legal ground for research with existing personal health data (Art. 9 (2) (j) GDPR); information about the research project and the respective data processing is required
- Possibly explicit consent is needed, dependent on the research design, e.g. if additional health information of the data subject is needed: additional informed and explicit consent (Art. 9 (2) (a) GDPR)
Principles: Purpose Limitation (Art. 5 (1) (b) GDPR, Art. 4 (1) (b) Draft Law)
- Prohibition of disclosure; generally within the purpose of medical treatment
- Transmission for purposes of medical treatment between two medical units
- Examples for possible doubt cases:
  - transmission to governmental or law enforcement authorities
  - processing of treatment data for research purposes
  - processing medical or treatment data for purposes of marketing (e.g. of the hospital)
- The recipients need their own legal ground for receiving the data!
Principles: Data Minimisation (Art. 5 (1) (c) GDPR, Art. 4 (1) (c) Draft Law)
- No transmission of unnecessary data to third parties, e.g. medical attests for the employer in cases of unemployability generally without the medical diagnosis
- Safeguards confidentiality and prevents breaches of the professional secrecy obligation
Principles: Accuracy (Art. 5 (1) (d) GDPR, Art. 4 (1) (d) Draft Law)
- Precise medical data
- Data quality management (four-eye principle)
- Avoiding medical mistreatment
Principles: Storage Limitation (Art. 5 (1) (e) GDPR, Art. 4 (1) (e) Draft Law)
- Storage limitations have to be explicitly set
- Possible provisions for archiving: medical (possibly dependent on the treatment and the diagnosis method), mercantile, taxes
- Effective ways to destroy paper-bound and electronic information: technical standards!
- Avoiding possible misuse of medical data
Principles: Other data protection principles (Article 6 GDPR)
- Lawfulness, fairness and transparency (Art. 6 (1) (a) GDPR): see also legitimation and implementation (data subject's rights)
- Integrity and confidentiality (Art. 6 (1) (f) GDPR): see also obligation to secrecy
- Accountability (Art. 6 (2) GDPR): the onus of proof lies with the controller
Implementation: Technical and organisational measures (1)
- By design and by default: ensure a most appropriate level of security and integrity in relation to the risk (Art. 25 GDPR; Art. 30 Draft Law); see e.g. the data protection provisions for the Medical Register (GD no. 586)
Personnel:
- Obligatory designation of the data protection officer (Art. 37 (1) (c) GDPR; Art. 42 (1) (c) Draft Law)
- Special attention to the engagement of data processors (Art. 28, 29 GDPR; Art. 33, 34 Draft Law)
- Duty of cooperation with the supervisory authority (Art. 31 GDPR)
Documents:
- Obligatory maintenance of records of processing activities (Art. 30 (9) GDPR; Art. 35 (5) Draft Law)
- Obligatory data protection impact assessment (Art. 35 (3) (b) GDPR; Art. 40 (3) (b) Draft Law)
- Preferably: drawing up a code of conduct (Art. 40 GDPR; Art. 45 Draft Law)
Implementation: Technical and organisational measures (2)
Technical:
- Protection from any illegal or accidental destruction, loss or impairment: access only by authorised persons (passwords, lockable rooms); log files; audit procedures
- Availability and resilience, i.e. proper and uninterrupted functioning of the system
- Confidentiality: encryption and pseudonymisation as appropriate; special secrecy agreements with personnel; special requirements for e-mail correspondence (see Draft Code of Conduct)
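The measures listed on this slide (pseudonymisation, access only by authorised persons, log files, audit procedures) can be shown together in a small program. The following is an added example written for this overview, not code from the presentation or the Twinning Project: the patient records, the key and the role-to-field mapping are all constructed for the demonstration. The pseudonym is a keyed hash (HMAC-SHA256) of the patient identifier, so the same patient always gets the same pseudonym while the mapping back to the identity is only possible with the key and the separately kept lookup table. Each read is filtered by role (billing never sees the diagnosis, which is the data minimisation point from the earlier slide) and written to an append-only log that an audit routine can query.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed sample records; patients and values are invented for this example.
SAMPLE_RECORDS = [
    {"patient_id": "P-0001", "name": "Patient One", "diagnosis": "J45", "visit": "2019-03-01"},
    {"patient_id": "P-0002", "name": "Patient Two", "diagnosis": "E11", "visit": "2019-03-02"},
    {"patient_id": "P-0001", "name": "Patient One", "diagnosis": "J45", "visit": "2019-03-15"},
]

# Fields that directly identify the patient; they stay inside the treating unit.
DIRECT_IDENTIFIERS = ("patient_id", "name")

# Demo key only. In a real system the key lives in a separate key store, not beside the data.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def pseudonym(patient_id: str, key: bytes) -> str:
    """Keyed hash of the identifier: stable per patient, not reversible without the key."""
    return hmac.new(key, patient_id.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Return (records without direct identifiers, lookup table pseudonym -> patient_id).

    The lookup table is what the key holder keeps apart from the pseudonymised data.
    """
    pseudonymised, lookup = [], {}
    for rec in records:
        pid = pseudonym(rec["patient_id"], key)
        lookup[pid] = rec["patient_id"]
        rest = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        pseudonymised.append({"pseudonym": pid, **rest})
    return pseudonymised, lookup


class AccessControl:
    """Field-level access per role with an append-only log of every read attempt."""

    # Hypothetical role model for the example: each role sees only the fields it needs.
    ROLE_FIELDS = {
        "physician": {"pseudonym", "diagnosis", "visit"},
        "billing": {"pseudonym", "visit"},        # data minimisation: no diagnosis for billing
        "researcher": {"pseudonym", "diagnosis"},
    }

    def __init__(self, clock=None):
        self.log = []  # log file stand-in: one entry per attempt, never edited afterwards
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())

    def read(self, user: str, role: str, record: dict) -> dict:
        allowed = self.ROLE_FIELDS.get(role)
        outcome = "granted" if allowed else "denied"
        self.log.append({"ts": self._clock(), "user": user, "role": role,
                         "pseudonym": record["pseudonym"], "outcome": outcome})
        if allowed is None:
            raise PermissionError(f"role {role!r} may not read health records")
        return {k: v for k, v in record.items() if k in allowed}

    def denied_events(self):
        """Audit procedure: the denied attempts a reviewer looks at first."""
        return [e for e in self.log if e["outcome"] == "denied"]


if __name__ == "__main__":
    records, lookup = pseudonymise(SAMPLE_RECORDS, DEMO_KEY)
    ac = AccessControl()
    print(ac.read("dr.m", "physician", records[0]))
    print(ac.read("clerk", "billing", records[0]))
    try:
        ac.read("intern", "marketing", records[1])
    except PermissionError as exc:
        print("denied:", exc)
    print(ac.denied_events())
```

The pseudonymised list can be handed to billing or research without names or identifiers, and re-identification for treatment goes through the lookup table held by the key owner. Because every attempt is logged before the permission check decides, a denied read leaves a trace for the audit step as well.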
Implementation: Rights of the data subject
- Transparency and modalities; information and access to personal data: information and right of access by the data subject (Art. 13-15 GDPR)
- Rectification and erasure (section 3): right to rectification (Art. 16 GDPR); right to erasure ("right to be forgotten") (Art. 17 GDPR); right to restriction of processing (Art. 18 GDPR); right to data portability (Art. 20 GDPR)
- Right to object and automated individual decision-making (Art. 22 GDPR)
Enforcement: Enforcement by actions of authorities and courts
Enforcement by supervisory authorities:
- Investigations, notifications, approvals, orders, etc. (Art. 58 GDPR, Art. 75 ff. Draft Law)
- Duty of cooperation with the supervisory authorities (Art. 31 GDPR)
Court decisions:
- Damages for the violation of personality rights (Art. 82 GDPR)
- Administrative fines (Art. 83 GDPR)
- Penalties (Art. 84 GDPR)
- Right to an effective judicial remedy against a controller or processor (Art. 87 Draft Law)
- Right to compensation and liability (Art. 88 Draft Law)
- Administrative liability for breach of the provisions of this law (Art. 89 Draft Law)
Code of Conduct: Elaboration
- Textualisation
- Current revision and supplementation
- Listing and prioritisation of relevant questions
- Practicability and acceptance
- Preferably at an early stage: the supervisory authorities understand the uncertainty of the controllers, and the readiness for cooperation is higher than after routines have developed
Code of Conduct: Cooperation (see also draft code of conduct/recommendation)
1. Round table within the own medical unit/enterprise: interdisciplinary meetings with persons of different professions (medical, social, legal) and functions (management, commissioners, staff)
2. Exchange with other medical units and enterprises
3. Certification by the supervisory authority
Code of Conduct: Advantages
- A higher degree of practicability and acceptance
- Better weighing of interests by interdisciplinary work and gathering expertise
- Networking and work sharing
- Reassurance for the data protection policy within the own medical unit, together with other medical units/enterprises, by the supervisory authorities (i.e. approval)