Strasbourg, 31 August 2015                                                                  T-PD(2015)02Mos

CONSULTATIVE COMMITTEE OF THE CONVENTION

FOR THE PROTECTION OF INDIVIDUALS WITH REGARD TO
AUTOMATIC PROCESSING OF PERSONAL DATA [ETS No. 108]

COMPILATION OF REPLIES
ON MEDICAL TECHNOLOGIES AND DATA PROTECTION ISSUES

Recommendation (97)5 on medical data

Questionnaire on Medical Data

****

Directorate General Human Rights and Rule of Law

INDEX

ALBANIA / ALBANIE - THE COMMISSIONER FOR FREEDOM OF INFORMATION AND PERSONAL DATA PROTECTION (IDP)

ALBANIA / ALBANIE - AMERICAN HOSPITAL / HÔPITAL AMERICAIN

ALBANIA / ALBANIE - SALUS HOSPITAL / HÔPITAL SALUS

ALBANIA / ALBANIE - UNIVERSITY HOSPITAL CENTER "MOTHER THERESA"

AUSTRIA / AUTRICHE

BELGIUM / BELGIQUE

BOSNIA AND HERZEGOVINA

CROATIA / CROATIE

ESTONIA / ESTONIE

FRANCE

LATVIA / LETTONIE

LITHUANIA / LITUANIE

GERMANY / ALLEMAGNE

HUNGARY / HONGRIE

ICELAND / ISLANDE

ITALY / ITALIE

IRELAND / IRLANDE

MONACO

NORWAY / NORVÈGE

POLAND / POLOGNE

PORTUGAL

SERBIA / SERBIE

SLOVAK REPUBLIC / RÉPUBLIQUE SLOVAQUE

SLOVENIA / SLOVÉNIE

"THE FORMER YUGOSLAV REPUBLIC OF MACEDONIA" / «L'EX-RÉPUBLIQUE YOUGOSLAVE DE MACÉDOINE»

PUBLIC HEALTH CARE 1

PUBLIC HEALTH CARE 2

PRIVATE HEALTH CARE 3

PRIVATE HEALTH CARE 4

PRIVATE HEALTH CARE 5

PRIVATE HEALTH CARE 6

PRIVATE HEALTH CARE 7

PRIVATE HEALTH CARE 8

SWITZERLAND / SUISSE - L'ASSOCIATION DES AUTORITÉS CANTONALES DE LA PROTECTION DES DONNÉES (PRIVATIM)

SWITZERLAND / SUISSE - REPLIES PFDPT

SWITZERLAND / SUISSE

SWITZERLAND / SUISSE - FEDERAL OFFICE OF PUBLIC HEALTH (OFFICE FÉDÉRAL DE LA SANTÉ PUBLIQUE)

URUGUAY


ALBANIA / ALBANIE - THE COMMISSIONER
FOR FREEDOM OF INFORMATION AND PERSONAL DATA PROTECTION (IDP)

QUESTIONNAIRE

The questionnaire should ideally be completed by data protection authorities, health policy authorities, professional or patient associations as well as healthcare providers: you are invited to share it as widely as possible.

Please send your replies to dataprotection@coe.int no later than 15 December 2014.

1. Mobile Health (mHealth) and Electronic Health Records (EHR)

1.1. Data Protection Issues:

This is perhaps the biggest topic at the intersection of technology and data protection. Mobile health (mHealth) and Electronic Health Records (EHR) are increasingly used in healthcare systems and provision; it is a trend that needs to be examined.

EHR are more accurate and more cost-effective (in terms of storage) than paper-based notes. The concept of patient-controlled or patient-accessed EHR has been implemented to varying degrees in different countries.

Furthermore, some non-medical records can still contain health information about users, and it should be considered whether such records ought to be treated in a similar way to EHR.

Also, should 'medical data' as defined in Recommendation No. R (97) 5 on the protection of medical data cover physical tracking data, such as pedometer or fitness data, and data that can lead to medical information about an individual?

1.2. Questions: if EHR exist in your country, is your legal framework providing for a regulation of such records? If mHealth exists in your country, is your legal framework providing for a specific regulation? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

In our country there is no specific legislation for EHR. For that reason, EHR are covered by the Law "On protection of personal data", No. 9887 dated 10.03.2008, as amended, by Instruction No. 5 of 26 May 2010 "On fundamental rules concerning protection of personal data in the health care system" and by Instruction No. 23 dated 20.11.2012 "On processing personal data in the health sector".

Case-law:

Some of the findings made by the Inspection Department during inspections were:

- Lack of internal regulations regarding security measures for personal data;

- Lack of consent of the data subject (patient) in written and demonstrable form;

- Failure to fulfil the obligation to inform data subjects about the ways their data are processed and the rights they have;

- In contracts with third parties delegating the processing, rules should be set out concerning the security and confidentiality of data, deadlines and means of processing, access rights and ways of destroying data;

- Violation of the principle of adequacy of data and exceeding the purpose of processing;

- Keeping personal data for an indefinite term;

- Limitation of access to systems processing personal data;

- Lack of privacy policies on controllers' websites.


The Commissioner's authority is exercised through Recommendations and Orders and, in cases of serious, repeated and intentional violations, through administrative sanctions (fines).

Other:

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

EHR and Medical data:

What can be considered medical data in your country? Is it solely the data relating to a person’s health (state, diagnosis, prognosis, medical treatment, etc.)? Is non-medical data that leads to medical information treated the same way as medical data (for instance in terms of confidentiality requirements)? Is the EHR solely constituted of data collected in a medical context or can the individual also himself or herself add information regarding his or her health?

Under the law, medical data are presumed to be the information contained in an individual's medical records. These data are part of the special category of data called "sensitive data". The law makes no distinction between medical data and data that lead to their identification.

The individual is not able to add information about his or her health.

Sharing of data and Access:

Who is granted access to the EHR and how is the sharing of information (with other health care providers?) regulated? Where information is shared with pharmacists, is there a strict purpose limitation in place? How has the definition of the responsibility over the medical data been regulated?

Pursuant to Instruction No. 23, dated 20.11.2012, "On processing personal data in the health sector", health care professionals have an obligation to share information with the consent of the patient and in accordance with the purpose for which the information was collected. A request for data transmission by a third party must be made in writing and must indicate the health data requested along with the purpose of the request. The requested data must be adequate and necessary for fulfilling the purpose of the request. If the health care provider learns that the data requested are not proportionate to the purpose of the transmission, it shall notify the Commissioner for Protection of Personal Data immediately.

The transmission of health data shall also be recorded, together with the recipient, the data subject whose data are transmitted, and the purpose and date of transmission. These records shall be kept for 5 years.

Data quality:

Are the principles of legitimacy, fairness and minimisation applied to medical data? How are records kept accurate?  How long is the data kept for, is the specific storage period defined for the EHR?

These principles are provided for in Instruction No. 23, dated 20.11.2012, "Processing of personal data in the health sector", which also sets time limits for the retention of health data. Health records shall be retained for 30 years from the recording of the last data included. Discharge reports shall be kept for 50 years. Recordings made using imaging diagnostic methods shall be kept for 10 years. After the deadline, an assessment has to be made whether further retention is necessary for scientific purposes; otherwise the data shall be deleted. If further retention is necessary for scientific purposes, the records shall be transmitted to the competent state archive. Pharmacies shall keep prescriptions for 2 years; prescriptions for narcotic or psychotropic substances shall be kept for 3 years and prescriptions for strong poisonous drugs for 5 years. During the retention period, the readability and integrity of health records shall be maintained by technical measures. Rectification of false or misspelled data shall be carried out in such a way that the original data are not cancelled even after rectification.

Data integrity:

Are any specific methods used to ensure the integrity of the data? How are patients identified in the EHR? In the context of research, are anonymisation methods used and what safeguards exist for re-identification?

Under Instruction No. 23, dated 20.11.2012, "Processing of personal data in the health sector", for the purposes of scientific research a researcher may access health records with the permission of the director of the health service provider. The publication shall not include health data that can be linked to an identified or identifiable person, only anonymous data. During the research, the researcher shall not copy records in a way that the copy includes health data that are not anonymous. The names of researchers accessing the records shall be recorded, along with the reason and time of access. The access log shall be kept for 10 years and then deleted. Also, for the purposes of developing training materials for demonstration in medical training and research, images, video recordings or sound recordings can be used on condition that they are anonymised.

Data security:

Where are the records stored? Is there a centralised database of EHR? What security technology is being used?

The Office of the Commissioner has approved Instruction No. 21, dated 24/09/2012, "On determining the rules for safeguarding personal data processed by large controllers", which defines specific security rules for the protection of personal data processed manually or electronically.

Rights of the person/patient concerned:

How can the right of access be exercised? How can the data be corrected? Can the person enter information in his or her own EHR? What are the legal remedies available? 

Patients' rights are covered by Articles 12 and 13 of Law No. 9887, dated 10.03.2008, "On protection of personal data", as amended, which is published in English on the official website of the authority, www.kmdp.al


The controller must respond within 30 days of receipt of the data subject's request. Otherwise, the data subject has the right to appeal to the Office of the Commissioner. Following this complaint, in accordance with the Code of Civil Procedure, the data subject may file a complaint in court.

Consent:

Is the system based on an opt-in approach? Is the principle of granular consent applied (with the possibility of preventing access to certain data?)? If yes, in which situations?

Law No. 9887, dated 10.03.2008, "On protection of personal data", in Article 7 provides as one of the legal requirements for the processing of sensitive data that informed consent be obtained from the data subject, which may be revoked at any moment.

Withdrawal:

Are patients able to withdraw the consent given to EHR schemes? If yes, what is the relevant procedure to withdraw such consent? What are the consequences?

Law No. 9887, dated 10.03.2008, "On protection of personal data", in Article 7/2 states as one of the legal requirements for the processing of sensitive data that informed consent be obtained from the data subject; this consent can be revoked at any moment, making any further processing of the data illegal.

Outsourcing processing of data:

Is outsourcing common? Under what circumstances? Where is the data outsourced to? What sort of safeguards are in place?

Instruction No. 23, dated 20.11.2012, "Processing of personal data in the health sector", provides that the health care provider may contract data processors for technical operations regarding the processing of health data (e.g. safe storage of data).

Where a data processor is used, the controller and the processor have to enter into a written contract, following the requirements of the Law on protection of personal data and Instruction No. 19, dated 03.08.2012.

The data processor shall follow the instructions of the health care provider when processing health data on its behalf. It shall not use the data for its own purposes and, except where otherwise provided by law, must not give third parties access to the data processed.

The data processor must notify the controller if it intends to use other processors (sub-processors). In case of sub-processing, the requirements regarding the processor set out in the Law on protection of personal data and Instruction No. 19, dated 03.08.2012, apply to the sub-processor as well.

2. Cloud Computing, Data Mining and Profiling from both Medical Records (including EHR) and Data not specifically related to medical records.

2.1. Data Protection Issues:

Cloud computing has brought a new dimension to the way data is stored, accessed and processed. Infrastructure as a service (IaaS), Platform as a service (PaaS), Software as a service (SaaS), Network as a service (NaaS) are all used by services and organisations that deal with both medical data and non-medical data.

With the development of more advanced and efficient data-mining and data-querying techniques (e.g. NoSQL, MapReduce, Hadoop), in conjunction with increased processing power and data storage, mining data has never been more informative, easier or more cost-effective.

Healthcare is a natural sector in which to apply new technologies and methodologies, with particular impacts in epidemiology, public health, health services research, etc.

Data that can lead to the identification of a particular individual and his or her health situation is not limited to medical data per se, as found in Electronic Health Records, but extends to seemingly innocuous types of information.

There is a growing concern that these schemes may be implemented in a manner which does not always respect patients' confidentiality and basic rights, and, in a broader context, that the use of this information may prejudice the individuals concerned.

The ability to track and monitor patients and resources enables a more efficient provision of care but may have an impact on the right to privacy of the individual concerned.

2.2. Questions: Is your legal framework providing for a regulation of Cloud Computing, Data Mining and Profiling? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

There is no specific legal regulation, but the Commissioner's Office has recently issued a (non-binding) guide for the protection of personal data in cloud computing services.

Case-law:

Other:

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

Cloud computing:

How is cloud computing regulated in your country? Which security safeguards and standards are mandatory? Are there specific requirements in order to store medical data in the cloud? How is data shared and is the sharing regulated?

It is regulated by the (non-binding) guideline on protecting personal data in cloud computing services, which sets out the rights and obligations of the client and of the cloud service provider.

Government:

Do governmental programmes exist to allow for increased data-mining of medical records? If yes, what are the purposes of this data mining? Are private entities allowed to access the data? Under what circumstances? What sort of techniques and technologies are being used? To what end? Are data subjects informed of this type of data-mining?

NA

Private sector:

Are private entities allowed to mine medical data which they process? Under what circumstances? Can the government have access to this data?

NA

Profiling:

Are the government and the private sector allowed to employ profiling methods on medical data? If yes, under what circumstances? Is it allowed to cross and correlate non-medical data with medical data?

NA

3. RFID and wireless communication technologies

3.1. Data Protection Issues:

It is common for medical devices, such as patients' tags, to use RFID technologies in order to facilitate the transmission of patients' data.

It can also be related to the data-mining operations previously mentioned as it is another category of information that can be used to discern meaningful patterns.

Transmission of data through radio frequency is not limited to medical devices. Almost any smartphone uses some technology enabling it to collect and share the user's data. For instance, via Wi-Fi it is possible to identify users' locations and therefore infer some of their behaviour, which in some cases can relate to health information.

3.2. Questions: Is your legal framework providing for a regulation of RFID technologies and the transfer of personal data through wireless technologies? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

There is no specific regulation of RFID technologies.

The law on protection of personal data contains Article 27, which provides the "measures for the security of personal data", and Article 28, "Confidentiality of data". Controllers or processors who do not take the data security measures and do not observe the duty of confidentiality provided for under Articles 27 and 28 of this law are fined from 10 000 ALL to 150 000 ALL.

Case-law:

Other:

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

RFID:

How is RFID used in hospitals/clinics for (a) resource management, (b) patient care? What types of database systems (and security) are implemented in conjunction with RFID use? How are issues of access, sharing, consent etc. managed, considering that RFID may be used without the patients' knowledge?

NA

Wireless tracking technologies:

Are hospitals/clinics employing other wireless tracking technologies besides RFID? Which ones? Do they have to follow specific security requirements? Which ones?

NA

4. Applications (Mobile)

4.1. Data Protection Issues:

The information society increasingly relies on the use of "apps" (applications), most of them mobile. These apps are commonly designed to gather personal data, and in practice often process medical data.

Technologies such as multi-touch touchscreens, accelerometers, gyroscopes, ambient light sensors, GPS and cameras, and devices featuring fingerprint and biometric sensors can also involve the collection of medical data.

A mobile phone application can accurately monitor physiological data such as heartbeat, sleep patterns and fitness information.

4.2. Questions: Is your legal framework providing for a regulation of Apps and Mobile Apps? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

Our legal framework does not provide a special regulation for Apps and Mobile Apps.

Regarding the general law, we mention Article 5 of the Law on the protection of personal data, which stipulates the general principles of protection of personal data, and Article 7 on the criteria for processing sensitive data. Data processing in contradiction with the provisions of this law that does not constitute a criminal offence is subject to a fine of 10 000 to 500 000 ALL.

Case-law:

Other:

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

Apps:

Is it allowed to use apps and mobile apps to deploy medical services and collect medical data? If yes, which type of individual/organisation can develop and employ these apps? Are there specific security requirements for these types of apps?

Institutions:

Do hospitals/clinics/labs employ apps to gather medical data? Is there a need for a medical treatment to permit the use of an app to process the medical data? Are there specific security requirements for the institutions collecting these data from the apps? Are medico-administrative data used by hospitals/clinics for management purposes?

Tracking technologies:

Do hospitals/clinics/labs employ non-medical apps and devices to track and collect data from their patients? What type of data is collected? For what purpose? Is the data identifiable? Is the data combined with medical data?

Privacy by Design:

Is there any requirement to implement privacy by design in the development of medical apps and tracking apps? If yes, what are the standards?

Consent:

Is the system based on an opt-in approach? Is it necessary for the collection to be in reference to a medical diagnostic? How would this be applied to fitness and daily-basis data?

5. Medical Devices and Wearable Devices

5.1. Data Protection Issues:

A medical device can be defined as: 'any instrument, apparatus, appliance, software, material or other article, whether used alone or in combination, including the software intended by its manufacturer to be used specifically for diagnostic and/or therapeutic purposes and necessary for its proper application. Such a device should be intended by the manufacturer for one of a number of defined purposes, one of which is diagnosis, prevention, monitoring, treatment or alleviation of disease' (Directive 93/42/EEC, Article 1(2)).

Some eHealth and mHealth devices and apps do not fall within this definition of medical devices, as can also be the case for software working in combination with a physical device, for instance a smartphone.

5.2. Questions: Is your legal framework providing for a regulation of Medical Devices? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

Our legal framework does not provide a special regulation for Medical Devices.

Regarding the general law, we mention Article 5 of the Law on the protection of personal data, which stipulates the general principles of protection of personal data, and Article 7 on the criteria for processing sensitive data. Data processing in contradiction with the provisions of this law that does not constitute a criminal offence is subject to a fine of 10 000 to 500 000 ALL.

Case-law:

Other:

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

eHealth and mHealth:

Does the concept of medical device in your country encompass services and apparatus in the realm of eHealth and mHealth? What are the requirements? Should, for instance, the medical device be certified before it can be used?

Apps:

Does the concept of medical devices encompass apps? If yes, is there any regulation applicable to apps that perform medical services? Is there any regulation applicable on apps that track non-medical data that can lead to health information? If yes, what type of data?

Privacy by Design:

Is there any requirement to implement privacy by design in the development of medical and/or wearable devices? If yes, what are the standards?

Consent:

Is the system based on an opt-in approach? Is it necessary for the collection to be in reference to a medical treatment? How would this be applied to fitness and daily-basis data?

6. Internet of Things

6.1. Data Protection Issues:

The Internet of Things relates to common, ordinary devices that are now, and increasingly, connected to the Internet, such as cars, fridges, ovens, microwaves, etc. All of these devices can provide data that can reveal information concerning one's health. A fridge can easily inform on the type of food stored and thus the diet of an individual. One of the biggest challenges of the Internet of Things is to guarantee the right to privacy and data protection in a world where every device collects, processes, analyses and transmits data, commonly via wireless technologies.

In the realm of medical data, the issue mainly arises when crossing seemingly unrelated data that can lead to health information about an individual.

6.2. Questions: Is your legal framework providing for a regulation of the Internet of Things? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

Our legal framework does not provide a special regulation for Internet of Things.

Regarding the general law, we mention Article 5 of the Law on the protection of personal data, which stipulates the general principles of protection of personal data, and Article 7 on the criteria for processing sensitive data. Data processing in contradiction with the provisions of this law that does not constitute a criminal offence is subject to a fine of 10 000 to 500 000 ALL.

Also, Article 27 provides the "measures for the security of personal data" and Article 28 "Confidentiality of data". Controllers or processors who do not take the data security measures and do not observe the duty of confidentiality provided for under Articles 27 and 28 of this law are fined from 10 000 ALL to 150 000 ALL.

Case-law:

Other:

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

Security:

What are the security standards that need to be employed by these devices when collecting personal data?

Non-medical devices:

Are non-medical devices allowed to collect medical data, such as heart frequency?  Are they allowed to cross medical data with non-medical data?

Privacy by Design:

Is there any requirement to implement privacy by design in the development of connected devices? If yes, what are the standards?

7. Electronic Doctor (online Doctor) and on-line appointments

7.1. Data Protection Issues:

The doctor listens to, talks with and assesses the patient online, via a website, app or other channel, sometimes including video-conference. Medical data is collected and processed: what are the security requirements and standards followed? Other websites provide on-line appointments with doctors, which can also involve the processing of medical data.

7.2. Questions: Is your legal framework providing for a regulation of online Medical Treatment and is the on-line appointment system covered by such a framework? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

Case-law:

Other:

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

Medical treatment:

Is it allowed to perform medical treatment via online services? If yes, how should the medical services be provided? Does it have to follow the same requirements of a regular physically-present medical treatment?

Medical data:

How should the data collected via a medical treatment performed online be processed? Are there specific requirements? Which ones?

Other comments and technologies

Should you wish to describe any technology, feature or trend that has not been covered by the questionnaire, please feel free to use the space provided below. Where relevant, also indicate recent legislation changes, guidelines and/or case law.
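The record-keeping rules in the Commissioner's reply above (every transmission to a third party logged with recipient, data subject, purpose and date and kept for 5 years; researcher access logged with reason and time and kept for 10 years; records kept for 30 years from the last entry; rectification that never cancels the original data) amount to an append-only record store with audit logs. The following is an added example and is not part of this compilation nor code from the Albanian authority: the class and function names, the identifying-field list, the sample patient and the use of 365-day years are assumptions made for illustration; only the retention periods are taken from the reply.

```python
"""Append-only health-record store with transmission/access logs and retention windows.
Added example, not part of the compilation and not the Albanian Commissioner's code; it
models the rules quoted above (rectification keeps the original entry; releases and
researcher accesses are logged; 30/5/10-year retention).  Names and sample data are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

RETENTION_YEARS = {"health_record": 30, "transmission_log": 5, "access_log": 10}  # from the reply
IDENTIFYING_FIELDS = {"name", "national_id"}  # assumed set of direct identifiers, stripped for research

def _years_after(d, years):
    """End of a retention window; 365-day years keep the arithmetic simple (a simplification)."""
    return d + timedelta(days=365 * years)

@dataclass(frozen=True)
class Entry:
    version: int
    field_name: str
    value: str
    recorded_on: date
    supersedes: int = None  # version this entry corrects, if any
    reason: str = None

@dataclass
class HealthRecord:
    """Entries are only appended; a correction points at the version it replaces."""
    patient_id: str
    entries: list = field(default_factory=list)

    def add(self, field_name, value, recorded_on, supersedes=None, reason=None):
        entry = Entry(len(self.entries) + 1, field_name, value, recorded_on, supersedes, reason)
        self.entries.append(entry)
        return entry

    def rectify(self, version, new_value, recorded_on, reason):
        original = self.entries[version - 1]  # stays in place, never deleted
        return self.add(original.field_name, new_value, recorded_on, version, reason)

    def current(self):
        """Latest non-superseded value per field."""
        superseded = {e.supersedes for e in self.entries if e.supersedes is not None}
        return {e.field_name: e.value for e in self.entries if e.version not in superseded}

    def retention_end(self):
        return _years_after(max(e.recorded_on for e in self.entries), RETENTION_YEARS["health_record"])

@dataclass(frozen=True)
class LogLine:
    kind: str        # "transmission" or "access"
    patient_id: str  # the data subject
    party: str       # recipient or researcher
    purpose: str
    on: date
    fields: tuple = ()

class Registry:
    def __init__(self):
        self.records = {}
        self.log = []

    def transmit(self, patient_id, recipient, purpose, requested_fields, on):
        """Release only the fields named in the written request, and log the release."""
        current = self.records[patient_id].current()
        missing = [f for f in requested_fields if f not in current]
        if missing:  # request not adequate for its stated purpose: refuse and log nothing as released
            raise ValueError(f"unknown fields {missing}")
        self.log.append(LogLine("transmission", patient_id, recipient, purpose, on, tuple(requested_fields)))
        return {f: current[f] for f in requested_fields}

    def research_access(self, researcher, patient_id, reason, on):
        """Log the access; the copy lacks direct identifiers, which alone is not full anonymisation."""
        current = self.records[patient_id].current()
        self.log.append(LogLine("access", patient_id, researcher, reason, on))
        return {k: v for k, v in current.items() if k not in IDENTIFYING_FIELDS}

    def purge_expired(self, today):
        """Drop log lines and records whose retention window has ended; return what was dropped."""
        keep, dropped = [], []
        for line in self.log:
            years = RETENTION_YEARS["transmission_log" if line.kind == "transmission" else "access_log"]
            (keep if _years_after(line.on, years) > today else dropped).append(line)
        self.log = keep
        for pid in [p for p, r in self.records.items() if r.retention_end() <= today]:
            dropped.append(self.records.pop(pid))
        return dropped

def demo():
    """Constructed sample data (not from the page); returns the values a caller can check."""
    reg = Registry()
    rec = reg.records["p1"] = HealthRecord("p1")
    rec.add("name", "A. Example", date(2010, 3, 1))
    rec.add("diagnosis", "J45.0", date(2010, 3, 1))
    rec.rectify(2, "J45.9", date(2012, 6, 5), reason="coding error")
    released = reg.transmit("p1", "pharmacy-7", "dispensing", ["diagnosis"], date(2012, 7, 1))
    study = reg.research_access("dr-r", "p1", "asthma cohort", date(2013, 1, 10))
    try:
        reg.transmit("p1", "lab-2", "billing", ["genome"], date(2013, 2, 1))
        rejected = False
    except ValueError:
        rejected = True
    dropped = reg.purge_expired(date(2020, 1, 1))
    return rec, released, study, rejected, dropped, reg
```

In `demo()`, the corrected diagnosis is appended as version 3 pointing at version 2, so the original value is still readable in the history while `current()` returns the rectified one; the 2012 transmission line is the only item whose 5-year window has passed by 2020, so `purge_expired` drops it and keeps the 10-year access line and the 30-year record. Stripping names before handing a copy to a researcher is the minimum the reply calls for, not a guarantee against re-identification, which is why the comment flags it.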


ALBANIA / ALBANIE - AMERICAN HOSPITAL / HÔPITAL AMERICAIN

QUESTIONNAIRE


1. Mobile Health (mHealth) and Electronic Health Records (EHR)


1.2. Questions: if EHR exist in your country, is your legal framework providing for a regulation of such records? If mHealth exists in your country, is your legal framework providing for a specific regulation? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

Case-law:

Other:

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

EHR and Medical data:

What can be considered medical data in your country? Is it solely the data relating to a person’s health (state, diagnosis, prognosis, medical treatment, etc.)? Is non-medical data that leads to medical information treated the same way as medical data (for instance in terms of confidentiality requirements)? Is the EHR solely constituted of data collected in a medical context or can the individual also himself or herself add information regarding his or her health?

Information regarding the health of the person is considered health information. Non-health information is treated as well, but not in the same way as health information. The EHR allows individuals to enter information regarding their health.

Sharing of data and Access:

Who is granted access to the EHR and how is the sharing of information (with other health care providers?) regulated? Where information is shared with pharmacists, is there a strict purpose limitation in place? How has the definition of the responsibility over the medical data been regulated?

In the EHR, only authorised staff have access, based on their responsibilities. The respective departments are responsible only for the information which is relevant to them.

Data quality:

Are the principles of legitimacy, fairness and minimisation applied to medical data? How are records kept accurate?  How long is the data kept for, is the specific storage period defined for the EHR?

The principle of legality for patient data is partially applied. Accurate records are kept for an indefinite period.

Data integrity:

Are any specific methods used to ensure the integrity of the data? How are patients identified in the EHR? In the context of research, are anonymisation methods used and what safeguards exist for re-identification?

To maintain the integrity of the data, different standards are used. Patients in the EHR are identified by a unique identification number and personal data. Anonymisation is not used.

Data security:

Where are the records stored? Is there a centralised database of EHR? What security technology is being used?

The data are stored in a centralised EHR database. The technology used is client-server with a central database.

Rights of the person/patient concerned:

How can the right of access be exercised? How can the data be corrected? Can the person enter information in his or her own EHR? What are the legal remedies available? 

The rights of access are based on responsibilities. The data are corrected only by authorised staff, and persons cannot enter data about themselves or retrieve them.

Consent:

Is the system based on an opt-in approach? Is the principle of granular consent applied (with the possibility of preventing access to certain data?)? If yes, in which situations?

Withdrawal:

Are patients able to withdraw the consent given to EHR schemes? If yes, what is the relevant procedure to withdraw such consent? What are the consequences?

Patients do not have the right to withdraw the consent given in EHR schemes.

Outsourcing processing of data:

Is outsourcing common? Under what circumstances? Where is the data outsourced to? What sort of safeguards are in place?

We don’t use outsourcing.


2. Cloud Computing, Data Mining and Profiling from both Medical Records (including EHR) and Data not specifically related to medical records.

2.1. Data Protection Issues:

Cloud computing has brought a new dimension to the way data is stored, accessed and processed. Infrastructure as a service (IaaS), Platform as a service (PaaS), Software as a service (SaaS), Network as a service (NaaS) are all used by services and organisations that deal with both medical data and non-medical data.

With the development of more advanced and efficient data-mining and data-querying techniques (e.g. NoSQL, MapReduce, Hadoop) in conjunction with increased processing power and data storage, mining data has never been more informative, easier, and cost-effective.

Healthcare is a natural sector in which to apply new technologies and methodologies, with particular impacts in epidemiology, public health, health services research, etc.

Data that can lead to the identification of a particular individual and his/her health situation is not limited to medical data per se, present in Electronic Health Records, but extends to unsuspicious types of information as well.

There is a growing concern that these schemes may be implemented in a manner which does not always respect the patients’ confidentiality and basic rights, and, in a broader context, that the use of this information may prejudice the individuals concerned.

The ability to track and monitor patients and resources enables a more efficient provision of care but may have an impact on the right to privacy of the individual concerned.

2.2. Questions: Is your legal framework providing for a regulation of Cloud Computing, Data Mining and Profiling? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

Case-law:

Other:

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

Cloud computing:

How is cloud computing regulated in your country? Which security safeguards and standards are mandatory? Are there specific requirements in order to store medical data in the cloud? How is data shared and is the sharing regulated?

Cloud computing is provided by ISPs, who use international safety standards. There are no specific criteria for the storage of medical data in the cloud. We don’t distribute information.

Government:

Do governmental programmes exist to allow for increased data-mining of medical records? If yes, what are the purposes of this data mining? Are private entities allowed to access the data? Under what circumstances? What sort of techniques and technologies are being used? To what end? Are data subjects informed of this type of data-mining?

We don’t have government programmes that enable increased data mining.

Private sector:

Are private entities allowed to mine medical data which they process? Under what circumstances? Can the government have access to this data?

Private entities are allowed to mine medical data for their internal purposes, such as information, statistics, etc. The government may have access to this information.

Profiling:

Are the government and the private sector allowed to employ profiling methods on medical data? If yes, under what circumstances? Is it allowed to cross and correlate non-medical data with medical data?

Profiling methods can be used by the private sector for medical records but are not applicable.

3. RFID and wireless communication technologies

3.1. Data Protection Issues:

It is common for medical devices, such as patients’ tags, to possess RFID technologies in order to facilitate the transmission of the patients’ data.

It can also be related to the data-mining operations previously mentioned as it is another category of information that can be used to discern meaningful patterns.

Transmission of data through radio-frequency is not limited to medical devices. Almost any smartphone uses some technology that enables the collection, and sharing, of the user’s data. For instance, via Wi-Fi it is possible to identify users’ locations and therefore infer some of their behaviour, which in some cases can relate to health information.

3.2. Questions: Is your legal framework providing for a regulation of RFID technologies and the transfer of personal data through wireless technologies? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

Case-law:

Other:

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

RFID:

How is RFID used in hospital/clinics for (a) resource management, (b) patient care? What types of database systems (and security) are implemented in conjunction with RFID use? How are issues of access, sharing, consent etc. managed considering that RFID may be used without the patients’ knowledge.

RFID is not used to manage the data. If it is used, it will be only for internal connections and will apply security standards (such as passwords and encryption). Access is granted only to authorised internal staff.

Wireless tracking technologies:

Are hospitals/clinics employing other wireless tracking technologies besides RFID? Which ones? Do they have to follow specific security requirements? Which ones?

We don’t use wireless tracking technology.


4. Applications (Mobile)

4.1. Data Protection Issues:

Information society is increasingly relying on the use of “apps” (application), most of them mobile. These apps are commonly designed to gather personal data, and in practice often process medical data.

Technologies such as multi-touch touchscreen, accelerometers or gyroscopes, ambient light sensors, GPS and cameras, and devices featuring fingerprint and biometric sensors also involve the collection of medical data.

A mobile phone application can accurately monitor physiological data, such as heartbeats, sleep patterns and fitness information.

4.2. Questions: Is your legal framework providing for a regulation of Apps and Mobile Apps? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

Case-law:

Other:

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

Apps:

Is it allowed to use apps and mobile apps to deploy medical services and collect medical data? If yes, which type of individual/organisation can develop and employ these apps? Are there specific security requirements for these types of apps?

The use of apps for medical services and medical data collection is allowed. Only internal staff or a contracting firm has the right to develop the program based on demand, and only internal staff has the right to use it. There are specific requirements for different levels of security.

Institutions:

Do hospitals/clinics/labs employ apps to gather medical data? Is there a need for a medical treatment to permit the use of an app to process the medical data? Are there specific security requirements for the institutions collecting these data from the apps? Are medico-administrative data used by hospitals/clinics for management purposes?

The hospital uses the app to collect medical data. Often medical treatment requires the use of the app to process medical records. There are special security requirements for this information from institutions. The data are used by the hospital for management purposes.

Tracking technologies:

Do hospitals/clinics/labs employ non-medical apps and devices to track and collect data from their patients? What type of data is collected? For what purpose? Is the data identifiable? Is the data combined with medical data?

No other apps are used to collect data from patients.

Privacy by Design:

Is there any requirement to implement privacy by design in the development of medical apps and tracking apps? If yes, what are the standards?

Yes, there is a requirement to implement Privacy by Design in the development of medical applications by the staff and internal departments. We are not using any specific standard for this purpose.

Consent:

Is the system based on an opt-in approach? Is it necessary for the collection to be in reference to a medical diagnostic? How would this be applied to fitness and daily-basis data?

The system is not based on an opt-in or opt-out approach.

5. Medical Devices and Wearable Devices

5.1. Data Protection Issues:

A medical device can be defined as: ‘any instrument, apparatus, appliance, software, material or other article, whether used alone or in combination, including the software intended by its manufacturer to be used specifically for diagnostic and/or therapeutic purposes and necessary for its proper application. Such a device should be intended by the manufacturer for one of a number of defined purposes, one of which is, diagnosis, prevention, monitoring, treatment or alleviation of disease’ (Directive 93/42/EEC Article 1:2)

Some eHealth and mHealth devices and apps do not fall within this definition of medical devices, as can also be the case for software working in combination with a physical device, for instance a smartphone.

5.2. Questions: Is your legal framework providing for a regulation of Medical Devices? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

Case-law:

Other:

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

eHealth and mHealth:

Does the concept of Medical device in your country encompass services and apparels in the realm of eHealth and mHealth? What are the requirements? Should, for instance, the medical device be certified before it can be used?

No, it is not applicable.

Apps:

Does the concept of medical devices encompass apps? If yes, is there any regulation applicable to apps that perform medical services? Is there any regulation applicable on apps that track non-medical data that can lead to health information? If yes, what type of data?

Yes, it includes applications that are used by equipment from special medical departments. They are not used to track non-medical information.

Privacy by Design:

Is there any requirement to implement privacy by design in the development of medical and/or wearable devices? If yes, what are the standards?

There is a requirement to implement PbD in the development of medical equipment, but based on the standards of the medical device.

Consent:

Is the system based on an opt-in approach? Is it necessary for the collection to be in reference to a medical treatment? How would this be applied to fitness and daily-basis data?

The system is not based on an opt-out approach.

6. Internet of Things

6.1. Data Protection Issues:

Internet of things relates to common, ordinary devices that are now, and increasingly, connected to the Internet, such as cars, fridges, ovens, microwaves, etc. All of these devices can provide data that can reveal information concerning one’s health. A fridge can easily inform on the type of food stored and thus the diet of an individual. One of the biggest challenges of the Internet of Things is to guarantee the right to privacy and data protection in a world where every device collects, processes, analyses and transmits data, commonly via wireless technologies.

In the realm of medical data, the issue mainly arises when crossing seemingly unrelated data that can lead to health information about an individual.

6.2. Questions: Is your legal framework providing for a regulation of the Internet of Things? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

Case-law:

Other:

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

Security:

What are the security standards that need to be employed by these devices when collecting personal data?

There are no standards used by these devices.

Non-medical devices:

Are non-medical devices allowed to collect medical data, such as heart frequency?  Are they allowed to cross medical data with non-medical data?

Non-medical equipment is not allowed to collect medical records or to cross data with medical devices.

Privacy by Design:

Is there any requirement to implement privacy by design in the development of connected devices? If yes, what are the standards?

There is no requirement for the implementation of the PbD for these devices.

7. Electronic Doctor (online Doctor) and on-line appointments

7.1. Data Protection Issues:

The doctor listens, talks and assesses the patient online, via a website, app or channel, sometimes including video-conference. Medical data is collected and processed; what are the security requirements and standards followed? Other websites provide for on-line appointments with doctors, which can also involve the processing of medical data.

7.2. Questions: Is your legal framework providing for a regulation of online Medical Treatment and is the on-line appointment system covered by such a framework? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

Case-law:

Other:

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

Medical treatment:

Is it allowed to perform medical treatment via online services? If yes, how should the medical services be provided? Does it have to follow the same requirements of a regular physically-present medical treatment?

No, medical treatment services are not allowed online, only consultancy.

Medical data:

How should the data collected via a medical treatment performed online be processed? Are there specific requirements? Which ones?

The data must be processed in different structures for different cases in order to produce precise information from what comes online. This can be done in three steps: gathering information, which should be precise; processing it in the appropriate way for each case; and finally analysing it in order to identify arguments and techniques.

Other comments and technologies

Should you wish to describe any technology, feature or trend that has not been covered by the questionnaire, please feel free to use the space provided below. Where relevant, also indicate recent legislation changes, guidelines and/or case law.


ALBANIA / ALBANIE - SALUS HOSPITAL / HÔPITAL SALUS

QUESTIONNAIRE

The questionnaire should ideally be completed by data protection authorities, health policy authorities, professional or patient associations as well as healthcare providers: you are invited to share it as widely as possible.

Please send your replies to dataprotection@coe.int no later than 15 December 2014.

1. Mobile Health (mHealth) and Electronic Health Records (EHR)

1.1. Data Protection Issues:

This is perhaps the biggest topic sitting at the intersection of technology and data protection. Mobile health (mHealth) and Electronic Health Records (EHR) are increasingly used in healthcare systems and provisions – it is a trend that needs to be examined.

As regards EHR, these records are more accurate and cost-effective (in terms of storage) than paper-based notes. The concept of patient controlled/accessed EHR has been implemented in varying degrees in different countries.

Furthermore, some non-medical records can still contain health information about users, and it should be considered whether such records ought to be treated in a similar way to EHR.

Also, should ‘medical data’ as defined in Recommendation N° (97) 5 on the protection of medical data cover physical tracking data, such as pedometer or fitness data, and data that can lead to medical information about an individual?

1.2. Questions: if EHR exist in your country, is your legal framework providing for a regulation of such records? If mHealth exists in your country, is your legal framework providing for a specific regulation? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

We do not have a law that regulates electronic health records. Salus has installed a program that manages electronic patient records (Medarchiver). Currently, the only legal reference we are aware of for the protection of personal medical data is Law No. 9887 of 10.03.2008.

Case-law:

We don’t have any.

Other:

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

EHR and Medical data:

What can be considered medical data in your country? Is it solely the data relating to a person’s health (state, diagnosis, prognosis, medical treatment, etc.)? Is non-medical data that leads to medical information treated the same way as medical data (for instance in terms of confidentiality requirements)? Is the EHR solely constituted of data collected in a medical context or can the individual also himself or herself add information regarding his or her health?

The data which determine condition, diagnosis, prognosis and medical treatment. Personal data protection and confidentiality apply to more than 90% of the services offered. It is impossible for the patient to add information about his or her health.

Sharing of data and Access:

Who is granted access to the EHR and how is the sharing of information (with other health care providers?) regulated? Where information is shared with pharmacists, is there a strict purpose limitation in place? How has the definition of the responsibility over the medical data been regulated?

All employees who are involved in medical treatment and financial treatment. The information is not shared with the pharmacist. Every doctor who treats the patient has access to the EHR and is thus informed about the history of the patient. Our system gives the possibility to restrict access.

Data quality:

Are the principles of legitimacy, fairness and minimisation applied to medical data? How are records kept accurate?  How long is the data kept for, is the specific storage period defined for the EHR?

We apply the principles of legitimacy, fairness and minimisation. Technically there is no loss of data; we preserve it at 100%. The data will never be cancelled or deleted; we keep it forever.

Data integrity:

Are any specific methods used to ensure the integrity of the data? How are patients identified in the EHR? In the context of research, are anonymisation methods used and what safeguards exist for re-identification?

No, we don’t have any particular methods. The patients are always identified by name and surname. Electronically, such methods do not exist.

Data security:

Where are the records stored? Is there a centralised database of EHR? What security technology is being used?

In the database. There is a centralised database. The security technology is user authentication with username and password.

Rights of the person/patient concerned:

How can the right of access be exercised? How can the data be corrected? Can the person enter information in his or her own EHR? What are the legal remedies available? 

By using a username and password. Medical records can be changed only by the referring physician. Absolutely no person can enter any information in the EHR. The Law for the protection of personal data.

Consent:

Is the system based on an opt-in approach? Is the principle of granular consent applied (with the possibility of preventing access to certain data?)? If yes, in which situations?

The system is based on an opt-in approach. Only authorised persons have access.

Withdrawal:

Are patients able to withdraw the consent given to EHR schemes? If yes, what is the relevant procedure to withdraw such consent? What are the consequences?

The patient consent form is extracted from the EHR and the patient signs it. We give the patient a copy of the consent.

Outsourcing processing of data:

Is outsourcing common? Under what circumstances? Where is the data outsourced to? What sort of safeguards are in place?

We do not use subcontracting.

2. Cloud Computing, Data Mining and Profiling from both Medical Records (including EHR) and Data not specifically related to medical records.

2.1. Data Protection Issues:

Cloud computing has brought a new dimension to the way data is stored, accessed and processed. Infrastructure as a service (IaaS), Platform as a service (PaaS), Software as a service (SaaS), Network as a service (NaaS) are all used by services and organisations that deal with both medical data and non-medical data.

With the development of more advanced and efficient data-mining and data-querying techniques (e.g. NoSQL, MapReduce, Hadoop) in conjunction with increased processing power and data storage, mining data has never been more informative, easier, and cost-effective.

Healthcare is a natural sector in which to apply new technologies and methodologies, with particular impacts in epidemiology, public health, health services research, etc.

Data that can lead to the identification of a particular individual and his/her health situation is not limited to medical data per se, present in Electronic Health Records, but extends to unsuspicious types of information as well.

There is a growing concern that these schemes may be implemented in a manner which does not always respect the patients’ confidentiality and basic rights, and, in a broader context, that the use of this information may prejudice the individuals concerned.

The ability to track and monitor patients and resources enables a more efficient provision of care but may have an impact on the right to privacy of the individual concerned.

2.2. Questions: Is your legal framework providing for a regulation of Cloud Computing, Data Mining and Profiling? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

It does not provide for this.

Case-law:

Other:

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

Cloud computing:

How is cloud computing regulated in your country? Which security safeguards and standards are mandatory? Are there specific requirements in order to store medical data in the cloud? How is data shared and is the sharing regulated?

Cloud computing does not exist in our country.

Government:

Do governmental programmes exist to allow for increased data-mining of medical records? If yes, what are the purposes of this data mining? Are private entities allowed to access the data? Under what circumstances? What sort of techniques and technologies are being used? To what end? Are data subjects informed of this type of data-mining?

There are no government programmes to enable increased data-mining of medical data.

Private sector:

Are private entities allowed to mine medical data which they process? Under what circumstances? Can the government have access to this data?

In our hospital we don’t have data mining.

Only article 7 of Law n. 9887 dated 10.03.2008 allows processing:

Processing of sensitive data, in circumstances other than those specified in paragraph 2 of this article, is regulated by the Council of Ministers, only for purposes of important public interests, under appropriate protective measures.

Profiling:

Are the government and the private sector allowed to employ profiling methods on medical data? If yes, under what circumstances? Is it allowed to cross and correlate non-medical data with medical data?

The only legal reference for the protection of personal data is LAW No. 9887, dated 10.3.2008, LAW FOR THE PROTECTION OF PERSONAL DATA, and Article 7:

The data required for the purposes of preventive medicine, medical diagnosis, the provision of health care, treatment, and management of health care services and their use by medical personnel or other persons who have the obligation of confidentiality.

3. RFID and wireless communication technologies

3.1. Data Protection Issues:

It is common for medical devices, such as patients’ tags, to possess RFID technologies in order to facilitate the transmission of the patients’ data.

It can also be related to the data-mining operations previously mentioned as it is another category of information that can be used to discern meaningful patterns.

Transmission of data through radio-frequency is not limited to medical devices. Almost any smartphone uses some technology that enables the collection, and sharing, of the user’s data. For instance, via Wi-Fi it is possible to identify users’ locations and therefore infer some of their behaviour, which in some cases can relate to health information.

3.2. Questions: Is your legal framework providing for a regulation of RFID technologies and the transfer of personal data through wireless technologies? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

The legislation does not provide for a regulation of RFID technologies. We do not use them.

Case-law:

Other:

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

RFID:

How is RFID used in hospital/clinics for (a) resource management, (b) patient care? What types of database systems (and security) are implemented in conjunction with RFID use? How are issues of access, sharing, consent etc. managed considering that RFID may be used without the patients’ knowledge.

We don’t use it.

Wireless tracking technologies:

Are hospitals/clinics employing other wireless tracking technologies besides RFID? Which ones? Do they have to follow specific security requirements? Which ones?

We do not apply them in our structure.

4. Applications (Mobile)

4.1. Data Protection Issues:

Information society is increasingly relying on the use of “apps” (application), most of them mobile. These apps are commonly designed to gather personal data, and in practice often process medical data.

Technologies such as multi-touch touchscreen, accelerometers or gyroscopes, ambient light sensors, GPS and cameras, and devices featuring fingerprint and biometric sensors also involve the collection of medical data.

A mobile phone application can accurately monitor physiological data, such as heartbeats, sleep patterns and fitness information.

4.2. Questions: Is your legal framework providing for a regulation of Apps and Mobile Apps? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

We don’t have any legal provision.

Case-law:

We don’t have any.

Other:

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

Apps:

Is it allowed to use apps and mobile apps to deploy medical services and collect medical data? If yes, which type of individual/organisation can develop and employ these apps? Are there specific security requirements for these types of apps?

Our structures don’t use these applications.

Institutions:

Do hospitals/clinics/labs employ apps to gather medical data? Is there a need for a medical treatment to permit the use of an app to process the medical data? Are there specific security requirements for the institutions collecting these data from the apps? Are medico-administrative data used by hospitals/clinics for management purposes?

Our structures don’t use these applications to collect medical data. The data are used for management purposes in the context of quality improvement.

Tracking technologies:

Do hospitals/clinics/labs employ non-medical apps and devices to track and collect data from their patients? What type of data is collected? For what purpose? Is the data identifiable? Is the data combined with medical data?

Our structure does not use non-medical apps.

Privacy by Design:

Is there any requirement to implement privacy by design in the development of medical apps and tracking apps? If yes, what are the standards?

Our structure does not use non-medical apps.

Consent:

Is the system based on an opt-in approach? Is it necessary for the collection to be in reference to a medical diagnostic? How would this be applied to fitness and daily-basis data?

As a structure, we do not use non-medical applications and equipment for tracking and collecting data from our patients.

5. Medical Devices and Wearable Devices

5.1. Data Protection Issues:

A medical device can be defined as: ‘any instrument, apparatus, appliance, software, material or other article, whether used alone or in combination, including the software intended by its manufacturer to be used specifically for diagnostic and/or therapeutic purposes and necessary for its proper application. Such a device should be intended by the manufacturer for one of a number of defined purposes, one of which is, diagnosis, prevention, monitoring, treatment or alleviation of disease’ (Directive 93/42/EEC Article 1:2)

Some eHealth and mHealth devices and apps do not fall in this definition of medical devices, as can also be the case of a software working in combination with a physical device, for instance a smartphone.

5.2. Questions: Is your legal framework providing for a regulation of Medical Devices? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

There is no specific law for this. Medical equipment is simply subject to service and technical control.

Case-law:

Other:

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

eHealth and mHealth:

Does the concept of Medical device in your country encompass services and apparels in the realm of eHealth and mHealth? What are the requirements? Should, for instance, the medical device be certified before it can be used?

Not included.

Apps:

Does the concept of medical devices encompass apps? If yes, is there any regulation applicable to apps that perform medical services? Is there any regulation applicable on apps that track non-medical data that can lead to health information? If yes, what type of data?

No.

Privacy by Design:

Is there any requirement to implement privacy by design in the development of medical and/or wearable devices? If yes, what are the standards?

Not included.

Consent:

Is the system based on an opt-in approach? Is it necessary for the collection to be in reference to a medical treatment? How would this be applied to fitness and daily-basis data?

Not included.

6. Internet of Things

6.1. Data Protection Issues:

Internet of things relates to common, ordinary devices that are now, and increasingly, connected to the Internet, such as cars, fridges, ovens, microwaves, etc. All of these devices can provide data that can lead to reveal information concerning one’s health. A fridge can easily inform on the type of food stored and thus the diet of an individual. One of the biggest challenges of the Internet of Things is to guarantee the right to privacy and data protection in a world where every device collects, processes, analyses and transmits the data, commonly via wireless technologies.

In the realm of medical data, the issue mainly arises when crossing seemly unrelated data that can lead to health information about an individual.

6.2. Questions: Is your legal framework providing for a regulation of the Internet of Things? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

No, there is no legal reference.

Case-law:

Other:

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

Security:

What are the security standards that need to be employed by these devices when collecting personal data?

We don’t use these devices.

Non-medical devices:

Are non-medical devices allowed to collect medical data, such as heart frequency?  Are they allowed to cross medical data with non-medical data?

We don’t have non-medical devices.

Privacy by Design:

Is there any requirement to implement privacy by design in the development of connected devices? If yes, what are the standards?

No, there is no requirement.

7. Electronic Doctor (online Doctor) and on-line appointments

7.1. Data Protection Issues:

The Doctor listens, talks and assesses the patient online, via a website, app, canal, sometimes including video-conference. Medical data is collected and processed, what are the security requirements and standards followed? Other websites provide for on-line appointments with doctors, which can also involve the processing of medical data.

7.2. Questions: Is your legal framework providing for a regulation of online Medical Treatment and is the on-line appointment system covered by such a framework? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

No, there is no legal reference.

Case-law:

Other:

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

Medical treatment:

Is it allowed to perform medical treatment via online services? If yes, how should the medical services be provided? Does it have to follow the same requirements of a regular physically-present medical treatment?

It is allowed, under the same requirements.

Medical data:

How should the data collected via a medical treatment performed online be processed? Are there specific requirements? Which ones?

No, there are no specific requirements for processing. It is governed by the law on the protection of personal data, Article 7:

Processing of sensitive data, in circumstances other than those specified in paragraph 2 of this article, is regulated by the Council of Ministers, only for purposes of important public interests, under appropriate protective measures.

Other comments and technologies

Should you wish to describe any technology, feature or trend that has not been covered by the questionnaire, please feel free to use the space provided below. Where relevant, also indicate recent legislation changes, guidelines and/or case law.

ALBANIA / ALBANIE - UNIVERSITY HOSPITAL CENTER "MOTHER THERESA"

QUESTIONNAIRE

The questionnaire should ideally be completed by data protection authorities, health policy authorities, professional or patient associations as well as healthcare providers: you are invited to share it as widely as possible.

Please send your replies to dataprotection@coe.int no later than 15 December 2014.

1. Mobile Health (mHealth) and Electronic Health Records (EHR)

1.1. Data Protection Issues:

This is perhaps the biggest topic sitting at the intersection of technology and data protection. Mobile health (mHealth) and Electronic Health Records (EHR) are increasingly used in healthcare systems and provisions – it is a trend that needs to be examined.

Related to the EHR, these records are more accurate, cost-effective (in terms of storage) than paper-based notes. The concept of patient controlled/accessed EHR has been implemented in varying degrees in different countries.

Furthermore, some non-medical records can still contain health information about users, and it should be considered whether such records ought to be treated in a similar way to EHR.

Also, should ‘medical data’ as defined in Recommendation N° (97) 5 on the protection of medical data cover physical tracking data, such as pedometers or fitness data and data that can lead to medical information about an individual?

1.2. Questions: if EHR exist in your country, is your legal framework providing for a regulation of such records? If mHealth exists in your country, is your legal framework providing for a specific regulation? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

Case-law:

No

Other:

No

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

EHR and Medical data:

What can be considered medical data in your country? Is it solely the data relating to a person’s health (state, diagnosis, prognosis, medical treatment, etc.)? Is non-medical data that leads to medical information treated the same way as medical data (for instance in terms of confidentiality requirements)? Is the EHR solely constituted of data collected in a medical context or can the individual also himself or herself add information regarding his or her health?

Medical data in our country are considered: state, diagnosis, prognosis and medical treatment. These medical data are treated the same way as confidential data.

EHR is solely constituted of data collected in a medical context. An individual can not add information.

Sharing of data and Access:

Who is granted access to the EHR and how is the sharing of information (with other health care providers?) regulated? Where information is shared with pharmacists, is there a strict purpose limitation in place? How has the definition of the responsibility over the medical data been regulated?

The medical staff has access to the medical data. There is limited information given to the pharmacists. The responsibility over the medical data has been regulated by signing a Privacy Statement.

Data quality:

Are the principles of legitimacy, fairness and minimisation applied to medical data? How are records kept accurate?  How long is the data kept for, is the specific storage period defined for the EHR?

Yes, the principles of legitimacy, fairness and minimization are applied for the medical data.

The data is kept for a non-specified period of time.

Data integrity:

Are any specific methods used to ensure the integrity of the data? How are patients identified in the EHR? In the context of research, are anonymisation methods used and what safeguards exist for re-identification?

No, there are no specific methods. The patients are identified by their names, surnames, ID card or passport.

Safeguards are the access levels to the medical data.

Data security:

Where are the records stored? Is there a centralised database of EHR? What security technology is being used?

There is a database which is centralized.

Rights of the person/patient concerned:

How can the right of access be exercised? How can the data be corrected? Can the person enter information in his or her own EHR? What are the legal remedies available? 

The data can not be corrected. Even if they are corrected, traces remain in the system. An individual can not enter information on his/her own.

Consent:

Is the system based on an opt-in approach? Is the principle of granular consent applied (with the possibility of preventing access to certain data?)? If yes, in which situations?

Yes, the access to certain data can be prevented by activation or non-activation in data entry.

Withdrawal:

Are patients able to withdraw the consent given to EHR schemes? If yes, what is the relevant procedure to withdraw such consent? What are the consequences?

Outsourcing processing of data:

Is outsourcing common? Under what circumstances? Where is the data outsourced to? What sort of safeguards are in place?

Not applicable.

2. Cloud Computing, Data Mining and Profiling from both Medical Records (including EHR) and Data not specifically related to medical records.

2.1. Data Protection Issues:

Cloud computing has brought a new dimension to the way data is stored, accessed and processed. Infrastructure as a service (IaaS), Platform as a service (PaaS), Software as a service (SaaS), Network as a service (NaaS) are all used by services and organisations that deal with both medical data and non-medical data.

With the development of more advanced and efficient data-mining and data-querying techniques (e.g. NoSQL, MapReduce, Hadoop) in conjunction with increased processing power and data storage, mining data has never been more informative, easier, and cost-effective.

Healthcare is a natural sector in which to apply new technologies and methodologies, with particular impacts in epidemiology, public health, health services research, etc.

Data that can lead to the identification of a particular individual and his/her health situation is not limited to medical data per se, present in Electronic Health Records, but extends to unsuspicious types of information.

There is a growing concern that these schemes may be implemented in a manner which does not always respect the patients’ confidentiality and basic rights, and in a broader context, the use of this information may prejudice the individuals concerned.

The ability to track and monitor patients and resources enables a more efficient provision of care but may have an impact on the right to privacy of the individual concerned.

2.2. Questions: Is your legal framework providing for a regulation of Cloud Computing, Data Mining and Profiling? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

Case-law:

No

Other:

No

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

Cloud computing:

How is cloud computing regulated in your country? Which security safeguards and standards are mandatory? Are there specific requirements in order to store medical data in the cloud? How is data shared and is the sharing regulated?

We don’t have cloud computing in our institution.

Government:

Do governmental programmes exist to allow for increased data-mining of medical records? If yes, what are the purposes of this data mining? Are private entities allowed to access the data? Under what circumstances? What sort of techniques and technologies are being used? To what end? Are data subjects informed of this type of data-mining?

We are not aware of government programs.

Private sector:

Are private entities allowed to mine medical data which they process? Under what circumstances? Can the government have access to this data?

We don’t have information about that.

Profiling:

Are the government and the private sector allowed to employ profiling methods on medical data? If yes, under what circumstances? Is it allowed to cross and correlate non-medical data with medical data?

We don’t have information about that.

3. RFID and wireless communication technologies

3.1. Data Protection Issues:

It is common for medical devices, such as patients’ tags, to possess RFID technologies in order to facilitate the transmission of the patients’ data.

It can also be related to the data-mining operations previously mentioned as it is another category of information that can be used to discern meaningful patterns.

Transmission of data through radio-frequency is not limited to medical devices. Almost any smartphone uses some technology enabling it to collect, and share, the user’s data. For instance, via Wi-Fi it is possible to identify users’ locations and therefore infer some of their behaviour, which in some cases can relate to health information.

3.2. Questions: Is your legal framework providing for a regulation of RFID technologies and the transfer of personal data through wireless technologies? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

Case-law:

No

Other:

No

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

RFID:

How is RFID used in hospital/clinics for (a) resource management, (b) patient care? What types of database systems (and security) are implemented in conjunction with RFID use? How are issues of access, sharing, consent etc. managed considering that RFID may be used without the patients’ knowledge.

It is not used.

Wireless tracking technologies:

Are hospitals/clinics employing other wireless tracking technologies besides RFID? Which ones? Do they have to follow specific security requirements? Which ones?

It is not used.

4. Applications (Mobile)

4.1. Data Protection Issues:

Information society is increasingly relying on the use of “apps” (application), most of them mobile. These apps are commonly designed to gather personal data, and in practice often process medical data.

Technologies such as multi-touch touchscreen, accelerometers or gyroscopes, ambient light sensors, GPS and cameras, and devices featuring fingerprint and biometric sensors also involve the collection of medical data.

A mobile phone application can accurately monitor physiological data, such as heartbeat, sleep patterns and fitness information.

4.2. Questions: Is your legal framework providing for a regulation of Apps and Mobile Apps? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

Case-law:

No

Other:

No

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

Apps:

Is it allowed to use apps and mobile apps to deploy medical services and collect medical data? If yes, which type of individual/organisation can develop and employ these apps? Are there specific security requirements for these types of apps?

We are not aware.

Institutions:

Do hospitals/clinics/labs employ apps to gather medical data? Is there a need for a medical treatment to permit the use of an app to process the medical data? Are there specific security requirements for the institutions collecting these data from the apps? Are medico-administrative data used by hospitals/clinics for management purposes?

We do not use.

Tracking technologies:

Do hospitals/clinics/labs employ non-medical apps and devices to track and collect data from their patients? What type of data is collected? For what purpose? Is the data identifiable? Is the data combined with medical data?

No, we do not use other technologies.

Privacy by Design:

Is there any requirement to implement privacy by design in the development of medical apps and tracking apps? If yes, what are the standards?

No.

Consent:

Is the system based on an opt-in approach? Is it necessary for the collection to be in reference to a medical diagnostic? How would this be applied to fitness and daily-basis data?

We do not understand that.

5. Medical Devices and Wearable Devices

5.1. Data Protection Issues:

A medical device can be defined as: ‘any instrument, apparatus, appliance, software, material or other article, whether used alone or in combination, including the software intended by its manufacturer to be used specifically for diagnostic and/or therapeutic purposes and necessary for its proper application. Such a device should be intended by the manufacturer for one of a number of defined purposes, one of which is, diagnosis, prevention, monitoring, treatment or alleviation of disease’ (Directive 93/42/EEC Article 1:2)

Some eHealth and mHealth devices and apps do not fall in this definition of medical devices, as can also be the case of a software working in combination with a physical device, for instance a smartphone.

5.2. Questions: Is your legal framework providing for a regulation of Medical Devices? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

Case-law:

No

Other:

No

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

eHealth and mHealth:

Does the concept of Medical device in your country encompass services and apparels in the realm of eHealth and mHealth? What are the requirements? Should, for instance, the medical device be certified before it can be used?

A medical device must be certified before being used.

Apps:

Does the concept of medical devices encompass apps? If yes, is there any regulation applicable to apps that perform medical services? Is there any regulation applicable on apps that track non-medical data that can lead to health information? If yes, what type of data?

Apps do not belong to the concept of medical equipment. There is no regulation.

Privacy by Design:

Is there any requirement to implement privacy by design in the development of medical and/or wearable devices? If yes, what are the standards?

No, there is not.

Consent:

Is the system based on an opt-in approach? Is it necessary for the collection to be in reference to a medical treatment? How would this be applied to fitness and daily-basis data?

We do not understand that.

6. Internet of Things

6.1. Data Protection Issues:

Internet of things relates to common, ordinary devices that are now, and increasingly, connected to the Internet, such as cars, fridges, ovens, microwaves, etc. All of these devices can provide data that can lead to reveal information concerning one’s health. A fridge can easily inform on the type of food stored and thus the diet of an individual. One of the biggest challenges of the Internet of Things is to guarantee the right to privacy and data protection in a world where every device collects, processes, analyses and transmits the data, commonly via wireless technologies.

In the realm of medical data, the issue mainly arises when crossing seemly unrelated data that can lead to health information about an individual.

6.2. Questions: Is your legal framework providing for a regulation of the Internet of Things? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

Case-law:

No

Other:

No

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

Security:

What are the security standards that need to be employed by these devices when collecting personal data?

ISO standards provided by the manufacturer.

Non-medical devices:

Are non-medical devices allowed to collect medical data, such as heart frequency?  Are they allowed to cross medical data with non-medical data?

They are not allowed.

Privacy by Design:

Is there any requirement to implement privacy by design in the development of connected devices? If yes, what are the standards?

No, there is not.

7. Electronic Doctor (online Doctor) and on-line appointments

7.1. Data Protection Issues:

The Doctor listens, talks and assesses the patient online, via a website, app, canal, sometimes including video-conference. Medical data is collected and processed, what are the security requirements and standards followed? Other websites provide for on-line appointments with doctors, which can also involve the processing of medical data.

7.2. Questions: Is your legal framework providing for a regulation of online Medical Treatment and is the on-line appointment system covered by such a framework? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

Case-law:

No

Other:

No

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

Medical treatment:

Is it allowed to perform medical treatment via online services? If yes, how should the medical services be provided? Does it have to follow the same requirements of a regular physically-present medical treatment?

Medical treatment via online services is not applied.

Medical data:

How should the data collected via a medical treatment performed online be processed? Are there specific requirements? Which ones?

We do not collect data via online services.

Other comments and technologies

Should you wish to describe any technology, feature or trend that has not been covered by the questionnaire, please feel free to use the space provided below. Where relevant, also indicate recent legislation changes, guidelines and/or case law.


AUSTRIA / AUTRICHE

QUESTIONNAIRE

The questionnaire should ideally be completed by data protection authorities, health policy authorities, professional or patient associations as well as healthcare providers: you are invited to share it as widely as possible.

Please send your replies to dataprotection@coe.int no later than 15 December 2014.

1. Mobile Health (mHealth) and Electronic Health Records (EHR)

1.1. Data Protection Issues:

This is perhaps the biggest topic sitting at the intersection of technology and data protection. Mobile health (mHealth) and Electronic Health Records (EHR) are increasingly used in healthcare systems and provisions – it is a trend that needs to be examined.

Related to the EHR, these records are more accurate, cost-effective (in terms of storage) than paper-based notes. The concept of patient controlled/accessed EHR has been implemented in varying degrees in different countries.

Furthermore, some non-medical records can still contain health information about users, and it should be considered whether such records ought to be treated in a similar way to EHR.

Also, should ‘medical data’ as defined in Recommendation N° (97) 5 on the protection of medical data cover physical tracking data, such as pedometers or fitness data and data that can lead to medical information about an individual?

1.2. Questions: if EHR exist in your country, is your legal framework providing for a regulation of such records? If mHealth exists in your country, is your legal framework providing for a specific regulation? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

EHR in Austria: The electronic health record in Austria is, to date, still under construction. The nine provinces (Bundesländer), social security and the federal entity (Republic of Austria) have committed themselves to create and implement the so-called ELGA (acronym for EHR in Austria) on a joint basis. The Electronic Health Record Act 2012 (EHRA 2012; available (in German and English) online at http://www.ris.bka.gv.at/Dokumente/Erv/ERV_2012_1_111/ERV_2012_1_111.pdf) entered into force on January 1st, 2013 and provides the legal basis for the implementation of the central components of ELGA as well as the specification of health care providers and health data to be processed within the ELGA system.

mHealth: There is no state driven mHealth project comparable to ELGA. Text services (for appointments, reminders, etc.) as well as health oriented apps are offered by some health care providers. These have to comply with the provisions of the Health Telematics Act and the Data Protection Act 2000 (DPA 2000; available in English at http://www.dsb.gv.at/site/6274/default.aspx).

The Data Protection Authority provides specific information on ELGA on its website (http://www.dsb.gv.at/site/8157/default.aspx).

Case-law:

To date, there is no final case law on EHR.

Other:

------------------------

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

EHR and Medical data:

What can be considered medical data in your country? Is it solely the data relating to a person’s health (state, diagnosis, prognosis, medical treatment, etc.)? Is non-medical data that leads to medical information treated the same way as medical data (for instance in terms of confidentiality requirements)? Is the EHR solely constituted of data collected in a medical context or can the individual also himself or herself add information regarding his or her health?

Medical data: According to § 4/2 DPA 2000, health data contain information about a person’s health state. The EHRA 2012 leaves this provision untouched and defines Medical data as “Health Data” in § 2/1 EHRA 2012.

There is an additional definition in § 2/9 EHRA 2012 of “EHR-Health Data” which may legally be used in the Austrian EHR. Thus, the EHR is solely constituted of data which are created in a medical context exclusively by health professionals.

Non-medical data: Non-medical data that leads to medical information is treated in the same way when it comes e.g. to confidentiality issues at the workplace (e.g. a visit of a specific website that might lead to certain conclusions concerning a person’s condition).

Sharing of data and Access:

Who is granted access to the EHR and how is the sharing of information (with other health care providers?) regulated? Where information is shared with pharmacists, is there a strict purpose limitation in place? How has the definition of the responsibility over the medical data been regulated?

Access to the EHR and sharing of information:

The legal access to ELGA is based on the principles of role and identity, i.e. only those health care providers who are listed in a special index, whose identity is proven by this index and who act according to their legally defined role (e.g. general practitioner) are allowed to retrieve patient data by means of ELGA. See § 2/10 EHRA 2012. Access is provided by way of the “Access Control Centre” (§ 2/10 in conjunction with § 21/2 EHRA 2012).

Pharmacists: Pharmacists are, by the definition in § 2/10/c, EHR-HCPs. Their access rights are, however, subject to a time limit of two hours after the last identification of the patient (physical contact) and only for medication data (“e-Medikation”).

Responsibility for medical data: The existing rules concerning statutory documentation requirements and responsibility for the medical data of practitioners, hospitals and pharmacists (i.e. ÄrzteG, Apothekerordnung, Kranken- und Kuranstaltengesetz) remain untouched by ELGA.
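The access rules in the reply above (a provider is admitted only if listed in the index, may retrieve only what its legally defined role allows, and a pharmacist is confined to medication data within two hours of the last patient identification, with every retrieval logged) can be read as a small policy-decision function. The following is an added example written for this compilation, not ELGA's own Access Control Centre code; the data categories, the permissions of non-pharmacist roles, the `Provider`/`AccessControlCentre` names and all sample identifiers are assumptions constructed for illustration, and only the two-hour pharmacy window and the three-year log retention are taken from the reply itself.

```python
"""Toy access-control centre modelled on the ELGA rules described in the reply.
Added example; identifiers, categories and sample data are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# From the reply: pharmacists may read medication data only within two hours of
# the last identification of the patient; log data is retained for three years.
PHARMACY_WINDOW = timedelta(hours=2)
LOG_RETENTION = timedelta(days=3 * 365)

# Role -> categories of EHR-health data the role may retrieve. Category names
# and the non-pharmacist rows are assumptions for illustration.
ROLE_PERMISSIONS = {
    "general_practitioner": {"documents", "medication"},
    "hospital": {"documents", "medication"},
    "pharmacist": {"medication"},
}


@dataclass(frozen=True)
class Provider:
    provider_id: str
    role: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


@dataclass
class AccessControlCentre:
    # The HCP index: the only source of a provider's proven identity and role.
    hcp_index: dict
    # (provider_id, patient_id) -> time the provider last identified the patient.
    last_contact: dict
    # Every decision, allowed or denied, is logged (logging is a central component).
    log: list = field(default_factory=list)

    def decide(self, provider_id: str, patient_id: str, category: str,
               now: datetime) -> Decision:
        decision = self._evaluate(provider_id, patient_id, category, now)
        self.log.append((now, provider_id, patient_id, category,
                         decision.allowed, decision.reason))
        return decision

    def _evaluate(self, provider_id, patient_id, category, now) -> Decision:
        provider = self.hcp_index.get(provider_id)
        if provider is None:
            return Decision(False, "provider not listed in HCP index")
        permitted = ROLE_PERMISSIONS.get(provider.role, set())
        if category not in permitted:
            return Decision(False, f"role {provider.role} may not read {category}")
        if provider.role == "pharmacist":
            contact = self.last_contact.get((provider_id, patient_id))
            if contact is None:
                return Decision(False, "no recorded patient contact")
            if not (timedelta(0) <= now - contact <= PHARMACY_WINDOW):
                return Decision(False, "outside two-hour pharmacy window")
        return Decision(True, f"{provider.role} permitted to read {category}")

    def prune_log(self, now: datetime) -> int:
        """Drop log entries older than the retention period; return how many were removed."""
        before = len(self.log)
        self.log = [e for e in self.log if now - e[0] <= LOG_RETENTION]
        return before - len(self.log)


# Constructed sample data: the time of a pharmacist's last contact with patient-7.
DEMO_T0 = datetime(2015, 8, 31, 10, 0, tzinfo=timezone.utc)


def build_demo_centre() -> AccessControlCentre:
    return AccessControlCentre(
        hcp_index={
            "gp-001": Provider("gp-001", "general_practitioner"),
            "ph-042": Provider("ph-042", "pharmacist"),
        },
        last_contact={("ph-042", "patient-7"): DEMO_T0},
    )


if __name__ == "__main__":
    centre = build_demo_centre()
    for args in [
        ("gp-001", "patient-7", "documents", DEMO_T0),
        ("ph-042", "patient-7", "medication", DEMO_T0 + timedelta(minutes=30)),
        ("ph-042", "patient-7", "documents", DEMO_T0 + timedelta(minutes=30)),
        ("ph-042", "patient-7", "medication", DEMO_T0 + timedelta(hours=3)),
        ("unknown", "patient-7", "documents", DEMO_T0),
    ]:
        d = centre.decide(*args)
        print(args[:3], "->", "ALLOW" if d.allowed else "DENY", f"({d.reason})")
```

The point of the structure is that the identity check, the role check and the time-bound purpose limitation are evaluated in that order and each denial is logged with its reason, so the audit trail records not only who read what but why a request was refused; a real deployment would additionally bind the patient identifier to the Patient Index rather than accept a free-text string as this toy does.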

Data quality:

Are the principles of legitimacy, fairness and minimisation applied to medical data? How are records kept accurate? How long is the data kept for, is the specific storage period defined for the EHR?

Principles of legitimacy, fairness and minimization: The principles of legitimacy, fairness and minimisation apply to medical data according to § 6 DPA 2000.

Storage period: There are several storage periods in different legal acts. The specific storage period for ELGA (EHR-Health Data as well as electronic references) is, however, ten years (see § 20/3 EHRA 2012) for documents, one year for medication data and three years for log data.

Data integrity:

Are any specific methods used to ensure the integrity of the data? How are patients identified in the EHR? In the context of research, are anonymisation methods used and what safeguards exist for re-identification?

Integrity of data: All HCPs are obliged by law to implement and document data security measures (see § 8/1 EHRA 2012). A specific Information Security Management System (ISMS) based on ISO directive 27000 has already been developed and is currently being implemented by the EHR-HCPs.

Patient Identification: One of the central components which were created specifically for ELGA is the Patients’ Index which aims at providing for a safe and unambiguous identification of patients. Patients are identified by way of digital certificates (usage of the citizen card [Bürgerkarte], a function also available as a mobile phone signature) and the Patient Index which for its part is supplied by the Central Register of Residents.

Anonymisation methods in the research context: According to § 14/2 EHRA 2012, EHR-health data which are made accessible by EHR may be used in a personally identifiable manner exclusively for the purposes listed therein. The EHRA 2012 does neither list the use of medical data in the context of research, nor does it specify anonymisation methods.

Data security:

Where are the records stored? Is there a centralised database of EHR? What security technology is being used?

Storage of records – database of EHR: EHR-health data are stored in a decentralized manner in repositories of large hospital organisations or data centers of the private sector (so-called “Affinity Domains”). Generally speaking, the ELGA “IT-Architecture” stipulates a geographically distributed system based on both centralized (shared) and decentralized patterns and components. The central components are the Patient Index, the Health Service Provider Index, the Access Control System as well as the logging and protocol feature. The only centralized EHR-health database will be the information system on prescribed and dispensed medication (so-called “e-Medication”).

Security technology: The IT Architecture of ELGA has to comply with the EHRA 2012, the DPA 2000 and the relevant profiles of the “Integrating the Healthcare Enterprise” (IHE) standards. A specific Information Security Management System (ISMS) for the decentralized data storage has already been developed based on ISO directive 27000 and is currently being implemented by the EHR-HCPs.

Rights of the person/patient concerned:

How can the right of access be exercised? How can the data be corrected? Can the person enter information in his or her own EHR? What are the legal remedies available? 

Patients have the right to access their own health data according to Art. 19 of the Austrian Patients Charta. In the EHR context, they can retrieve their own EHR-health data by using an internet portal provided by the Federal Ministry of Health at www.gesundheit.gv.at. Data can only be corrected at the document source, i.e. the hospital or practice where they have been created and saved. A patient can retrieve his/her own medical data but neither change nor complete them. Medical documents can only be created by health service providers based on their professional responsibility. This rule will not be changed by the introduction of EHR in Austria.

Apart from that, data subjects have the right to access to their data according to § 26 DPA 2000. If access is not granted or not completely granted, a data subject can file a complaint with the Data Protection Authority.

Consent:

Is the system based on an opt-in approach? Is the principle of granular consent applied (with the possibility of preventing access to certain data?)? If yes, in which situations?

ELGA is based on an opt-out approach (§ 15/2 EHRA 2012). One of the main arguments in favor of the opt-out rather than the opt-in approach is the lower access barrier to the e-health infrastructure provided by ELGA: patients do not need to take any action in order to make use of ELGA and its benefits. The concept of granular consent applies in reverse insofar as data subjects are entitled to set individual access rights for EHR-HSPs and to hide, display and delete electronic references to EHR-health data. Patients can exercise their rights at any time by means of the ELGA internet portal. Furthermore, they are entitled to object to the inclusion of references and EHR-health data, including individual medication data for a concrete treatment (unless prohibited by other statutory documentation requirements), in relation to their treating or supervising EHR-HCPs (§ 16/2/2).

Withdrawal:

Are patients able to withdraw the consent given to EHR schemes? If yes, what is the relevant procedure to withdraw such consent? What are the consequences?

As for the procedure, see above. It is important to note that the system is based on an opt-out approach. The opt-out can be declared via the internet portal or on paper via the opt-out office (“Widerspruchstelle”).

Opt-out: Patients can declare (either electronically by way of the e-Health Access Point or in writing to Opt-out Offices) their objection to the storage of their EHR-Health Data. In the case of a general objection, all data stored in the EHR are deleted. Furthermore, patients can declare their objection in each individual case to their healthcare provider.

Outsourcing processing of data:

Is outsourcing common? Under what circumstances? Where is the data outsourced to? What sort of safeguards are in place?

The EHRA 2012 stipulates that storage media have to be based in the territory of the European Union. Outsourcing happens within the autonomy and responsibility of the health service providers. There are no notification obligations or similar for private controllers. Public controllers must in principle consult the Data Protection Authority before outsourcing sensitive data (§ 10 DPA 2000). Thus, information on the outsourcing situation is limited.

The operators to whom these data are outsourced are subject to the same EHR-security requirements as healthcare providers.

2. Cloud Computing, Data Mining and Profiling from both Medical Records (including EHR) and Data not specifically related to medical records.

2.1. Data Protection Issues:

Cloud computing has brought a new dimension to the way data is stored, accessed and processed. Infrastructure as a service (IaaS), Platform as a service (PaaS), Software as a service (SaaS), Network as a service (NaaS) are all used by services and organisations that deal with both medical data and non-medical data.

With the development of more advanced and efficient data-mining and data-querying techniques (e.g. NoSQL, MapReduce, Hadoop) in conjunction with increased processing power and data storage, mining data has never been more informative, easier, and cost-effective.

Healthcare is a natural sector in which to apply new technologies and methodologies, with particular impacts in epidemiology, public health, health services research, etc.

Data that can lead to the identification of a particular individual and his/her health situation is not limited to medical data per se, present in Electronic Health Records, but extends to seemingly innocuous types of information.

There is a growing concern that these schemes may be implemented in a manner which does not always respect the patients’ confidentiality and basic rights, and, in a broader context, that the use of this information may prejudice the individuals concerned.

The ability to track and monitor patients and resources enables a more efficient provision of care but may have an impact on the right to privacy of the individual concerned.

2.2. Questions: Is your legal framework providing for a regulation of Cloud Computing, Data Mining and Profiling? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

Liability issues have to be treated by using the existing civil and data protection law. For details see http://infolaw.at/files/4_Osterreichischer_IT-Rechtstag/Blaha.pdf (in German)

Case-law:

See above

Other:

See above

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

Cloud computing:

How is cloud computing regulated in your country? Which security safeguards and standards are mandatory? Are there specific requirements in order to store medical data in the cloud? How is data shared and is the sharing regulated?

§ 6/3 EHRA 2012 stipulates that health data which are saved by means of cloud computing have to be encrypted using state-of-the-art methods (i.e. by using protocols and methods which provide full encryption and whose cryptographic algorithms are listed in an ordinance issued by the Minister of Health).

The provisions of the DPA 2000 concerning data security measures (§ 14 DPA 2000) apply.

Government:

Do governmental programmes exist to allow for increased data-mining of medical records? If yes, what are the purposes of this data mining? Are private entities allowed to access the data? Under what circumstances? What sort of techniques and technologies are being used? To what end? Are data subjects informed of this type of data-mining?

Due to the federal structure of the Republic of Austria, there is a large number of different ICT projects at federal as well as at provincial and regional level. For an overview of the projects at federal level see www.iktprojekte.at. This overview does not contain any data mining projects. The Austrian social security institutions are granted autonomy and special data processing rights based on the Social Security Act. Data mining is, however, not explicitly mentioned.

Private sector:

Are private entities allowed to mine medical data which they process? Under what circumstances? Can the government have access to this data?

Anyone willing to carry out data mining must comply with the DPA 2000. The DPA 2000 contains a special provision on the use of data for research purposes in § 46. In certain cases an approval of the Data Protection Authority is required.

For further information and findings of scientific research see http://rechtsinformatik.univie.ac.at/forschung/

Profiling:

Are the government and the private sector allowed to employ profiling methods on medical data? If yes, under what circumstances? Is it allowed to cross and correlate non-medical data with medical data?

See above.

3. RFID and wireless communication technologies

3.1. Data Protection Issues:

It is common for medical devices, such as patients’ tags, to possess RFID technologies in order to facilitate the transmission of the patients’ data.

It can also be related to the data-mining operations previously mentioned as it is another category of information that can be used to discern meaningful patterns.

Transmission of data through radio-frequency is not limited to medical devices. Almost any smartphone uses some technology enabling it to collect, and share, the user’s data. For instance, via Wi-Fi it is possible to identify users’ locations and therefore infer some of their behaviour, which in some cases can relate to health information.

3.2. Questions: Is your legal framework providing for a regulation of RFID technologies and the transfer of personal data through wireless technologies? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

The general provisions of the DPA 2000 apply.

Case-law:

No case-law

Other:

------------------

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

RFID:

How is RFID used in hospitals/clinics for (a) resource management, (b) patient care? What types of database systems (and security) are implemented in conjunction with RFID use? How are issues of access, sharing, consent etc. managed, considering that RFID may be used without the patients’ knowledge?

Identification of medical devices is organized by using the bar code system of GS1 (Global Standard One); see http://www.gs1.at/branchenloesungen/gesundheitswesen/gs1-anwendungen. In this context, RFID is also applied in individual hospitals; see http://www.aerztezeitung.at/archiv/oeaez-2009/oeaez-7-10042009/13-internationale-gs1-healthcare-konferenz-krankenhaus-der-zukunft.html

Wireless tracking technologies:

Are hospitals/clinics employing other wireless tracking technologies besides RFID? Which ones? Do they have to follow specific security requirements? Which ones?

----------------------------------

4. Applications (Mobile)

4.1. Data Protection Issues:

The information society is increasingly relying on the use of “apps” (applications), most of them mobile. These apps are commonly designed to gather personal data, and in practice often process medical data.

Technologies such as multi-touch touchscreen, accelerometers or gyroscopes, ambient light sensors, GPS and cameras, and devices featuring fingerprint and biometric sensors also involve the collection of medical data.

A mobile phone application can accurately monitor physiological data, such as heartbeat, sleep patterns and fitness information.

4.2. Questions: Is your legal framework providing for a regulation of Apps and Mobile Apps? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

There is no specific legislation for a regulation of Apps and Mobile Apps; the general provisions of the DPA 2000 apply.

Case-law:

No case-law

Other:

-----------------------

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

Apps:

Is it allowed to use apps and mobile apps to deploy medical services and collect medical data? If yes, which type of individual/organisation can develop and employ these apps? Are there specific security requirements for these types of apps?

-------------------------------------------

Institutions:

Do hospitals/clinics/labs employ apps to gather medical data? Is there a need for a medical treatment to permit the use of an app to process the medical data? Are there specific security requirements for the institutions collecting these data from the apps? Are medico-administrative data used by hospitals/clinics for management purposes?

--------------------------------------------

Tracking technologies:

Do hospitals/clinics/labs employ non-medical apps and devices to track and collect data from their patients? What type of data is collected? For what purpose? Is the data identifiable? Is the data combined with medical data?

--------------------------------------------

Privacy by Design:

Is there any requirement to implement privacy by design in the development of medical apps and tracking apps? If yes, what are the standards?

--------------------------------------------

Consent:

Is the system based on an opt-in approach? Is it necessary for the collection to be in reference to a medical diagnostic? How would this be applied to fitness and daily-basis data?

-------------------------------------------

5. Medical Devices and Wearable Devices

5.1. Data Protection Issues:

A medical device can be defined as: ‘any instrument, apparatus, appliance, software, material or other article, whether used alone or in combination, including the software intended by its manufacturer to be used specifically for diagnostic and/or therapeutic purposes and necessary for its proper application. Such a device should be intended by the manufacturer for one of a number of defined purposes, one of which is diagnosis, prevention, monitoring, treatment or alleviation of disease’ (Directive 93/42/EEC, Article 1(2)).

Some eHealth and mHealth devices and apps do not fall within this definition of medical devices, as can also be the case for software working in combination with a physical device, for instance a smartphone.

5.2. Questions: Is your legal framework providing for a regulation of Medical Devices? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

Yes, medical devices are regulated by the “Federal Act on Medical Devices (Medizinproduktegesetz – MPG)”, available (in German) online at www.ris.bka.gv.at/GeltendeFassung/Bundesnormen/10011003/MPG%2c%20Fassung%20vom%2029.10.2014.pdf

Case-law:

No case-law

Other:

----------------

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

eHealth and mHealth:

Does the concept of medical device in your country encompass services and apparatus in the realm of eHealth and mHealth? What are the requirements? Should, for instance, the medical device be certified before it can be used?

No. A certification is required only under the Federal Act on Medical Devices.

Apps:

Does the concept of medical devices encompass apps? If yes, is there any regulation applicable to apps that perform medical services? Is there any regulation applicable on apps that track non-medical data that can lead to health information? If yes, what type of data?

No

Privacy by Design:

Is there any requirement to implement privacy by design in the development of medical and/or wearable devices? If yes, what are the standards?

No specific requirement; the DPA 2000 stipulates the generally applicable data minimization principle.

Consent:

Is the system based on an opt-in approach? Is it necessary for the collection to be in reference to a medical treatment? How would this be applied to fitness and daily-basis data?

----------------------------------------------------

6. Internet of Things

6.1. Data Protection Issues:

The Internet of Things refers to common, ordinary devices that are now, and increasingly, connected to the Internet, such as cars, fridges, ovens, microwaves, etc. All of these devices can provide data that can reveal information concerning one’s health. A fridge can easily inform on the type of food stored and thus the diet of an individual. One of the biggest challenges of the Internet of Things is to guarantee the right to privacy and data protection in a world where every device collects, processes, analyses and transmits data, commonly via wireless technologies.

In the realm of medical data, the issue mainly arises when crossing seemingly unrelated data that can lead to health information about an individual.

6.2. Questions: Is your legal framework providing for a regulation of the Internet of Things? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

For the government strategies concerning digital services see http://www.digitales.oesterreich.gv.at/. “Internet of Things” is not mentioned. There is no specific legal framework; the general provisions of the DPA 2000 apply.

Case-law:

See above

Other:

See above

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

Security:

What are the security standards that need to be employed by these devices when collecting personal data?

See above

Non-medical devices:

Are non-medical devices allowed to collect medical data, such as heart frequency? Are they allowed to cross medical data with non-medical data?

See above

Privacy by Design:

Is there any requirement to implement privacy by design in the development of connected devices? If yes, what are the standards?

See above

7. Electronic Doctor (online Doctor) and on-line appointments

7.1. Data Protection Issues:

The doctor listens, talks and assesses the patient online, via a website, app or channel, sometimes including video-conference. Medical data are collected and processed: what are the security requirements and standards followed? Other websites provide for on-line appointments with doctors, which can also involve the processing of medical data.

7.2. Questions: Is your legal framework providing for a regulation of online Medical Treatment and is the on-line appointment system covered by such a framework? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

According to § 49/2 Ärztegesetz, medical doctors are obliged to carry out their professional duties personally and directly. Thus online medical treatment is unlawful in Austria.

Case-law:

-----------------

Other:

-----------------

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

Medical treatment:

Is it allowed to perform medical treatment via online services? If yes, how should the medical services be provided? Does it have to follow the same requirements of a regular physically-present medical treatment?

See above

Medical data:

How should the data collected via a medical treatment performed online be processed? Are there specific requirements? Which ones?

See above

Other comments and technologies

Should you wish to describe any technology, feature or trend that has not been covered by the questionnaire, please feel free to use the space provided below. Where relevant, also indicate recent legislation changes, guidelines and/or case law.

------------------------


BELGIUM / BELGIQUE

QUESTIONNAIRE

The questionnaire should ideally be completed by data protection authorities, health policy authorities, professional or patient associations as well as healthcare providers: you are invited to share it as widely as possible.

Please send your replies to dataprotection@coe.int no later than 15 December 2014.

1. Mobile Health (mHealth) and Electronic Health Records (EHR)

1.1. Data Protection Issues:

This is perhaps the biggest topic sitting at the intersection of technology and data protection. Mobile health (mHealth) and Electronic Health Records (EHR) are increasingly used in healthcare systems and provisions – it is a trend that needs to be examined.

Regarding EHR, these records are more accurate and more cost-effective (in terms of storage) than paper-based notes. The concept of patient-controlled/accessed EHR has been implemented in varying degrees in different countries.

Furthermore, some non-medical records can still contain health information about users, and it should be considered whether such records ought to be treated in a similar way to EHR.

Also, should ‘medical data’ as defined in Recommendation N° (97) 5 on the protection of medical data cover physical tracking data, such as pedometer or fitness data, and data that can lead to medical information about an individual?

1.2. Questions: if EHR exist in your country, is your legal framework providing for a regulation of such records? If mHealth exists in your country, is your legal framework providing for a specific regulation? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

The general data protection legislation (the Belgian law on data protection of December 8th, 1992) applies to all health records, both those held on paper and those held electronically.

Nevertheless, the Belgian law of August 21st, 2008 concerning the establishment and organization of the eHealth-platform aims to facilitate the exchange of electronic health data/records that are stored in a decentralized way: a referral directory indicates where the health data of a certain person/patient are held/stored and can be found (e.g., which hospital). The legislation also provides for certain services ensuring secure transmission of sensitive health data (encryption, encoding, time stamping, logging, etc.).

Case-law:

/

Other:

The Belgian DPA rendered an opinion on the aforementioned bill concerning the establishment and organization of the eHealth-platform (Opinion n° 14/2008 of April 2nd, 2008). In this opinion the Belgian DPA highlighted (among other things) the obligation to comply with the general privacy legislation (the Belgian law on data protection) and the Belgian legislation on patient rights, and more particularly with the right of each patient to know at all times who accessed his personal data and at what time.

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

EHR and Medical data:

What can be considered medical data in your country? Is it solely the data relating to a person’s health (state, diagnosis, prognosis, medical treatment, etc.)? Is non-medical data that leads to medical information treated the same way as medical data (for instance in terms of confidentiality requirements)? Is the EHR solely constituted of data collected in a medical context or can the individual also himself or herself add information regarding his or her health?

Medical data are data that contain information about the health status of an individual.

Even though the Belgian law on data protection does not provide a definition of ‘personal data concerning health’, for the Belgian DPA this refers to all information concerning the past, present and future physical or mental health of an individual. This implies that, when the use of ‘non-medical data by nature’ leads to medical information, these data will be treated the same way as ‘medical data by nature’.

Privacy legislation only uses ‘data concerning the health status of an individual’. No distinction is made with respect to the context in which the data is gathered (non-medical or medical context).

In Belgium, health professionals are responsible for the content of an EHR and the data are traditionally obtained in a medical context. According to patient rights’ legislation a patient can ask the health professional to add certain documents to his health record.

More recently, however, efforts are being made for the development of a Personal Health Record (PHR) in which a patient can view (a summary of) his or her own medical data stored in the EHR of a medical doctor. A PHR should also allow the patient to store and share self-generated medical data.

Sharing of data and Access:

Who is granted access to the EHR and how is the sharing of information (with other health care providers?) regulated? Where information is shared with pharmacists, is there a strict purpose limitation in place? How has the definition of the responsibility over the medical data been regulated?

Typically only the treating physicians or health professionals have access to the data in an EHR.

However, patient’s rights legislation gives a patient the right to view his or her own medical data and to obtain a copy of the medical record.

Recently and as stated above, efforts are being made to give patients direct access to their own electronic information through the PHR.

Sharing of digital health care data is possible through the standards and (basic) services of the Belgian eHealth-platform (https://www.ehealth.fgov.be/nl/home) and the services with added value that use the functionality of the eHealth-platform (e.g., Vitalink in Flanders (www.vitalink.be), Intermed in Wallonia – which are health vaults for specific health information like the medication or vaccination scheme or a summary electronic health record – or the Hubs & Metahub system).

Any other exchange of health-related personal data (outside the scope of the therapeutic relationship between patients and healthcare professionals and outside any regulatory requirement) has to be authorized by the Sector Committee of Social Security and Health (established within the Belgian Privacy Commission), prior to the exchange.

This committee will examine the lawfulness, legitimacy, proportionality and security of the exchange/communication of health-related personal data.

Sharing of health data between health professionals through the eHealth-platform is also subject to an informed consent of the patient (electronic opt-in procedure available on the website of the eHealth-platform).

Data exchange with pharmacists is only on a need to know basis.

There is no single party responsible for medical data.

A health professional is responsible for the data that he/she generates for his/her own patients. He can be considered as ‘controller’ of his patient records.

In larger organizations, the one that determines the purposes and means of the processing, or the one designated as such by law, will be considered as controller, and therefore responsible for the processing of the data, assisted in this by security consultants, the data protection officer and/or the Chief Medical Officer.

The Belgian data protection legislation dictates that health-related personal data may only be processed under the responsibility of a health-care professional. The controller will therefore appoint such a health-care professional to take this responsibility.

Data quality:

Are the principles of legitimacy, fairness and minimisation applied to medical data? How are records kept accurate?  How long is the data kept for, is the specific storage period defined for the EHR?

All data protection principles are applied to health-related personal data.

Health professionals are responsible for the accuracy of the data in their field of expertise that they generate in their own medical records for their own patients.

General practitioners can receive a fee to gather and centralize all the relevant medical information from every treating physician for a certain patient (Global medical record).

Medical records have to be kept for 30 years after the last contact with the patient, regardless of whether they are stored electronically or on paper.

Data integrity:

Are any specific methods used to ensure the integrity of the data? How are patients identified in the EHR? In the context of research, are anonymisation methods used and what safeguards exist for re-identification?

The Belgian eHealth-platform offers certain services to ensure integrity of the data, such as time stamping.

Patients are identified through their Identification Number of Social Security, which for most Belgian citizens is identical to their Identification Number of the National Registry.

Belgian data protection legislation dictates that (further) processing for research purposes should preferably be carried out using anonymous data; when the research purpose cannot be achieved using anonymous data, encoded data may be processed. Only when the use of encoded data does not allow the research purpose to be achieved can non-encoded data be used.

The eHealth-platform can act as a Trusted Third Party (TTP) for anonymisation or coding of patient data.
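The three tiers described in the two paragraphs above (anonymous data, encoded data, non-encoded data) and the coding step performed by a trusted third party, shown as an added Python illustration. This is not the eHealth-platform's own code: the record layout, the sample records, the `CodingTTP` class and the five-year birth band are constructed for the example, and the keyed hash stands in for whatever coding method the platform actually uses.

```python
# Added example (not the eHealth-platform's own code): anonymous vs. encoded
# data, with a trusted third party (TTP) doing the coding. Sample records,
# field names and the CodingTTP class are constructed for illustration.
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

DIRECT_IDENTIFIERS = {"national_id", "name", "address"}

# Constructed sample extract of an EHR; not real patient data.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"national_id": "85.01.01-123.45", "name": "A. Example", "address": "Rue X 1",
     "birth_date": "1985-01-01", "diagnosis": "E11"},
    {"national_id": "85.01.01-123.45", "name": "A. Example", "address": "Rue X 1",
     "birth_date": "1985-01-01", "diagnosis": "I10"},
    {"national_id": "90.06.30-678.90", "name": "B. Example", "address": "Rue Y 2",
     "birth_date": "1990-06-30", "diagnosis": "J45"},
]


class CodingTTP:
    """Trusted third party holding the coding key and the reverse table.

    The researcher only ever sees the code; re-identification is possible
    solely through the TTP, which is what makes the data 'encoded' rather
    than anonymous.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key if key is not None else secrets.token_bytes(32)
        self._reverse: Dict[str, str] = {}

    def encode(self, national_id: str) -> str:
        # Keyed hash: the same ID always yields the same code, so records of
        # one patient stay linkable, but without the key the code cannot be
        # reproduced by hashing candidate IDs.
        code = hmac.new(self._key, national_id.encode("utf-8"),
                        hashlib.sha256).hexdigest()[:16]
        self._reverse[code] = national_id
        return code

    def reidentify(self, code: str) -> Optional[str]:
        """Only the TTP can map a code back to the person."""
        return self._reverse.get(code)


def encode_records(records: List[Dict[str, str]], ttp: CodingTTP) -> List[Dict[str, str]]:
    """Tier 2 (encoded data): direct identifiers are replaced by a TTP code."""
    out = []
    for rec in records:
        coded = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        coded["patient_code"] = ttp.encode(rec["national_id"])
        out.append(coded)
    return out


def anonymise_records(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Tier 1 (anonymous data): direct identifiers are dropped, no code is
    kept, and the birth date is generalised to a five-year band so that the
    rows can no longer be linked to a person or to each other."""
    out = []
    for rec in records:
        anon = {k: v for k, v in rec.items()
                if k not in DIRECT_IDENTIFIERS and k != "birth_date"}
        year = int(rec["birth_date"][:4])
        band_start = year - year % 5
        anon["birth_band"] = f"{band_start}-{band_start + 4}"
        out.append(anon)
    return out


def contains_direct_identifier(records: List[Dict[str, str]]) -> bool:
    """Release check: does any row still carry a direct identifier field?"""
    return any(k in DIRECT_IDENTIFIERS for rec in records for k in rec)
```

In the encoded release the two rows of the first patient share one `patient_code`, which is what lets a researcher follow a patient across records without knowing who it is; the anonymised release deliberately loses that linkability, which is why the reply treats it as the preferred, least intrusive tier.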

Data security:

Where are the records stored? Is there a centralised database of EHR? What security technology is being used?

Data storage is typically decentralized. Every hospital usually has its own local system. The same applies to general practitioners, who have GP-oriented packages at their disposal with data storage that is usually local (up until April 2014 hospitals were even legally obliged to store their medical records ‘in house’, so cloud computing was not feasible). Recently, GP-oriented EHR systems became available that are cloud-based. The data, however, cannot be accessed by colleagues who are not directly associated with the treating physician.

In Flanders Vitalink (www.vitalink.be) serves as a central health database designed to share specifically selected health information (see above) between different health professions and between health professionals and patients. A similar system exists in Wallonia (Intermed).

Regardless of the way personal data are processed or stored, certain security measures should always be implemented. The Belgian DPA listed the following reference measures: information security policy, organization of information security, physical environment security, network security, logical access security, access logging (audit trails and access analysis), monitoring – checks – maintenance, security incident management and continuity, enforcement, documentation (for more detailed information: http://www.privacycommission.be/sites/privacycommission/files/documents/reference_measures_security_personal_data_processing_1.pdf)

Rights of the person/patient concerned:

How can the right of access be exercised? How can the data be corrected? Can the person enter information in his or her own EHR? What are the legal remedies available? 

The right of access is provided for by the general data protection legislation and by the patient’s rights legislation.

Every patient has the right of access (directly or through the intervention of a healthcare professional) to his medical record.

A patient can also request a copy of his patient file.

At this moment, a patient cannot himself enter any information directly into his health record; he can, however, ask the healthcare professional to add certain documents or information. The development of a PHR should allow the patient to do this independently.

General data protection legislation allows any person to rectify incorrect personal data relating to him.

Data protection legislation imposes a fine on any controller who fails to answer a request for access within forty-five days of its receipt.

Under patients' rights legislation, a patient can lodge a complaint regarding the exercise of his rights with the competent Ombudsman.

Consent:

Is the system based on an opt-in approach? Is the principle of granular consent applied (with the possibility of preventing access to certain data?)? If yes, in which situations?

Sharing of health data between health professionals through the eHealth-platform is subject to the informed consent of the patient (an electronic opt-in procedure is available on the website of the eHealth-platform). Individual physicians can be included or excluded. No granular consent is possible for specific categories of data.

Withdrawal:

Are patients able to withdraw the consent given to EHR schemes? If yes, what is the relevant procedure to withdraw such consent? What are the consequences?

Opt-in (see above) for data sharing through the eHealth-platform can be withdrawn immediately and at any time on the website of the eHealth-platform.

At the level of hospitals or individual physicians, no such opt-in or opt-out procedure exists. Processing of health data by individual hospitals or healthcare professionals is, indeed, not based on consent but on the necessity of this processing for preventive medicine or medical diagnosis, the provision of care or treatment, or the management of healthcare services.

Outsourcing processing of data:

Is outsourcing common? Under what circumstances? Where is the data outsourced to? What sort of safeguards are in place?

Outsourcing is not common.

2. Cloud Computing, Data Mining and Profiling from both Medical Records (including EHR) and Data not specifically related to medical records.

2.1. Data Protection Issues:

Cloud computing has brought a new dimension to the way data is stored, accessed and processed. Infrastructure as a service (IaaS), Platform as a service (PaaS), Software as a service (SaaS), Network as a service (NaaS) are all used by services and organisations that deal with both medical data and non-medical data.

With the development of more advanced and efficient data-mining and data-querying techniques (e.g. NoSQL, MapReduce, Hadoop) in conjunction with increased processing power and data storage, mining data has never been more informative, easier, and cost-effective.

Healthcare is a natural sector in which to apply new technologies and methodologies, with particular impacts in epidemiology, public health, health services research, etc.

Data that can lead to the identification of a particular individual and his/her health situation is not limited to medical data per se, present in Electronic Health Records, but also extends to seemingly innocuous types of information.

There is a growing concern that these schemes may be implemented in a manner which does not always respect patients' confidentiality and basic rights, and, in a broader context, that the use of this information may prejudice the individuals concerned.

The ability to track and monitor patients and resources enables a more efficient provision of care but may have an impact on the right to privacy of the individual concerned.

2.2. Questions: Is your legal framework providing for a regulation of Cloud Computing, Data Mining and Profiling? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

The Belgian legal framework does not provide any specific regulation concerning cloud computing, data mining or profiling. General data protection legislation and principles apply.

Case-law:

/

Other:

The Belgian DPA has not yet issued any opinions, guidelines or recommendations concerning cloud computing, data mining or profiling.

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

Cloud computing:

How is cloud computing regulated in your country? Which security safeguards and standards are mandatory? Are there specific requirements in order to store medical data in the cloud? How is data shared and is the sharing regulated?

As stated above, no specific regulation concerning the use of cloud computing with regard to the processing of health-related data exists in Belgium.

Up until April 2014 cloud computing was not even an option for hospitals, since hospitals were obliged to hold/store their medical records in house. At the moment a circular letter with guidelines on the use of cloud-based systems in hospitals is being prepared by the Ministry of Social Affairs and Public Health.

Government:

Do governmental programmes exist to allow for increased data-mining of medical records? If yes, what are the purposes of this data mining? Are private entities allowed to access the data? Under what circumstances? What sort of techniques and technologies are being used? To what end? Are data subjects informed of this type of data-mining?

No

Private sector:

Are private entities allowed to mine medical data which they process? Under what circumstances? Can the government have access to this data?

Yes, under certain circumstances.

As far as the general data protection principles applicable to health-related personal data (purpose limitation in particular) are respected, this may be allowed.

Profiling:

Are the government and the private sector allowed to employ profiling methods on medical data? If yes, under what circumstances? Is it allowed to cross and correlate non-medical data with medical data?

Secondary use and further processing can be allowed when not incompatible with the initial purpose of processing and when respecting all other data protection principles (applied to the processing of health-related personal data).

Nevertheless, any communication (crossing and correlation included) of health-related personal data outside the scope of the therapeutic relationship between patient and healthcare professional, and outside any regulatory requirement, is only possible after prior authorisation from the Belgian Sector Committee of Social Security and Health (see before).

3. RFID and wireless communication technologies

3.1. Data Protection Issues:

It is common for medical devices, such as patients’ tags, to possess RFID technologies in order to facilitate the transmission of the patients’ data.

It can also be related to the data-mining operations previously mentioned as it is another category of information that can be used to discern meaningful patterns.

Transmission of data through radio frequency is not limited to medical devices. Almost any smartphone uses some technology enabling it to collect and share the user's data. For instance, via Wi-Fi it is possible to identify users' locations and therefore infer some of their behaviour, which in some cases can relate to health information.

3.2. Questions: Is your legal framework providing for a regulation of RFID technologies and the transfer of personal data through wireless technologies? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

The Belgian legal framework does not provide any specific regulation concerning RFID technologies. General data protection legislation and principles apply.

Case-law:

/

Other:

The Belgian DPA did issue an opinion on the use of RFID in general (Opinion n° 27/2009 of 14 October 2009) in which it drew attention, among other things, to: freely given and informed consent by the data subject, the necessity of a privacy impact assessment, and efficient technical and organisational security measures that keep pace with technological evolution and developments.

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

RFID:

How is RFID used in hospital/clinics for (a) resource management, (b) patient care? What types of database systems (and security) are implemented in conjunction with RFID use? How are issues of access, sharing, consent etc. managed considering that RFID may be used without the patients’ knowledge.

RFID technology is used in some hospitals for patient identification, mainly to prevent patient mix-ups. In some cases it is also used during equipment sterilisation procedures (quality control) and for logistic purposes.

Wireless tracking technologies:

Are hospitals/clinics employing other wireless tracking technologies besides RFID? Which ones? Do they have to follow specific security requirements? Which ones?

4. Applications (Mobile)

4.1. Data Protection Issues:

The information society is increasingly relying on the use of "apps" (applications), most of them mobile. These apps are commonly designed to gather personal data, and in practice often process medical data.

Technologies such as multi-touch touchscreen, accelerometers or gyroscopes, ambient light sensors, GPS and cameras, and devices featuring fingerprint and biometric sensors also involve the collection of medical data.

A mobile phone application can accurately monitor physiological data, such as heartbeat, sleep patterns and fitness information.

4.2. Questions: Is your legal framework providing for a regulation of Apps and Mobile Apps? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

The Belgian legal framework does not provide any specific regulation concerning Apps and Mobile Apps. General data protection legislation and principles apply.

Case-law:

/

Other:

The Belgian DPA has not yet issued any opinions, guidelines or recommendations concerning Apps and Mobile Apps.

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

Apps:

Is it allowed to use apps and mobile apps to deploy medical services and collect medical data? If yes, which type of individual/organisation can develop and employ these apps? Are there specific security requirements for these types of apps?

Yes.

As stated above, no specific regulation concerning the use of Apps and Mobile Apps with regard to the processing of health-related data exists in Belgium. General privacy legislation applies.

In principle, the basic services and standards of the eHealth-platform could be used to communicate health data.

Institutions:

Do hospitals/clinics/labs employ apps to gather medical data? Is there a need for a medical treatment to permit the use of an app to process the medical data? Are there specific security requirements for the institutions collecting these data from the apps? Are medico-administrative data used by hospitals/clinics for management purposes?

At this moment, we are not aware of any specific examples of hospitals that use smartphone apps to gather medical data (e.g., for telemonitoring; also see the section Other comments and technologies), but in principle this could be possible in the context of a medical evaluation or treatment.

The general privacy legislation applies. Note that some vendors of EHR software for GPs offer mobile versions of their applications.

Hospitals use medico-administrative data to optimize their revenues, services, internal procedures and policies.

Tracking technologies:

Do hospitals/clinics/labs employ non-medical apps and devices to track and collect data from their patients? What type of data is collected? For what purpose? Is the data identifiable? Is the data combined with medical data?

Not to our knowledge.

Privacy by Design:

Is there any requirement to implement privacy by design in the development of medical apps and tracking apps? If yes, what are the standards?

Not to our knowledge.

Consent:

Is the system based on an opt-in approach? Is it necessary for the collection to be in reference to a medical diagnostic? How would this be applied to fitness and daily-basis data?

It should be based on an opt-in approach.

No regulation exists stating that the data collection should be in reference to a specific medical diagnostic.

5. Medical Devices and Wearable Devices

5.1. Data Protection Issues:

A medical device can be defined as: 'any instrument, apparatus, appliance, software, material or other article, whether used alone or in combination, including the software intended by its manufacturer to be used specifically for diagnostic and/or therapeutic purposes and necessary for its proper application. Such a device should be intended by the manufacturer for one of a number of defined purposes, one of which is diagnosis, prevention, monitoring, treatment or alleviation of disease' (Directive 93/42/EEC, Article 1(2)).

Some eHealth and mHealth devices and apps do not fall within this definition of medical devices, as can also be the case for software working in combination with a physical device, for instance a smartphone.

5.2. Questions: Is your legal framework providing for a regulation of Medical Devices? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

The Royal Decree of 18 March 1999 concerning medical devices (see below)

The Law of 15 December 2013 concerning medical devices

Case-law:

/

Other:


Apart from some, mostly formal, remarks, the Belgian DPA issued a favourable opinion on the aforementioned bill concerning medical devices (Opinion n° 34/2013 of 17 July 2013).

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

eHealth and mHealth:

Does the concept of Medical device in your country encompass services and apparels in the realm of eHealth and mHealth? What are the requirements? Should, for instance, the medical device be certified before it can be used?

The Royal Decree on medical devices in Belgium (18/03/1999) is based on the European Directive on medical devices (93/42/EEC), which states:

'Medical device' means any instrument, apparatus, appliance, software, material or other article, whether used alone or in combination, including the software intended by its manufacturer to be used specifically for diagnostic and/or therapeutic purposes and necessary for its proper application, intended by the manufacturer to be used for human beings for the purpose of:

— diagnosis, prevention, monitoring, treatment or alleviation of disease,

— diagnosis, monitoring, treatment, alleviation of or compensation for an injury or handicap,

— investigation, replacement or modification of the anatomy or of a physiological process,

— control of conception,

and which does not achieve its principal intended action in or on the human body by pharmacological, immunological or metabolic means, but which may be assisted in its function by such means;

In our opinion, this can encompass the above-mentioned services and apparels in the realm of eHealth and mHealth.

CE marking must be obtained before a device may be placed on the market. Notification to the Federal Agency for Medicines and Health Products (FAMHP) is required and all incidents must be reported. The FAMHP is the Belgian competent authority responsible for the quality, safety and efficacy of pharmaceutical and health products from development to application (http://www.fagg-afmps.be/en/).

Although not yet in effect, Article 51 of the aforementioned Law of 15 December 2013 provides for the establishment of a central registry within the FAMHP for all implants, in order to make sure they remain traceable.

Apps:

Does the concept of medical devices encompass apps? If yes, is there any regulation applicable to apps that perform medical services? Is there any regulation applicable on apps that track non-medical data that can lead to health information? If yes, what type of data?

In principle the above-mentioned definition of medical devices encompasses health apps. See above for the regulatory requirements.

The general data protection legislation and principles apply.

Privacy by Design:

Is there any requirement to implement privacy by design in the development of medical and/or wearable devices? If yes, what are the standards?

Not to our knowledge. The general data protection legislation and principles apply.

Consent:

Is the system based on an opt-in approach? Is it necessary for the collection to be in reference to a medical treatment? How would this be applied to fitness and daily-basis data?

It should be based on an opt-in approach. The general data protection legislation applies.

No regulation exists stating that the data collection should be in reference to a specific medical treatment and we think that this is not always warranted or desired (e.g., devices for prevention or in the wellness domain).

6. Internet of Things

6.1. Data Protection Issues:

The Internet of Things relates to common, ordinary devices that are now, and increasingly, connected to the Internet, such as cars, fridges, ovens, microwaves, etc. All of these devices can provide data that can reveal information concerning one's health. A fridge can easily inform on the type of food stored and thus on the diet of an individual. One of the biggest challenges of the Internet of Things is to guarantee the right to privacy and data protection in a world where every device collects, processes, analyses and transmits data, commonly via wireless technologies.

In the realm of medical data, the issue mainly arises when crossing seemingly unrelated data that can lead to health information about an individual.

6.2. Questions: Is your legal framework providing for a regulation of the Internet of Things? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

The Belgian legal framework does not provide any specific regulation concerning the Internet of Things. General data protection legislation and principles apply.

Case-law:

/

Other:

The Belgian DPA has not yet issued any opinions, guidelines or recommendations concerning the Internet of Things.

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

Security:

What are the security standards that need to be employed by these devices when collecting personal data?

As stated above, no specific regulation concerning these devices with regard to the processing of health-related data exists in Belgium. General privacy legislation applies.

Non-medical devices:

Are non-medical devices allowed to collect medical data, such as heart frequency?  Are they allowed to cross medical data with non-medical data?

General privacy legislation concerning health data applies.

Any communication (crossing included) of health-related personal data outside the scope of the therapeutic relationship between patient and healthcare professional, and outside any regulatory requirement, is only possible after prior authorisation from the Belgian Sector Committee of Social Security and Health (see before).

Privacy by Design:

Is there any requirement to implement privacy by design in the development of connected devices? If yes, what are the standards?

Not to our knowledge.

7. Electronic Doctor (online Doctor) and on-line appointments

7.1. Data Protection Issues:

The doctor listens to, talks with and assesses the patient online, via a website, app or other channel, sometimes including video-conferencing. Medical data is collected and processed; what are the security requirements and standards followed? Other websites provide for online appointments with doctors, which can also involve the processing of medical data.

7.2. Questions: Is your legal framework providing for a regulation of online Medical Treatment and is the on-line appointment system covered by such a framework? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

The Belgian legal framework does not provide any specific regulation concerning online medical treatment. General data protection legislation and principles apply.

Case-law:

/

Other:

The Belgian DPA has not yet issued any opinions, guidelines or recommendations concerning online medical treatment.

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

Medical treatment:

Is it allowed to perform medical treatment via online services? If yes, how should the medical services be provided? Does it have to follow the same requirements of a regular physically-present medical treatment?

At this moment, medical deontology in Belgium requires that a physician be physically present during a consultation with a patient (because a medical evaluation almost always requires some form of clinical examination, which is not possible through online services).

Medical data:

How should the data collected via a medical treatment performed online be processed? Are there specific requirements? Which ones?

General privacy legislation concerning health data applies, but, as stated above and in principle, physicians should be reluctant to participate in online treatment or diagnosis.

Other comments and technologies

Should you wish to describe any technology, feature or trend that has not been covered by the questionnaire, please feel free to use the space provided below. Where relevant, also indicate recent legislation changes, guidelines and/or case law.

Hospitals and hospital physicians participate more and more in telemonitoring projects where several parameters (depending on the specific health problem; e.g., for COPD, heart failure or arrhythmias) are measured at home, usually with specific and dedicated hardware and software (not necessarily apps, but this could be possible), stored (locally and/or in a remote database), transmitted (sometimes in real time) and interpreted automatically and/or manually.

No specific legislation has yet been developed, but the general privacy legislation applies.


BOSNIA AND HERZEGOVINA

QUESTIONNAIRE

The questionnaire should ideally be completed by data protection authorities, health policy authorities, professional or patient associations as well as healthcare providers: you are invited to share it as widely as possible.

Please send your replies to dataprotection@coe.int no later than 15 December 2014.

1. Mobile Health (mHealth) and Electronic Health Records (EHR)

1.1. Data Protection Issues:

This is perhaps the biggest topic sitting at the intersection of technology and data protection. Mobile health (mHealth) and Electronic Health Records (EHR) are increasingly used in healthcare systems and provision; it is a trend that needs to be examined.

As regards EHR, these records are more accurate and more cost-effective (in terms of storage) than paper-based notes. The concept of patient-controlled/patient-accessed EHR has been implemented to varying degrees in different countries.

Furthermore, some non-medical record can still contain health information about users and it should be considered if such records ought to be treated in a similar way to EHR.

Also, should ‘medical data’ as defined in Recommendation N° (97) 5 on the protection of medical data cover physical tracking data, such as pedometers or fitness data and data that can lead to medical information about an individual ?

1.2. Questions: if EHR exist in your country, is your legal framework providing for a regulation of such records? If mHealth exists in your country, is your legal framework providing for a specific regulation? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

EHR in BiH is currently being established and is used in some medical institutions. At the entity level (FBiH and RS), the Law on Health Records in the Health Field of the Federation of BiH ("Off. Gazette of FBiH" No. 37/12) and the Law on Records and Statistical Research in the Health Field of the Republic of Srpska ("Official Gazette of RS" No. 53/07) were adopted, prescribing the records to be kept in the health field, the methods of keeping them, etc.

Relevant regulations that generally relate to health care are:

The Law on Health Protection of RS (“Official Gazette” No. 106/09)

The Law on Health Protection of FBiH ("Official Gazette” of FBiH" No.46/10 and 75/13)

The Law on the Rights, Obligations and Responsibilities of patients in FBiH ("Official Gazette of BiH" No.40/10)

These laws provide for fines as sanctions for violations of their provisions.

Case-law:

Other:

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

EHR and Medical data:

What can be considered medical data in your country? Is it solely the data relating to a person’s health (state, diagnosis, prognosis, medical treatment, etc.)? Is non-medical data that leads to medical information treated the same way as medical data (for instance in terms of confidentiality requirements)? Is the EHR solely constituted of data collected in a medical context or can the individual also himself or herself add information regarding his or her health?

Medical data are data that relate to the health of a person and are defined as a separate category of personal data; in terms of the Law on Personal Data Protection, any entry on the basis of which a medical condition can be determined or disclosed falls into a special category of data.

Health data of an individual are processed in the framework of health records (electronic or material) containing the medical documentation relating to that person. Medical documentation includes written, electronic and other evidence to support certain allegations, which were collected and secured in the process of implementing health care.

Sharing of data and Access:

Who is granted access to the EHR and how is the sharing of information (with other health care providers?) regulated? Where information is shared with pharmacists, is there a strict purpose limitation in place? How has the definition of the responsibility over the medical data been regulated?

Only authorised doctors of medicine are granted access to the EHR.

EHR in BiH has currently been established only in some health institutions and the introduction of electronic prescriptions and establishing communication with pharmacies will gradually be implemented in the coming period.

Data quality:

Are the principles of legitimacy, fairness and minimisation applied to medical data? How are records kept accurate?  How long is the data kept for, is the specific storage period defined for the EHR?

The Law on Health Records in the Health Field of the Federation of BiH ("Off. Gazette of FBiH" No. 37/12) and the Law on Records and Statistical Research in the Health Field of the Republic of Srpska ("Official Gazette of RS" No. 53/07) prescribe the basis, the minimum required data and the responsibility for the accuracy of the data entered.

The retention of health data is limited in time; only dental records are kept permanently.

Data integrity:

Are any specific methods used to ensure the integrity of the data? How are patients identified in the EHR? In the context of research, are anonymisation methods used and what safeguards exist for re-identification?

The laws provide that secondary legislation defines the architecture of the health information system in detail.

Data security:

Where are the records stored? Is there a centralised database of EHR? What security technology is being used?

Electronic records and EHR are stored on a separate partition of the server and are backed up to a server or an external hard drive.

Rights of the person/patient concerned:

How can the right of access be exercised? How can the data be corrected? Can the person enter information in his or her own EHR? What are the legal remedies available? 

The patient has the right to timely information needed in order to decide whether to agree or not to a proposed medical measure.

Informing the patient should be sufficiently comprehensive, accurate and timely.

The right of access to information can be exercised by each patient himself in accordance with the Law on Personal Data Protection.

A statement of the patient can be a source of data for entry into the medical documentation.

Consent:

Is the system based on an opt-in approach? Is the principle of granular consent applied (with the possibility of preventing access to certain data?)? If yes, in which situations?

Data access can be restricted pursuant to Article 28 of the Law on Personal Data Protection because of: national security, defense, public security, health protection, prevention, investigation etc.

Withdrawal:

Are patients able to withdraw the consent given to EHR schemes? If yes, what is the relevant procedure to withdraw such consent? What are the consequences?

The data subject has the right to rectification, erasure and blocking of data that are inaccurate, incorrectly stated or processed in a manner contrary to the law and the rules of processing (Article 27 of the Law on Personal Data Protection).

Outsourcing processing of data:

Is outsourcing common? Under what circumstances? Where is the data outsourced to? What sort of safeguards are in place?

2. Cloud Computing, Data Mining and Profiling from both Medical Records (including EHR) and Data not specifically related to medical records.

2.1. Data Protection Issues:

Cloud computing has brought a new dimension to the way data is stored, accessed and processed. Infrastructure as a service (IaaS), Platform as a service (PaaS), Software as a service (SaaS), Network as a service (NaaS) are all used by services and organisations that deal with both medical data and non-medical data.

With the development of more advanced and efficient data-mining and data-querying techniques (e.g. NoSQL, MapReduce, Hadoop) in conjunction with increased processing power and data storage, mining data has never been more informative, easier, and cost-effective.

Healthcare is a natural sector in which to apply new technologies and methodologies, with particular impacts in epidemiology, public health, health services research, etc.

Data that can lead to the identification of a particular individual and his/her health situation is not limited to medical data per se, present in Electronic Health Records, but also extends to seemingly innocuous types of information.

There is a growing concern that these schemes may be implemented in a manner which does not always respect patients' confidentiality and basic rights, and, in a broader context, that the use of this information may prejudice the individuals concerned.

The ability to track and monitor patients and resources enables a more efficient provision of care but may have an impact on the right to privacy of the individual concerned.

2.2. Questions: Is your legal framework providing for a regulation of Cloud Computing, Data Mining and Profiling? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

No.

The principle of legitimate processing of personal data and the specific provisions relating to the processing of special categories of personal data apply, and for violation of the same the Law provides criminal provisions.

Case-law:

Other:

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

Cloud computing:

How is cloud computing regulated in your country? Which security safeguards and standards are mandatory? Are there specific requirements in order to store medical data in the cloud? How is data shared and is the sharing regulated?

Government:

Do governmental programmes exist to allow for increased data-mining of medical records? If yes, what are the purposes of this data mining? Are private entities allowed to access the data? Under what circumstances? What sort of techniques and technologies are being used? To what end? Are data subjects informed of this type of data-mining?

Private sector:

Are private entities allowed to mine medical data which they process? Under what circumstances? Can the government have access to this data?

Profiling:

Are the government and the private sector allowed to employ profiling methods on medical data? If yes, under what circumstances? Is it allowed to cross and correlate non-medical data with medical data?

3. RFID and wireless communication technologies

3.1. Data Protection Issues:

It is common for medical devices, such as patients’ tags, to possess RFID technologies in order to facilitate the transmission of the patients’ data.

It can also be related to the data-mining operations previously mentioned as it is another category of information that can be used to discern meaningful patterns.

Transmission of data through radio-frequency is not limited to medical devices. Almost any smartphone uses some technology enabling the collection and sharing of the user’s data. For instance, via Wi-Fi it is possible to identify users’ locations and therefore infer some of their behaviour, which in some cases can relate to health information.

3.2. Questions: Is your legal framework providing for a regulation of RFID technologies and the transfer of personal data through wireless technologies? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

No.

The principle of legitimate processing of personal data and the specific provisions relating to the processing of special categories of personal data apply, and for violation of the same the Law provides criminal provisions.

Case-law:

Other:

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

RFID:

How is RFID used in hospital/clinics for (a) resource management, (b) patient care? What types of database systems (and security) are implemented in conjunction with RFID use? How are issues of access, sharing, consent etc. managed considering that RFID may be used without the patients’ knowledge.

Wireless tracking technologies:

Are hospitals/clinics employing other wireless tracking technologies besides RFID? Which ones? Do they have to follow specific security requirements? Which ones?

4. Applications (Mobile)

4.1. Data Protection Issues:

The information society is increasingly relying on the use of “apps” (applications), most of them mobile. These apps are commonly designed to gather personal data, and in practice often process medical data.

Technologies such as multi-touch touchscreen, accelerometers or gyroscopes, ambient light sensors, GPS and cameras, and devices featuring fingerprint and biometric sensors also involve the collection of medical data.

A mobile phone application can monitor accurately physiological data, such as heartbeats, sleep patterns, fitness information.

4.2. Questions: Is your legal framework providing for a regulation of Apps and Mobile Apps? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

Case-law:

Other:

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

Apps:

Is it allowed to use apps and mobile apps to deploy medical services and collect medical data? If yes, which type of individual/organisation can develop and employ these apps? Are there specific security requirements for these types of apps?

Institutions:

Do hospitals/clinics/labs employ apps to gather medical data? Is there a need for a medical treatment to permit the use of an app to process the medical data? Are there specific security requirements for the institutions collecting these data from the apps? Are medico-administrative data used by hospitals/clinics for management purposes?

Tracking technologies:

Do hospitals/clinics/labs employ non-medical apps and devices to track and collect data from their patients? What type of data is collected? For what purpose? Is the data identifiable? Is the data combined with medical data?

Privacy by Design:

Is there any requirement to implement privacy by design in the development of medical apps and tracking apps? If yes, what are the standards?

Consent:

Is the system based on an opt-in approach? Is it necessary for the collection to be in reference to a medical diagnostic? How would this be applied to fitness and daily-basis data?

5. Medical Devices and Wearable Devices

5.1. Data Protection Issues:

A medical device can be defined as: ‘any instrument, apparatus, appliance, software, material or other article, whether used alone or in combination, including the software intended by its manufacturer to be used specifically for diagnostic and/or therapeutic purposes and necessary for its proper application. Such a device should be intended by the manufacturer for one of a number of defined purposes, one of which is, diagnosis, prevention, monitoring, treatment or alleviation of disease’ (Directive 93/42/EEC Article 1:2)

Some eHealth and mHealth devices and apps do not fall within this definition of medical devices, as can also be the case for software working in combination with a physical device, for instance a smartphone.

5.2. Questions: Is your legal framework providing for a regulation of Medical Devices? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

Case-law:

Other:

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

eHealth and mHealth:

Does the concept of Medical device in your country encompass services and apparels in the realm of eHealth and mHealth? What are the requirements? Should, for instance, the medical device be certified before it can be used?

Apps:

Does the concept of medical devices encompass apps? If yes, is there any regulation applicable to apps that perform medical services? Is there any regulation applicable on apps that track non-medical data that can lead to health information? If yes, what type of data?

Privacy by Design:

Is there any requirement to implement privacy by design in the development of medical and/or wearable devices? If yes, what are the standards?

Consent:

Is the system based on an opt-in approach? Is it necessary for the collection to be in reference to a medical treatment? How would this be applied to fitness and daily-basis data?

6. Internet of Things

6.1. Data Protection Issues:

The Internet of Things relates to common, ordinary devices that are now, and increasingly, connected to the Internet, such as cars, fridges, ovens, microwaves, etc. All of these devices can provide data that can reveal information concerning one’s health. A fridge can easily inform on the type of food stored and thus the diet of an individual. One of the biggest challenges of the Internet of Things is to guarantee the right to privacy and data protection in a world where every device collects, processes, analyses and transmits data, commonly via wireless technologies.

In the realm of medical data, the issue mainly arises when crossing seemingly unrelated data that can lead to health information about an individual.

6.2. Questions: Is your legal framework providing for a regulation of the Internet of Things? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

Case-law:

Other:

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

Security:

What are the security standards that need to be employed by these devices when collecting personal data?

Non-medical devices:

Are non-medical devices allowed to collect medical data, such as heart frequency?  Are they allowed to cross medical data with non-medical data?

Privacy by Design:

Is there any requirement to implement privacy by design in the development of connected devices? If yes, what are the standards?

7. Electronic Doctor (online Doctor) and on-line appointments

7.1. Data Protection Issues:

The doctor listens, talks to and assesses the patient online, via a website, app or channel, sometimes including video-conference. Medical data is collected and processed: what are the security requirements and standards followed? Other websites provide for on-line appointments with doctors, which can also involve the processing of medical data.

7.2. Questions: Is your legal framework providing for a regulation of online Medical Treatment and is the on-line appointment system covered by such a framework? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

Case-law:

Other:

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

Medical treatment:

Is it allowed to perform medical treatment via online services? If yes, how should the medical services be provided? Does it have to follow the same requirements of a regular physically-present medical treatment?

Medical data:

How should the data collected via a medical treatment performed online be processed? Are there specific requirements? Which ones?

Other comments and technologies

Should you wish to describe any technology, feature or trend that has not been covered by the questionnaire, please feel free to use the space provided below. Where relevant, also indicate recent legislation changes, guidelines and/or case law.


CROATIA / CROATIE

QUESTIONNAIRE

The questionnaire should ideally be completed by data protection authorities, health policy authorities, professional or patient associations as well as healthcare providers: you are invited to share it as widely as possible.

Please send your replies to dataprotection@coe.int no later than 15 December 2014.

1. Mobile Health (mHealth) and Electronic Health Records (EHR)

1.1. Data Protection Issues:

This is perhaps the biggest topic sitting at the intersection of technology and data protection. Mobile health (mHealth) and Electronic Health Records (EHR) are increasingly used in healthcare systems and provisions – it is a trend that needs to be examined.

Related to the EHR, these records are more accurate and more cost-effective (in terms of storage) than paper-based notes. The concept of patient controlled/accessed EHR has been implemented in varying degrees in different countries.

Furthermore, some non-medical records can still contain health information about users, and it should be considered whether such records ought to be treated in a similar way to EHR.

Also, should ‘medical data’ as defined in Recommendation N° (97) 5 on the protection of medical data cover physical tracking data, such as pedometer or fitness data, and data that can lead to medical information about an individual?

1.2. Questions: if EHR exist in your country, is your legal framework providing for a regulation of such records? If mHealth exists in your country, is your legal framework providing for a specific regulation? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

CIHI (Croatian Institute for Health Insurance):

The implementation of the Central Electronic Health Record (CEHR), called eRecord or Electronic Health Record (EHR), is currently in progress, and works by making use of data which are already exchanged through the system called CEZIH[1] from the following mechanisms: ePrescription, eReferral - PHC laboratory, eReferral (in CEHR or hospital when it is implemented), report after each medical examination (for four activities), report on sick leave.

Legislation:
• Health Care Act, OG 150/08 - 22/14

• Law on Medical Practice, OG 121/03 and 117/08

• Law on Protection of Patients' Rights, OG 169/04 and 37/08

• Law on Personal Data Protection, OG 103/03, 118/06, 41/08, 130/11 and 106 / 12- revised text

• Data Secrecy Act, OG 79/07 and 86/12

• Law on Right to Access Information, OG 25/13

Based on the Law on confidentiality of information, the Law on Protection of Personal Data and the Law on the Right to Access Information, the Governing Council of the Croatian Institute for Health Insurance (hereafter: Institute) adopted on 24 May 2012 an internal act, the Rules of data confidentiality and Right to Access Information of the Croatian Institute for Health Insurance (hereafter: Rules of data confidentiality).

The ways of keeping, storing, collecting and disposing of the medical records of patients under mandatory health insurance in the Central Information System of Croatian Health Care (CEZIH), and the method of keeping personal health records in electronic form, are prescribed by the Regulations.

• Rules on keeping, storing, collecting and disposing of medical records of patients in the Central Information System of Health of the Republic of Croatia, OG 82/10

• Rules on the use and protection of data from medical records of patients in the Central Information System of Health of the Republic of Croatia, OG 14/10

• Rules on Keeping the personal health records in electronic form, OG 82/10

The sanctions in cases of violation of data confidentiality for the employees of the Institute are regulated by Article 21 of the Rules of data confidentiality, which establishes that by acting contrary to the provisions of the Rules on storage and release of classified information, or by failing to comply with the established measures to protect data, the worker commits a serious breach of duty.

Case-law:

Other:

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

EHR and Medical data:

CIHI:

What can be considered medical data in your country? Is it solely the data relating to a person’s health (state, diagnosis, prognosis, medical treatment, etc.)? Is non-medical data that leads to medical information treated the same way as medical data (for instance in terms of confidentiality requirements)? Is the EHR solely constituted of data collected in a medical context or can the individual also himself or herself add information regarding his or her health?

In terms of primary or secondary legislation there is no precise definition of what is considered medical data. In the practice of the Institute, medical data means data relating to the state of health of the insured person, and it is quite broadly defined. For example, medical information can be a medical history, a discharge letter, laboratory findings, diagnostic examinations and other data relating to the state of health of the insured person.

The purpose of the EHR application is to collect medical information and show it to a variety of authorized users in one place in a consistent and ergonomic way. Data intended for storage in the central EHR are received from medical applications through already implemented mechanisms (data on prescribed medicines - ePrescription, the results of laboratory tests - eReferral in primary health care (PHC), specialist opinions - eReferral SKZZ[2] ...)

CEZIH (Central Information System of Health of the Republic of Croatia)

• In the current version the system works over a virtual private network (VPN) which connects all primary health care medical offices, the Croatian Health Insurance Institute (CIHI) and the Croatian Public Health Institute (CPHI)

• Doctors and nurses have access through applications installed in their offices, and CIHI and CPHI through their own applications

• From PHC offices, an individual can connect to the central part of CEZIH through installed software that has successfully passed the appropriate readiness check at CIHI. Since the contracted health care entities purchase their computer hardware and software independently, the responsibility for computer security when using CEZIH functionality, which also includes handling sensitive data, lies with the contracted health care entities or their employees who are the authorized users of CEZIH

• The training of authorized users of CEZIH for work with the software is performed by software houses that have applied for a license for it. Besides the software solutions for medical offices/pharmacies/laboratories, it is necessary to have software support for working with the smart card and a VPN client to ensure a secure connection to the central part of CEZIH, which can be retrieved from the CEZIH website.

Sharing of data and Access:

Who is granted access to the EHR and how is the sharing of information (with other health care providers?) regulated? Where information is shared with pharmacists, is there a strict purpose limitation in place? How has the definition of the responsibility over the medical data been regulated?

CIHI:

The selected doctor of general/family medicine, doctor of dental medicine, specialist in dental medicine, pediatric specialist, specialist in gynecology and specialist in school medicine are required to keep personal medical records of the insured person, and they are also obliged to protect documents held on electronic media from any alteration, premature destruction or unauthorized use.

Data from the personal health records of the insured person shall be delivered in electronic form to the central part of the integrated information system of CEZIH where they are kept.

The CEZIH system works in such a way that only the doctor bound by the Contract can see the medical and the personal information of the patient at the same time. Communication between doctors and other institutions is protected (encrypted), and medical and administrative data are completely separated for other users of the system, which means that e.g. CPHI, when collecting data on health trends, can only see medical cards, without the names and surnames of patients.

The central system can be accessed only by PHC health professionals whom CIHI has registered as members of a team (team holder, replacement, nurse). Pharmacies are obliged to apply for authorization for pharmacists, and laboratories are required to obtain authorization for medical biochemists and laboratory technicians; the application can be downloaded from the CIHI website.

In PHC offices it is necessary to have a computer for the doctor and a computer for the nurse, or a computer for the pharmacist and a computer for the lab technicians. Before procuring equipment, contracted health care institutions are strongly advised to first consult the manufacturer of the software solution they want to use, which received a license from CIHI after the procedure for assessing the readiness of software solutions for working with CEZIH.

Authorized persons with the right to access information from CEZIH are under the exclusive jurisdiction of CIHI, CNIPH, HZZOZZR and MHSW, whose workers may use certain information only for the purpose of creating reports in accordance with current regulations, or for the purpose of creating statistical reports.

Authorized persons are obliged to maintain the secrecy and confidentiality of the patient's medical documentation in CEZIH for the duration of their authorization, as well as after the authority under which they had the right to access that data has ended.

Data quality:

Are the principles of legitimacy, fairness and minimisation applied to medical data? How are records kept accurate?  How long is the data kept for, is the specific storage period defined for the EHR?

CIHI:

The quality and accuracy of the medical data which the EHR application shows is exactly the same as the quality and accuracy of the information that the different client applications exchange through the CEZIH system. If PHC doctors write a short reason for the visit, such as "hard headache", "strong hit in the head" or "chronic weakness", then the review of visits will be more understandable and innovative. If a PHC doctor completely leaves out this kind of information, then the medical review will be of lower quality. The same applies to information about the status of the medical history or the opinion of a doctor, where abbreviations and reducing the amount of information written down should be avoided.

The doctor is obliged to keep accurate, detailed and dated medical records in accordance with the regulations of the records in the health field, which at any time can provide sufficient information about the health condition of the patient and his/hers treatment.

The doctor or other person in charge of a health institution, company or other legal entity performing health activity is obliged to keep data about the ambulatory treatment of patients for ten years after finishing treatment, and after that time they are obliged to act in accordance with the Regulations on keeping documentation.

Data integrity:

Are any specific methods used to ensure the integrity of the data? How are patients identified in the EHR? In the context of research, are anonymisation methods used and what safeguards exist for re-identification?

CIHI:

The point of this whole mechanism is to present the information that is exchanged through the clinical subsystems (such as ePrescription, eReferral etc.), and not data from reports about these processes. This means that the eRecord application will display only the information about the prescribed drug that is contained in the electronic prescription, not the information written in the message after each medical review.

Also shown will be the information on the dispensed drug which is contained in the message on the fulfilment of the prescription (part of the ePrescription mechanism), and not that from an invoice or some other source. Therefore it shows the information on the basis of which the service was provided to the patient, or which arose as a direct result of using the services.

For the purpose of research and the production of various reports, different methods of data anonymization are used, such as masking information, after which re-identification is practically not possible.

Data security:

Where are the records stored? Is there a centralised database of EHR? What security technology is being used?

CIHI:

The data from the transactional mechanisms, such as ePrescriptions and eReferrals, are transferred into the production database of eRecord independently of the patient's consent to data access. In other words, this means that the mechanism of transferring data into the eRecord system is carried out independently of whether the patient has given authorization to access the data or not. In that way, if the patient decides after some time, during which no one had access to the data, to give permission to access, all data will be visible, including those which were collected in the meantime.

Depending on which of the four levels of authorization the patient chooses, these data are given full or limited access, or access is completely banned. The application has an administrative part with two functions: managing the patient's consent to access the data, and printing details about accesses to the EHR. Access to the administrative part of the application is held by the doctor whom the patient chooses.

Every person who works in the field of health care in Croatia has a smart card with his/her identification data and a security certificate. The register of medical professionals is kept by CPHI (Croatian Public Health Institute). The smart card – CEZIH Card – and the entire PKI infrastructure are supported by CIHI.

The CIHI smart card - CEZIH Card - is a multifunctional smart card for personal identification; it contains a qualified digital signature, has a magnetic stripe on the back and an additional protection certificate with a PIN code (which is changeable).

Rights of the person/patient concerned:

How can the right of access be exercised? How can the data be corrected? Can the person enter information in his or her own EHR? What are the legal remedies available? 

CIHI:

The levels of authorisation are:

• The patient does not allow access to his/her EEC - at this level of authorization, users can find a patient and see the basic identification data, but it is shown to them that the patient did not give permission to access his data,

• The patient gives limited access to the data, and only to selected doctors in primary health care (general/family doctor, pediatrician, dentist). Other users can only see the basic identification data and the information that the patient did not give permission to access,

• The patient gives full access to the data with his prior approval - only doctors of PHC (general/family doctors, pediatrician, dentist) can see all data, while other users, after selecting a patient, can see the basic identification data and the information that it is necessary to ask the patient for written consent for permission to access the data. Access should be offered for 1, 15 and 30 days, with the ability to print the statement of agreement as a document,

• The patient gives his full permission to access the medical card – all authorized users with the appropriate role have access to the data, without further permission for access.

However, an authorized user must be able to enable "special access" regardless of whether the patient has given consent to access or not. It must be clearly indicated that this approach is used only in emergency situations (the "break the glass" principle, e.g. when something life-threatening is happening to the patient, the doctor is unable to get his written permission and decides that his data are absolutely necessary).
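The four consent levels and the emergency override described above, as an added illustration that is not CIHI's or CEZIH's code: a Python access-decision function that applies the patient's level, honours a time-limited written consent for non-PHC users, refuses break-glass access without a recorded justification, and appends every decision to an audit log that the patient's doctor can review. Role names, the enforcement of the 1/15/30-day consent durations and the audit record layout are assumptions of this example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import IntEnum
from typing import List


class ConsentLevel(IntEnum):
    """The four patient authorisation levels described in the CIHI reply."""
    NO_ACCESS = 0         # patient does not allow access to the record
    PHC_ONLY = 1          # limited access, selected PHC doctors only
    PHC_OR_WRITTEN = 2    # PHC doctors; other users need written consent
    FULL = 3              # every authorised user with an appropriate role


# Role names are an assumption of this example, not CEZIH's actual role model.
PHC_ROLES = {"gp", "pediatrician", "dentist"}
OTHER_AUTHORISED_ROLES = {"emergency", "specialist", "pharmacist"}
WRITTEN_CONSENT_DAYS = (1, 15, 30)   # durations offered on the printed consent form


@dataclass
class WrittenConsent:
    """A printed, signed statement granting one user access for a fixed period."""
    user_id: str
    granted_on: date
    days: int

    def covers(self, user_id: str, day: date) -> bool:
        if self.days not in WRITTEN_CONSENT_DAYS:
            return False   # reject durations the form does not offer
        return (self.user_id == user_id
                and self.granted_on <= day < self.granted_on + timedelta(days=self.days))


@dataclass
class PatientRecord:
    patient_id: str
    level: ConsentLevel
    written_consents: List[WrittenConsent] = field(default_factory=list)


@dataclass
class Decision:
    scope: str    # "none", "identification" (basic identity data only) or "full"
    reason: str
    emergency: bool = False


# Every decision, granted or refused, is recorded so the patient's doctor can
# print who accessed the record (the "printing details" function above).
AUDIT_LOG: List[dict] = []


def decide_access(record: PatientRecord, user_id: str, role: str, today: date,
                  break_glass: bool = False, justification: str = "") -> Decision:
    """Return what a user may see, applying the consent level or the emergency override."""
    if role not in PHC_ROLES | OTHER_AUTHORISED_ROLES:
        decision = Decision("none", "user is not an authorised CEZIH role")
    elif break_glass:
        # Emergency override works regardless of the consent level, but only with
        # a recorded justification so the access can be reviewed afterwards.
        if not justification.strip():
            decision = Decision("identification", "break-glass access requires a justification")
        else:
            decision = Decision("full", "emergency access without patient consent", emergency=True)
    elif record.level == ConsentLevel.FULL:
        decision = Decision("full", "patient granted full access to all authorised users")
    elif role in PHC_ROLES and record.level >= ConsentLevel.PHC_ONLY:
        decision = Decision("full", "selected PHC doctor at consent level %d" % record.level)
    elif record.level == ConsentLevel.PHC_OR_WRITTEN and any(
            c.covers(user_id, today) for c in record.written_consents):
        decision = Decision("full", "valid written consent on file for this user")
    elif record.level == ConsentLevel.PHC_OR_WRITTEN:
        decision = Decision("identification", "written consent (1, 15 or 30 days) required")
    else:
        decision = Decision("identification", "patient did not give permission to access data")

    AUDIT_LOG.append({"patient_id": record.patient_id, "user_id": user_id, "role": role,
                      "date": today.isoformat(), "scope": decision.scope,
                      "emergency": decision.emergency, "justification": justification})
    return decision


def emergency_accesses(patient_id: str) -> List[dict]:
    """Audit query: break-glass accesses to one record, for after-the-fact review."""
    return [e for e in AUDIT_LOG if e["patient_id"] == patient_id and e["emergency"]]


def demo() -> List[str]:
    """Constructed scenarios; returns the scope decided in each one."""
    rec = PatientRecord("P-001", ConsentLevel.PHC_OR_WRITTEN,
                        [WrittenConsent("spec-7", date(2015, 3, 1), 15)])
    closed = PatientRecord("P-002", ConsentLevel.NO_ACCESS)
    day = date(2015, 3, 10)
    return [
        decide_access(rec, "gp-1", "gp", day).scope,                           # full
        decide_access(rec, "spec-7", "specialist", day).scope,                 # full: consent valid
        decide_access(rec, "spec-7", "specialist", date(2015, 3, 20)).scope,   # identification: expired
        decide_access(rec, "spec-9", "specialist", day).scope,                 # identification: no consent
        decide_access(rec, "er-2", "emergency", day, break_glass=True).scope,  # identification: no reason
        decide_access(rec, "er-2", "emergency", day, break_glass=True,
                      justification="unconscious patient").scope,             # full: emergency, audited
        decide_access(closed, "gp-1", "gp", day).scope,                        # identification: level 0
    ]


if __name__ == "__main__":
    print(demo())
    print(emergency_accesses("P-001"))
```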

The doctor is obliged to keep accurate, detailed and dated medical records in accordance with the regulations on records concerning health, which at every moment can provide relevant information on the health condition of the patient and his/her treatment. The doctor is obliged to present the same documentation on request of the Ministry of Health, government bodies in accordance with special regulations, the Croatian Medical Chamber or a legal authority.

The doctor is obliged to allow the patient access to all medical records relating to the diagnosis and treatment of his/her disease, if and whenever he/she requires it. When an authorized person takes medical documentation in accordance with a special law, he/she is obliged to give an official signed certificate of takeover, with a full list of the documents taken, to the doctor, the responsible person of the health institution/company or any legal person performing health activities.

PDPA (Personal Data Protection Agency):

Regarding the provision of Art. 18 of the Croatian Personal Data Protection Act (OG 106/12 – consolidated text; hereinafter: PDPA), personal data in personal data filing systems shall be adequately protected from accidental or deliberate abuse, destruction, loss, unauthorized alteration or access. Furthermore, the personal data filing system controller and recipient shall undertake appropriate technical, staffing and organisational measures aimed at protecting personal data, necessary for the protection of personal data from accidental loss or destruction and from unauthorized access, unauthorized alterations, unauthorized dissemination and all other forms of abuse, and shall determine the obligation of all persons entrusted with the processing of personal data to sign a confidentiality statement. It is also important to remark that the technical data protection measures are further specified by the Regulation on the manner of storing and special measures of technical protection of the special categories of personal data (OG 139/04).

Also, according to Art. 19 of the PDPA, the personal data filing system controller shall (among other obligations), at the latest within 30 days from receiving a request, allow every data subject or his/her legal representatives or authorised persons access to the personal data filing system records and to the personal data in the personal data filing system relating to the data subject, and allow the copying of such files.

Consent:

Is the system based on an opt-in approach? Is the principle of granular consent applied (with the possibility of preventing access to certain data?)? If yes, in which situations?

CIHI:

The patient will be offered the choice of giving written consent for his/her most important data from the medical card to be available to other health specialists (e.g. emergency medicine, dentistry, etc.), and he/she can also deny, in written form, other health specialists in the Republic of Croatia the right to access the information.

Withdrawal:

Are patients able to withdraw the consent given to EHR schemes? If yes, what is the relevant procedure to withdraw such consent? What are the consequences?

CIHI:

The patient will be given the choice to withdraw their consent at any time (e.g. on returning from a summer vacation or a trip), and to allow only their general/family doctor to have access to the data from their card.

PDPA:

According to Art. 2, para 1, point 8, of the PDPA data subject's consent is any freely given and clear consent by which the data subject indicates his/her approval for his/her personal data to be processed for a specific purpose. Also, the Art. 7, para. 1 of the same Act stipulates that the consent is one of the legal bases for personal data collection and subsequently processing. In relation with that, Art. 7, para. 2, stipulates that the data subject has the right to revoke his/her consent at any time, and request the termination of further processing of his/her data, unless this data is processed for statistical purposes when personal data can no longer lead to the identification of the person it relates to.

Outsourcing processing of data:

Is outsourcing common? Under what circumstances? Where is the data outsourced to? What sort of safeguards are in place?

CIHI:

Outsourcing in the processing of data does not exist.

2. Cloud Computing, Data Mining and Profiling from both Medical Records (including EHR) and Data not specifically related to medical records.

2.1. Data Protection Issues:

Cloud computing has brought a new dimension to the way data is stored, accessed and processed. Infrastructure as a service (IaaS), Platform as a service (PaaS), Software as a service (SaaS), Network as a service (NaaS) are all used by services and organisations that deal with both medical data and non-medical data.

With the development of more advanced and efficient data-mining and data-querying techniques (e.g. NoSQL, MapReduce, Hadoop), in conjunction with increased processing power and data storage, mining data has never been more informative, easier or more cost-effective.

Healthcare is a natural sector in which to apply new technologies and methodologies, with particular impacts in epidemiology, public health, health services research, etc.

Data that can lead to the identification of a particular individual and his/her health situation is not limited to medical data per se, as found in Electronic Health Records, but also extends to seemingly innocuous types of information.

There is a growing concern that these schemes may be implemented in a manner which does not always respect the patients’ confidentiality and basic rights, and, in a broader context, that the use of this information may prejudice the individuals concerned.

The ability to track and monitor patients and resources enables a more efficient provision of care but may have an impact on the right to privacy of the individual concerned.

2.2. Questions: Is your legal framework providing for a regulation of Cloud Computing, Data Mining and Profiling? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

PDPA:

This issue is not specifically regulated by the Croatian legislation. Therefore the general data protection provisions apply to cloud computing. The most relevant PDPA provisions for this case are the following:

- The personal data filing system controller shall process personal data only under conditions stipulated by the PDPA and special acts. (Art 5)

- Personal data may be collected for a purpose known to the data subject, explicitly stated and in accordance with the law, and may be subsequently processed only for the purposes it has been collected for, or for a purpose in line with the purpose it has been collected for. Further processing of personal data for historical, statistical or scientific purposes shall not be considered as incompatible provided that appropriate protection measures are in place. Personal data must be relevant for the accomplishment of the established purpose and shall not be collected in quantities more extensive than necessary for achieving the purpose defined.

Personal data must be accurate, complete and up-to-date.

Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data was collected or for which it is further processed. Appropriate protection measures for personal data stored for longer periods of time for historical, statistical or scientific usage are established by special acts. The personal data filing system controller is responsible for implementing provisions of this Article. (Art 6)

- Special categories of personal data may only be processed: upon consent of the data subject, or if the data processing is necessary to exercise the rights and obligations of the personal data filing system controller based on special regulations, or if the processing is necessary for the protection of life or physical integrity of another person, when the data subject is unable to provide his/her consent for physical or legal reasons, or if the processing is carried out within the scope of legal activity of an institution, association or any other non-profit entity with political, religious or other aim, provided that such processing relates solely to the members of this entity, and that the data obtained is not disclosed to a third party without prior consent of the data subject, or if data processing is necessary to establish, obtain or protect claims prescribed by law, or when the data subject personally published this data, or if data processing is necessary for the purpose of preventive medicine, medical diagnosis, health care or management of health institutions, on the condition that the data is processed by a health official based on rules and regulations adopted by competent authorities. (Art 8)

Also, the provision on data transfer (Art 13) applies to this issue:

- Personal data filing systems or personal data contained in personal data filing systems may be transferred abroad from the Republic of Croatia for further processing only if the state or the international organization the personal data is being transferred to have adequately regulated the legal protection of personal data and have ensured an adequate level of protection. Prior to transferring personal data abroad from the Republic of Croatia, the personal data filing system controller shall, in case of reasonable doubt that an adequate personal data protection system exists, or that the adequate level of protection is ensured, obtain an opinion regarding this issue from the Personal Data Protection Agency.

Exceptionally, personal data forming part of personal data filing systems may be taken out of the Republic of Croatia to states or to international organizations which do not provide for an adequate level of protection only in the following cases: if the data subject consents to the transfer of his/her personal data only for the purpose for which he/she provided consent, or if the transfer is essential for protecting the life or the physical integrity of the data subject, or if the personal data filing system controller provides sufficient guarantees regarding the protection of privacy and the fundamental rights and freedoms of individuals, which might arise from contractual provisions, for which the Personal Data Protection Agency establishes that they comply with regulations in force governing personal data protection, or if the transfer of data is necessary for the execution of a contract between the personal data filing system controller and the data subject, or for the implementation of pre-contractual measures undertaken upon the data subject's request, or if the data transfer is necessary for the conclusion or execution of a contract between the personal data filing system controller and a third person, and which is in the interest of the data subject, or if the data transfer is necessary or determined by law for protecting the public interest or to establish, obtain or protect the claims prescribed by law, or if data is transferred from records the purpose of which, based on the law or another regulation, is to provide public information, and which is available to the public or to any person who can prove a legal interest in it, data may be transferred to the point to which requirements determined for review in a particular case have been prescribed by law.

The PDPA provides the following sanctions (Art. 36) that could be applied in relation to cloud computing:

A fine of HRK 20,000.00 to 40,000.00 shall be charged for the following violations (the person responsible within the legal person, or in the state administration body and in the local and regional self-government unit shall also be fined for the violations from paragraph 1 of this Article in the amount of HRK 5,000.00 to 10,000.00):

- if a processor exceeds his/her authority or collects personal data for a purpose other than that agreed, or discloses them for usage to other recipients or does not ensure the implementation of appropriate personal data protection measures,

- if a personal data filing system controller or the recipient fail to ensure adequate personal data protection,

- if a personal data filing system controller does not, upon request of the data subject, supplement, amend or delete incomplete, incorrect or obsolete data,

- if the personal data filing system controller, the recipient or processing official prevent the Agency from conducting its activities,

- if the personal data filing system controller or processing official fail to respect an order or a prohibition issued by the Agency.

Case-law:

Other:

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

Cloud computing:

How is cloud computing regulated in your country? Which security safeguards and standards are mandatory? Are there specific requirements in order to store medical data in the cloud? How is data shared and is the sharing regulated?

PDPA:

This issue is not specifically regulated by the Croatian legislation. Therefore the general data protection provisions apply to cloud computing. In this regard, the Regulation on the manner of storing and special measures of technical protection of the special categories of personal data (OG 139/04) applies in particular, as well as the following Articles of the PDPA:

Art. 10:

- Based on a contract, the personal data filing system controller may entrust individual tasks regarding the processing of personal data within his/her authority to other natural or legal persons (hereinafter: processor). Tasks regarding personal data processing may be entrusted solely to a processor registered for conducting these activities, who provides sufficient guarantees that appropriate personal data protection measures will be implemented, or, in the case of classified data, who fulfils the requirements determined by special regulations governing the field of information security.

- The contract shall regulate mutual rights and obligations of the personal data filing system controller and the processor, where the processor is in particular under the obligation to:

act only pursuant to an order issued by the personal data filing system controller; not provide personal data to other recipients for usage, nor process it for any other purpose than that defined by the contract; and ensure that the appropriate technical, organizational and staffing measures are in place for personal data protection, in accordance with the provisions stipulated by the PDPA. The contract from paragraph 1 of this Article shall be drawn up in writing.

Art. 18:

Personal data in personal data filing systems shall be adequately protected from accidental or deliberate abuse, destruction, loss, unauthorized alteration or access.

The personal data filing system controller and recipient shall undertake appropriate technical, staffing and organizational measures aimed at protecting personal data, necessary for the protection of personal data from accidental loss or destruction and from unauthorized access, unauthorized alterations, unauthorized dissemination and all other forms of abuse, and to determine the obligation of all persons entrusted with the processing of personal data to sign a confidentiality statement.

Protection measures must be proportionate to the nature of activities of the personal data filing system controller or the recipient, and to the contents of the personal data filing systems.

Also, the following provisions of the Electronic Communications Act (Art. 99 – OG 73/08, 90/11, 133/12, 80/13, 71/14) apply:

Operators of public communications services must take appropriate technical and organisational measures to safeguard security of their services, and, together with the operators of public communications networks take the necessary measures with respect to security of the electronic communications network. Having regard to the available technical and technological solutions and the costs of their implementation, these measures shall ensure a level of security appropriate to the network security risk presented.

In case of a particular risk of a breach of the security of the network, the operator of publicly available electronic communications services must inform the users of its services about such risk. Where the risk lies outside the scope of the measures to be taken by the operator of publicly available electronic communications services, users must be informed about any possible measures for the elimination of the risk and/or consequences thereof, including an indication of the likely costs involved.

Government:

Do governmental programmes exist to allow for increased data-mining of medical records? If yes, what are the purposes of this data mining? Are private entities allowed to access the data? Under what circumstances? What sort of techniques and technologies are being used? To what end? Are data subjects informed of this type of data-mining?

Private sector:

Are private entities allowed to mine medical data which they process? Under what circumstances? Can the government have access to this data?

Profiling:

Are the government and the private sector allowed to employ profiling methods on medical data? If yes, under what circumstances? Is it allowed to cross and correlate non-medical data with medical data?

3. RFID and wireless communication technologies

3.1. Data Protection Issues:

It is common for medical devices, such as patients’ tags, to possess RFID technologies in order to facilitate the transmission of the patients’ data.

It can also be related to the data-mining operations previously mentioned as it is another category of information that can be used to discern meaningful patterns.

Transmission of data through radio-frequency is not limited to medical devices. Almost any smartphone uses some technology enabling it to collect and share the user’s data. For instance, via Wi-Fi it is possible to identify users’ locations and therefore infer some of their behaviour, which in some cases can relate to health information.

3.2. Questions: Is your legal framework providing for a regulation of RFID technologies and the transfer of personal data through wireless technologies? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

PDPA:

This issue is not specifically regulated by the Croatian legislation. Therefore the general data protection provisions apply to RFID. The most relevant PDPA provisions for this case are the same as listed in question 2.2.

Case-law:

Other:

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

RFID:

How is RFID used in hospitals/clinics for (a) resource management, (b) patient care? What types of database systems (and security) are implemented in conjunction with RFID use? How are issues of access, sharing, consent etc. managed, considering that RFID may be used without the patient's knowledge?

Wireless tracking technologies:

Are hospitals/clinics employing other wireless tracking technologies besides RFID? Which ones? Do they have to follow specific security requirements? Which ones?

4. Applications (Mobile)

4.1. Data Protection Issues:

The information society is increasingly relying on the use of “apps” (applications), most of them mobile. These apps are commonly designed to gather personal data, and in practice often process medical data.

Technologies such as multi-touch touchscreen, accelerometers or gyroscopes, ambient light sensors, GPS and cameras, and devices featuring fingerprint and biometric sensors also involve the collection of medical data.

A mobile phone application can accurately monitor physiological data, such as heartbeat, sleep patterns and fitness information.

4.2. Questions: Is your legal framework providing for a regulation of Apps and Mobile Apps? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

PDPA:

This issue is not specifically regulated by the Croatian legislation. Therefore the general data protection provisions apply to applications and mobile applications. The most relevant PDPA provisions for this case are the same as listed in question 2.2.

Case-law:

Other:

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

Apps:

Is it allowed to use apps and mobile apps to deploy medical services and collect medical data? If yes, which type of individual/organisation can develop and employ these apps? Are there specific security requirements for these types of apps?

Institutions:

Do hospitals/clinics/labs employ apps to gather medical data? Is there a need for a medical treatment to permit the use of an app to process the medical data? Are there specific security requirements for the institutions collecting these data from the apps? Are medico-administrative data used by hospitals/clinics for management purposes?

Tracking technologies:

Do hospitals/clinics/labs employ non-medical apps and devices to track and collect data from their patients? What type of data is collected? For what purpose? Is the data identifiable? Is the data combined with medical data?

Privacy by Design:

Is there any requirement to implement privacy by design in the development of medical apps and tracking apps? If yes, what are the standards?

PDPA:

Information on requirements to implement privacy by design is not available. It should be noted that the implemented measures shall comply (among others) with the following PDPA provisions:

Art. 6:

Personal data may be collected for a purpose known to the data subject, explicitly stated and in accordance with the law, and may be subsequently processed only for the purposes it has been collected for, or for a purpose in line with the purpose it has been collected for. Further processing of personal data for historical, statistical or scientific purposes shall not be considered as incompatible provided that appropriate protection measures are in place. Personal data must be relevant for the accomplishment of the established purpose and shall not be collected in quantities more extensive than necessary for achieving the purpose defined. Personal data must be accurate, complete and up-to-date. Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data was collected or for which it is further processed. Appropriate protection measures for personal data stored for longer periods of time for historical, statistical or scientific usage are established by special acts. The personal data filing system controller is responsible for implementing provisions of this Article.

Art. 18:

Personal data in personal data filing systems shall be adequately protected from accidental or deliberate abuse, destruction, loss, unauthorized alteration or access. The personal data filing system controller and recipient shall undertake appropriate technical, staffing and organisational measures aimed at protecting personal data, necessary for the protection of personal data from accidental loss or destruction and from unauthorized access, unauthorized alterations, unauthorized dissemination and all other forms of abuse, and to determine the obligation of all persons entrusted with the processing of personal data to sign a confidentiality statement. Protection measures must be proportionate to the nature of activities of the personal data filing system controller or the recipient, and to the contents of the personal data filing systems.

It should also be taken into consideration that the special categories of personal data can be processed only exceptionally, as stated in Art. 8 of the PDPA (see question 2.2).

Also, the following provisions of the Electronic Communications Act (Art. 99 – OG 73/08, 90/11, 133/12, 80/13, 71/14) apply:

Operators of public communications services must take appropriate technical and organisational measures to safeguard security of their services, and, together with the operators of public communications networks take the necessary measures with respect to security of the electronic communications network. Having regard to the available technical and technological solutions and the costs of their implementation, these measures shall ensure a level of security appropriate to the network security risk presented.

In case of a particular risk of a breach of the security of the network, the operator of publicly available electronic communications services must inform the users of its services about such risk. Where the risk lies outside the scope of the measures to be taken by the operator of publicly available electronic communications services, users must be informed about any possible measures for the elimination of the risk and/or consequences thereof, including an indication of the likely costs involved.

Consent:

Is the system based on an opt-in approach? Is it necessary for the collection to be in reference to a medical diagnostic? How would this be applied to fitness and daily-basis data?

PDPA:

Yes, and therefore the informed consent of the data subject is necessary for data processing. It does not have to be in reference to a medical treatment, but in any case there should be a legal basis for the collection and further processing. As mentioned before, informed consent should cover it.

5. Medical Devices and Wearable Devices

5.1. Data Protection Issues:

A medical device can be defined as: ‘any instrument, apparatus, appliance, software, material or other article, whether used alone or in combination, including the software intended by its manufacturer to be used specifically for diagnostic and/or therapeutic purposes and necessary for its proper application. Such a device should be intended by the manufacturer for one of a number of defined purposes, one of which is, diagnosis, prevention, monitoring, treatment or alleviation of disease’ (Directive 93/42/EEC Article 1:2)

Some eHealth and mHealth devices and apps do not fall within this definition of medical devices, as can also be the case for software working in combination with a physical device, for instance a smartphone.

5.2. Questions: Is your legal framework providing for a regulation of Medical Devices? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

PDPA:

This issue is not specifically regulated by the Croatian legislation. Therefore the general data protection provisions apply to applications and mobile applications. The most relevant PDPA provisions for this case are the same as listed in question 2.2.

Case-law:

Other:

CIHI (AMPMD - Agency for Medicinal Products and Medical Devices):

Data on class I risk medical devices, and also on class IIa, IIb and III risk medical devices which are on the Croatian market, are entered in the Register of Medicinal Products at the Agency for Medicinal Products and Medical Devices. The Database of Medical Devices can be searched according to one or more criteria: name of the medical product; date of the decision; purpose of the medical device; manufacturer of the medical product; the applicant or notification; class of issued document; reg. no. of issued document; risk class of the medical product.

The medical product is intended for:

- diagnosing, preventing, tracking, treating and alleviating disease

- diagnosing, tracking, treating, controlling, reducing or eliminating injury or handicap

- testing, removing, replacing or moderating the anatomy and physiological functions of the organism

- controlling conception

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

eHealth and mHealth:

Does the concept of Medical device in your country encompass services and apparels in the realm of eHealth and mHealth? What are the requirements? Should, for instance, the medical device be certified before it can be used?

CIHI (CAMS - Croatian Academy of Medical Sciences):

Declaration on e-health, Croatian Academy of Medical Sciences (CAMS), Zagreb, April 2011.

http://www.amzh.hr/novosti%20i%20dogadaji.html#_1.

E-Health is the common name for the development, implementation and evaluation of information and communication technologies (ICT) in the health system for the needs of health professionals (routine or professional work; continuous education and lifelong learning; evaluation of professional work and research) and for the needs of all citizens (care for their own health; information about the functioning of health systems; the reliability of health information on the Internet). Nowadays there are different terms for the use of ICT in health and medicine (biomedical, medical and health informatics; health portals; medical advice on the Internet; information for patients; computerization of health care; internetization of health care; telemedicine). It is useful to create a term that includes all of the above, and that is e-Health.

Certification of programming and other solutions: Before being used, each product must pass the certification process, which checks functionality, safety of data and systems, and interoperability. For that purpose it is necessary to set the primary criteria which a product must satisfy, establish a body that will implement the certification process, and define the period for which the certificate will be valid as well as the conditions for a potential re-certification of products. When it comes to the HIS (Health Information System), EHR (Electronic Health Record), etc., the body that implements certification must include different professions:

  1. users and health professionals,
  2. medical informatics and ICT professionals,
  3. lawyers and
  4. other professions and individuals who are potentially interested in the considered problems.

CIHI (AQAHSC - Agency for Quality and Accreditation in Health and Social Care):

Medical technology implies a medical drug, medical device or medical procedure used for the prevention, diagnosis, treatment or rehabilitation of an individual.

The evaluation of health technologies (Health Technology Assessment, HTA) represents a comparison of new and existing health technologies with the technology that is used in practice or is considered the best possible ("gold standard"), on the basis of clinical efficacy and safety, economic analyses, and ethical, legal, social and organizational principles.

The main purpose of health technology evaluation is to give a recommendation for a decision on whether the application of new technologies, or the replacement of existing health technologies, is justified. The recommendation on the justification of using new or replacing existing health technology is impartial, professional, objective and transparent.

The procedure for the evaluation of health technologies is performed by the Agency for Quality and Accreditation in Health and Social Welfare (Department of Development, Research and Health Technology), based on Article 36 of the Law on the Quality of Health Care and Social Welfare, OG 124/11. The Agency carries out the procedure according to the "Croatian guidelines for the evaluation of health technologies".

The evaluation of health technology can refer to:

- the assessment of one technology for one indication (Single Technology Assessment, STA) compared to the best existing one;

- the assessment of multiple technologies for one indication or of one technology for multiple indications (Multiple Technology Assessment, MTA) compared to the best existing one.

The final product of the evaluation of health technology is a written document - a recommendation which includes the following components (domains):

- Description of health problems and treatment,

- Description of new health technologies and technology comparisons,

- Clinical effectiveness,

- Security,

- Cost and economic evaluation,

- Ethical principles,

- Organizational principles,

- Social principles,

- Legal principles.

Apps:

Does the concept of medical devices encompass apps? If yes, is there any regulation applicable to apps that perform medical services? Is there any regulation applicable on apps that track non-medical data that can lead to health information? If yes, what type of data?

Privacy by Design:

Is there any requirement to implement privacy by design in the development of medical and/or wearable devices? If yes, what are the standards?

PDPA:

Information on requirements to implement privacy by design is not available. Please see the general requirements under question 4 – privacy by design.

Consent:

Is the system based on an opt-in approach? Is it necessary for the collection to be in reference to a medical treatment? How would this be applied to fitness and daily-basis data?

PDPA:

Yes, and therefore the informed consent of the data subject is necessary for data processing. It does not have to be in reference to a medical treatment, but in any case there should be a legal basis for the collection and further processing. As mentioned before, informed consent should cover it.

6. Internet of Things

6.1. Data Protection Issues:

The Internet of Things relates to common, ordinary devices that are now, and increasingly, connected to the Internet, such as cars, fridges, ovens, microwaves, etc. All of these devices can provide data that can reveal information concerning one’s health. A fridge can easily reveal the type of food stored and thus the diet of an individual. One of the biggest challenges of the Internet of Things is to guarantee the right to privacy and data protection in a world where every device collects, processes, analyses and transmits data, commonly via wireless technologies.

In the realm of medical data, the issue mainly arises when crossing seemingly unrelated data that can lead to health information about an individual.

6.2. Questions: Is your legal framework providing for a regulation of the Internet of Things? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

PDPA:

This issue is not specifically regulated by the Croatian legislation. Therefore the general data protection provisions apply to the Internet of Things. The most relevant PDPA provisions for this case are the same as listed in question 2.2.

Case-law:

Other:

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

Security:

What are the security standards that need to be employed by these devices when collecting personal data?

According to Art. 18 of the PDPA:

Personal data in personal data filing systems shall be adequately protected from accidental or deliberate abuse, destruction, loss, unauthorized alteration or access. The personal data filing system controller and recipient shall undertake appropriate technical, staffing and organizational measures aimed at protecting personal data, necessary for the protection of personal data from accidental loss or destruction and from unauthorized access, unauthorized alterations, unauthorized dissemination and all other forms of abuse, and to determine the obligation of all persons entrusted with the processing of personal data to sign a confidentiality statement. Protection measures must be proportionate to the nature of activities of the personal data filing system controller or the recipient, and to the contents of the personal data filing systems.

The Regulation on the manner of storing and special measures of technical protection of the special categories of personal data (OG 139/04) also applies.

Non-medical devices:

Are non-medical devices allowed to collect medical data, such as heart frequency? Are they allowed to cross medical data with non-medical data?

PDPA:

Yes, both options are possible if the PDPA requirements are fulfilled.

Privacy by Design:

Is there any requirement to implement privacy by design in the development of connected devices? If yes, what are the standards?

PDPA:

Information on requirements to implement privacy by design is not available. Please see the general requirements under question 4 – privacy by design.

7. Electronic Doctor (online Doctor) and on-line appointments

7.1. Data Protection Issues:

The doctor listens, talks and assesses the patient online, via a website, app or channel, sometimes including video-conference. Medical data is collected and processed; what are the security requirements and standards followed? Other websites provide for on-line appointments with doctors, which can also involve the processing of medical data.

7.2. Questions: Is your legal framework providing for a regulation of online Medical Treatment and is the on-line appointment system covered by such a framework? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

PDPA:

This issue is not specifically regulated by the Croatian legislation. Therefore, the general data protection provisions apply to on-line medical services. The most relevant PDPA provisions for this case are the same as those listed in question 2.2.

Case-law:

Other:

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

Medical treatment:

Is it allowed to perform medical treatment via online services? If yes, how should the medical services be provided? Does it have to follow the same requirements of a regular physically-present medical treatment?

CIHI: (CIT - Croatian Institute for Telemedicine)

Telemedicine is the provision of medical care at a distance. It is about the transfer of information over a distance between two sides: the patient and a doctor, or between healthcare professionals.

Using the most advanced information and communications technology, with cameras, screens and medical diagnostic devices, enables the simultaneous connection of patients and medical specialists, no matter the distance. The medical services provided can include the medical examination, diagnosis with the help of special medical equipment, and therapies.

A telemedical examination is the same as a regular medical examination, except that in this way you will see and talk to the specialist through screens and cameras. The specialist with whom you have agreed a medical examination will have most of the information about you before you even arrive, but sometimes it may be necessary to bring some medicines or medical reports. During the telemedicine examination a healthcare professional qualified to work with the telemedicine equipment is present, because he or she needs to visualise your state of health through the specific medical equipment needed for your medical review.

Medical data:

How should the data collected via a medical treatment performed online be processed? Are there specific requirements? Which ones?

CHI: CIT

Just like a regular examination by a doctor of medicine, a telemedicine examination is private and confidential. Only the patient, any accompanying person, and the health care professionals involved in the medical examination can have access to the data. The technology used conveys information between users in urban, rural and hard-to-reach areas in a safe way.

The Croatian Institute for Telemedicine is a public, topic and professional institution founded to promote the use of new techniques and technologies for diagnosis and treatment at a distance in the Republic of Croatia, according to the Amendments to the Act on Law on Health Care.

Other comments and technologies

Should you wish to describe any technology, feature or trend that has not been covered by the questionnaire, please feel free to use the space provided below. Where relevant, also indicate recent legislation changes, guidelines and/or case law.


ESTONIA / ESTONIE

QUESTIONNAIRE

1. Mobile Health (mHealth) and Electronic Health Records (EHR)

1.1. Data Protection Issues:

This is perhaps the biggest topic sitting at the intersection of technology and data protection. Mobile health (mHealth) and Electronic Health Records (EHR) are increasingly used in healthcare systems and provisions – it is a trend that needs to be examined.

Related to the EHR, these records are more accurate, cost-effective (in terms of storage) than paper-based notes. The concept of patient controlled/accessed EHR has been implemented in varying degrees in different countries.

Furthermore, some non-medical records can still contain health information about users, and it should be considered whether such records ought to be treated in a similar way to EHR.

Also, should ‘medical data’ as defined in Recommendation N° (97) 5 on the protection of medical data cover physical tracking data, such as pedometer or fitness data, and data that can lead to medical information about an individual?

1.2. Questions: if EHR exist in your country, is your legal framework providing for a regulation of such records? If mHealth exists in your country, is your legal framework providing for a specific regulation? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

The governing act is the Health Services Organisation Act[3], specifically chapter 5¹ (Health Information System). The Government of the Republic established the Health Information System and its statutes by regulation: the Statute of the Health Information System (Government Statute no 131 of 14 August 2008)[4]. Statute no 53 of 17 September 2008 of the Ministry of Social Affairs governs the Composition of Data, Conditions and Order of Maintaining of the Documents Forwarded to the Health Information System. The e-prescription system is regulated by the Medicinal Products Act and Government Statute no 130 of 14 August 2008.

State supervision over the Health Information System is conducted by the chief processor (Ministry of Social Affairs), Estonian Information System's Authority (Riigi Infosüsteemi Amet)[5], Data Protection Inspectorate and Health Board (Terviseamet).

All the processing of personal data is logged in the Health Information System.

No specific legislation for mHealth from the state side, therefore the general requirements for data processing derive from the Personal Data Protection Act[6].

Case-law:

Law of Obligations Act[7] § 768 (1): Providers of health care services and persons participating in the provision of health care services shall maintain the confidentiality of information regarding the identity of patients and their state of health which has become known to them in the course of providing health care services or performing their official duties and they shall ensure that the information contained in documents specified in § 769 of this Act[8] does not become known to other persons unless otherwise prescribed by law or by agreement with the patient.

Health care providers, who have the obligation to maintain confidentiality arising from law, have the right to process personal data required for the provision of a health service, including sensitive personal data, without the permission of the data subject. The data processing is also permitted if it is processed with the data subject’s informed consent.

A health care provider does not have the right to process the data subject’s personal data for personal purposes. If a health care provider processes the data subject’s personal data without the data subject’s consent and the processing is not carried out to provide a health service, then the data processor breaches the Health Services Organisation Act and the Personal Data Protection Act.

Data Protection Inspectorate supervises according to the Personal Data Protection Act. Sanctions are stipulated in the Personal Data Protection Act §§ 42 and 43. A fine up to 300 fine units (for a natural person) is 1200 euros.

Illegal disclosure of a patient’s personal data may in some cases be a criminal offence – see Penal Code[9] §§ 157 and 157¹. The legislator has reassessed the Penal Code[10] §§ 157 and 157¹ and after 01.01.2015[11] the necessary elements of the offence are changed to misdemeanours (except in the case of § 157¹ (2) and (4)). After 01.01.2015 the offence is a misdemeanour in the following case: illegal disclosure of sensitive personal data, enabling access to such data or transfer of such data. The case is a criminal offence if the same elements of the offence are met and it is done for personal gain or if damage is caused to another person.

Other:

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

EHR and Medical data:

What can be considered medical data in your country? Is it solely the data relating to a person’s health (state, diagnosis, prognosis, medical treatment, etc.)? Is non-medical data that leads to medical information treated the same way as medical data (for instance in terms of confidentiality requirements)? Is the EHR solely constituted of data collected in a medical context or can the individual also himself or herself add information regarding his or her health?

Personal Data Protection Act § 4 (1): Personal data are any data concerning an identified or identifiable natural person, regardless of the form or format in which such data exist.

Personal Data Protection Act § 4 (2) p 3: The following are sensitive personal data: data on the state of health or disability.

Ministry of Social Affairs and Estonian eHealth Foundation[12]: Medical data is the data related to the healthcare services provided by health care professionals (state, diagnosis, prognosis, medical treatment, etc.). The conditions and procedure for maintaining records of the provision of health services are regulated by law. If non-medical data contains sensitive data, the data should be kept confidential.

The DPA finds that non-medical data that leads to medical information needs to be treated the same way as medical data, because this data may reveal the patient’s sensitive data and therefore cause damage to the person.

The health care providers add the personal data to the Health Information System, but the patient can also add personal data about him/herself: e.g. Health Services Organisation Act § 59² (1²). Individuals are allowed to add/change information concerning only general data (contact details). The System’s statute states that a person has the right to submit (and rectify) personal data to the System if the source of the data in the System is the patient’s statements.

Sharing of data and Access:

Who is granted access to the EHR and how is the sharing of information (with other health care providers?) regulated? Where information is shared with pharmacists, is there a strict purpose limitation in place? How has the definition of the responsibility over the medical data been regulated?

All healthcare providers must send data to EHR. Access only to licensed medical professionals – the attending doctor concept.

The ID card is used for authentication and digital signature.

Granting access to data in the Health Information System is stipulated in the Health Services Organisation Act § 59³. Specific regulation is in the statute of the Health Information System.

The chief processor of the Digital Prescription Centre forwards the following data to the Health Information System: data of the delivered medicinal product and data of the medical prescription. Information is shared with pharmacists via the Prescription Centre. Pharmacists do not have access to the EHR.

The responsibility is regulated by law (Health Services Organisation Act).

Data quality:

Are the principles of legitimacy, fairness and minimisation applied to medical data? How are records kept accurate?  How long is the data kept for, is the specific storage period defined for the EHR?

The principles of legitimacy, fairness and minimisation are applied to medical data. There is a regulation in place on how to store medical data.

The patient has access to his/her personal data electronically and can request rectification of his/her data from the person who submitted the personal data to the Health Information System. All processing of personal data is logged in the Health Information System (state registry). The logs are kept permanently in the Health Information System.

The storage period for data in the Health Information System is permanent (unless the law states otherwise). Medical images are kept in the System for 30 years, except medical images for dental purposes, which are kept for 15 years. For health care providers there is a specific period for specific documents. The health care providers also have the duty to retain personal data, but in their case the retention period is different – in some cases up to 110 years[13]. See also Health Services Organisation Act § 42.

Data integrity:

Are any specific methods used to ensure the integrity of the data? How are patients identified in the EHR? In the context of research, are anonymisation methods used and what safeguards exist for re-identification?

Standard rules for data processing: HL7 (for medical documents) and DICOM (Picture Archive). Patients are identified by personal identification code[14]. Anonymisation is used in the context of research. Coding/recoding systems are applied in order to ensure anonymisation.

Processing of personal data for the needs of scientific research or official statistics is regulated in the Personal Data Protection Act § 16. See also Health Services Organisation Act § 59³ (5¹) and § 59⁴.

Data security:

Where are the records stored? Is there a centralised database of EHR? What security technology is being used?

Records are stored in the centralised database of the Estonian E-Health Foundation[15] and also in the infrastructure of hospitals/clinics. The central database uses many different security principles, for example:

- (transparent) database encryption;

- digitally signing/stamping records;

- data quality validation;

- separation of duties and validation of database querying (4-eye principle) in the backend;

- principle of least privilege;

- accountability (authentication, authorization, audit trail, tracing);

- 2-factor authentication;

- penetration testing of web applications;

- and so on.

The health service providers are obliged to forward data to the central system, but they also need to retain data that they create (see also 1.2. Data quality).

For System security see: http://www.e-tervis.ee/index.php/en/health-information-system/electronic-health-record/system-security

Rights of the person/patient concerned:

How can the right of access be exercised? How can the data be corrected? Can the person enter information in his or her own EHR? What are the legal remedies available? 

A patient has access to his or her personal data in the Health Information System. Patient accesses the Health Information System with his/her personal ID-card[16]. The patient can request rectification of his/her data from the person who submitted the personal data to the Health Information System. See also Health Services Organisation Act § 592 (12).

Regarding the centralised system:

frontend: the person must be registered as a medical employee in a registered medical service organisation.

backend: based on job duties and need to know, plus validation of database querying.

Data can be corrected by the person/institution who is allowed to and who entered the data in the first place. Logs are followed. Individuals are allowed to add/change information concerning only general data (contact details).

Consent:

Is the system based on an opt-in approach? Is the principle of granular consent applied (with the possibility of preventing access to certain data?)? If yes, in which situations?

All the health care providers are obligated to send data to the central system.

See also Health Services Organisation Act § 59³ (1), (3) and (4). The patient has the right to prohibit access to personal data, either to all personal data or by restricting access to a specific document.

Data access policy: opt out

The patient has the right to close his/her own data collected in the central database (opt out).

Patients can access their own data (Patient’s Portal). In order to protect a patient’s life or health, a health care provider may set a time limit upon forwarding data to the Information System, during which the patient can first examine his or her personal data only through a health care professional.

Patients can monitor visits to their data in the Health Information System (all actions leave a secure trail).
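The security principles listed under Data security above (record stamping, least privilege, audit trail) and the opt-out rules described in this Consent section combine into one access model. The following is an added illustration of that model, not code from the Estonian Health Information System or the E-Health Foundation: only registered medical employees may forward a document, only licensed professionals may read one, a patient may close all of his or her data or a single document, the patient's own portal access is unaffected by the closure, every access attempt (denied ones included) lands in an append-only trail the patient can inspect, and each record carries an integrity stamp. HMAC-SHA256 stands in here for the system's digital signing/stamping; all user names, roles and records are constructed for the example.

```python
"""Added illustration of record stamping, opt-out and audit trail for a
central health record store. Not the Estonian system's code; every name,
role and record below is constructed for this example."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed stamping key. A real deployment would use an asymmetric
# signature with the key held in an HSM, never a constant in source.
STAMP_KEY = b"example-stamp-key-not-for-production"


@dataclass
class User:
    user_id: str
    registered: bool   # employee of a registered medical organisation
    licensed: bool     # licensed medical professional (may read records)


@dataclass
class Record:
    doc_id: str
    patient_id: str
    author_id: str
    body: str
    stamp: str = ""


class AccessDenied(Exception):
    pass


class HealthRecordStore:
    def __init__(self):
        self.records = {}              # doc_id -> Record
        self.audit = []                # append-only trail, never pruned
        self.closed_patients = set()   # patients who closed all their data
        self.closed_docs = set()       # single documents closed by a patient

    def _stamp(self, rec):
        payload = json.dumps([rec.doc_id, rec.patient_id, rec.author_id, rec.body]).encode()
        return hmac.new(STAMP_KEY, payload, hashlib.sha256).hexdigest()

    def _log(self, actor_id, action, doc_id, patient_id, allowed):
        self.audit.append({"time": datetime.now(timezone.utc).isoformat(),
                           "actor": actor_id, "action": action, "doc": doc_id,
                           "patient": patient_id, "allowed": allowed})

    def submit(self, author, rec):
        """Only registered medical employees may forward a document."""
        self._log(author.user_id, "submit", rec.doc_id, rec.patient_id, author.registered)
        if not author.registered:
            raise AccessDenied("submitter is not a registered medical employee")
        rec.stamp = self._stamp(rec)
        self.records[rec.doc_id] = rec

    def verify(self, doc_id):
        """Integrity check: does the stored content still match its stamp?"""
        rec = self.records[doc_id]
        return hmac.compare_digest(rec.stamp, self._stamp(rec))

    def close_all(self, patient_id):
        self.closed_patients.add(patient_id)
        self._log(patient_id, "close_all", None, patient_id, True)

    def close_document(self, patient_id, doc_id):
        """A patient may close only a document that concerns him or her."""
        if self.records[doc_id].patient_id != patient_id:
            raise AccessDenied("document does not belong to this patient")
        self.closed_docs.add(doc_id)
        self._log(patient_id, "close_doc", doc_id, patient_id, True)

    def read(self, reader, doc_id):
        """Professional access: licence required and the opt-out honoured."""
        rec = self.records[doc_id]
        allowed = (reader.registered and reader.licensed
                   and rec.patient_id not in self.closed_patients
                   and doc_id not in self.closed_docs)
        self._log(reader.user_id, "read", doc_id, rec.patient_id, allowed)
        if not allowed:
            raise AccessDenied(f"{reader.user_id} may not read {doc_id}")
        return rec

    def patient_read(self, patient_id, doc_id):
        """Patient portal: the patient's own access is not affected by opt-out."""
        rec = self.records[doc_id]
        allowed = rec.patient_id == patient_id
        self._log(patient_id, "patient_read", doc_id, rec.patient_id, allowed)
        if not allowed:
            raise AccessDenied("not this patient's document")
        return rec

    def patient_audit_view(self, patient_id):
        """Everything that happened to this patient's data, denied attempts included."""
        return [e for e in self.audit if e["patient"] == patient_id]


def demo():
    """Constructed scenario; returns (read outcomes, stamp ok, stamp after tamper, audit size)."""
    store = HealthRecordStore()
    doctor = User("dr-a", registered=True, licensed=True)
    clerk = User("clerk-b", registered=True, licensed=False)
    store.submit(doctor, Record("doc-1", "pat-1", "dr-a", "constructed visit note"))
    intact = store.verify("doc-1")
    outcomes = []
    for reader in (doctor, clerk):
        try:
            store.read(reader, "doc-1")
            outcomes.append(True)
        except AccessDenied:
            outcomes.append(False)
    store.close_document("pat-1", "doc-1")       # patient opts out of this document
    try:
        store.read(doctor, "doc-1")
        outcomes.append(True)
    except AccessDenied:
        outcomes.append(False)
    store.records["doc-1"].body = "tampered"     # simulate an out-of-band change
    return outcomes, intact, store.verify("doc-1"), len(store.patient_audit_view("pat-1"))


if __name__ == "__main__":
    print(demo())
```

In the scenario the doctor reads once, the unlicensed clerk is refused, the doctor is refused again after the patient closes the document, the tampered record fails its stamp check, and all five events (including the two refusals) are visible to the patient through `patient_audit_view`. Keeping the trail append-only and logging before the decision is taken are the two choices that make the "all actions leave a secure trail" property hold even for failed attempts.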

Withdrawal:

Are patients able to withdraw the consent given to EHR schemes? If yes, what is the relevant procedure to withdraw such consent? What are the consequences?

Patient can express his or her wish
1) to donate cells, tissues or organs for transplantation after his or her death;
2) to donate his or her body for academic work;
3) about blood transfusions;
4) to name contact person;
5) to name a person who is authorized to purchase medication on behalf of the patient.

To withdraw the consent, the patient has to sign in to the patient portal, authenticating with an ID card or MobileID.

Outsourcing processing of data:

Is outsourcing common? Under what circumstances? Where is the data outsourced to? What sort of safeguards are in place?

Healthcare providers enter data to central system according to law (Health Services Organization Act; Statute of Health Information System (governments Statute no 131 August 14th 2008)), data is also provided by national registers, databases and information systems. To fulfill their obligation the Public Information Act is applied (data exchange systems).

2. Cloud Computing, Data Mining and Profiling from both Medical Records (including EHR) and Data not specifically related to medical records.

2.1. Data Protection Issues:

Cloud computing has brought a new dimension to the way data is stored, accessed and processed. Infrastructure as a service (IaaS), Platform as a service (PaaS), Software as a service (SaaS), Network as a service (NaaS) are all used by services and organisations that deal with both medical data and non-medical data.

With the development of more advanced and efficient data-mining and data-querying techniques (e.g. NoSQL, MapReduce, Hadoop) in conjunction with increased processing power and data storage, mining data has never been more informative, easier, and cost-effective.

Healthcare is a natural sector in which to apply new technologies and methodologies, with particular impacts in epidemiology, public health, health services research, etc.

Data that can lead to the identification of a particular individual and his/her health situation is not limited to medical data per se, present on Electronic Health Records, but also to unsuspicious type of information.

There is a growing concern that these schemes may be implemented in a manner which does not always respect the patients’ confidentiality and basic rights, and, in a broader context, the use of this information may prejudice the individuals concerned.

The ability to track and monitor patients and resources enables a more efficient provision of care but may have an impact on the right to privacy of the individual concerned.

2.2. Questions: Is your legal framework providing for a regulation of Cloud Computing, Data Mining and Profiling? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

Cloud computing is not regulated by the legal framework.

Data mining and profiling are regulated by the Health Services Organisation Act.

Personal Data Protection Act is applicable for data mining. The processing of personal data has to comply with the principles of processing personal data[17].

Case-law:

Data Protection Inspectorate supervises according to the Personal Data Protection Act. Sanctions are stipulated in the Personal Data Protection Act §§ 42 and 43. A fine up to 300 fine units (for a natural person) is 1200 euros.

Other:

The DPA finds that cloud computing may pose a threat of unlawful access to personal data, and in the case of health records the danger of infringement of a person’s rights is greater – e.g. where the data is stored abroad (even outside the EU) and the Cloud’s owner may have access to the data stored within the Cloud.

The DPA also notes that the Article 29 Data Protection Working Party has issued opinion 05/2012[18] on Cloud Computing.

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

Cloud computing:

How is cloud computing regulated in your country? Which security safeguards and standards are mandatory? Are there specific requirements in order to store medical data in the cloud? How is data shared and is the sharing regulated?

Medical data is not stored in cloud. No specific regulation, but the Personal Data Protection Act is applicable if processing is carried out in the territory of Estonian Republic. For specific mandatory measures, see aforementioned Act’s chapter 4.

If data is being shared it needs to have a legitimate ground – either an informed consent or the processing is provided in the law.

Government:

Do governmental programmes exist to allow for increased data-mining of medical records? If yes, what are the purposes of this data mining? Are private entities allowed to access the data? Under what circumstances? What sort of techniques and technologies are being used? To what end? Are data subjects informed of this type of data-mining?

There are specific rules on how to use medical data for the purposes of scientific research or statistics.

Data subjects are not informed of data-mining if data is used through the central system. Access is allowed according to the law (Health Services Organisation Act § 59³ (5¹)).

Private sector:

Are private entities allowed to mine medical data which they process? Under what circumstances? Can the government have access to this data?

Access is allowed according to the law (Health Services Organisation Act).

General rule is that the health care providers, who have the obligation to maintain confidentiality arising from law, have the right to process personal data required for the provision of a health service, including sensitive personal data, without the permission of the data subject.

But if the purpose of the processing changes, the processing needs to be carried out with a legitimate ground – either consent or if the processing is prescribed by the law.

The government has no direct access to this data.

Profiling:

Are the government and the private sector allowed to employ profiling methods on medical data? If yes, under what circumstances? Is it allowed to cross and correlate non-medical data with medical data?

Access is allowed according to the law (Health Services Organisation Act). There are no specific requirements depending on whether the health care provider is a governmental or a private organisation. They are allowed to mine data if they offer medical treatment according to the law.

3. RFID and wireless communication technologies

3.1. Data Protection Issues:

It is common for medical devices, such as patients’ tags, to possess RFID technologies in order to facilitate the transmission of the patients’ data.

It can also be related to the data-mining operations previously mentioned as it is another category of information that can be used to discern meaningful patterns.

Transmission of data through radio-frequency is not limited to medical devices. Almost any smartphone uses some technology enabling it to collect, and share, the user’s data. For instance, via Wi-Fi it is possible to identify users’ locations and therefore infer some of their behaviour, which in some cases can relate to health information.

3.2. Questions: Is your legal framework providing for a regulation of RFID technologies and the transfer of personal data through wireless technologies? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

There is no specific RFID regulation. The topic is covered by the generic data protection law (see above), which is mandatory for governmental and private organisations. The processing of personal data has to comply with the principles of processing personal data.

In addition, there is a mandatory information security standard, ISKE (https://www.ria.ee/iske-en), which describes several security measures regarding wireless technologies (WiFi, Bluetooth).

Case-law:

Data Protection Inspectorate supervises according to the Personal Data Protection Act. Sanctions are stipulated in the Personal Data Protection Act §§ 42 and 43. A fine up to 300 fine units (for a natural person) is 1200 euros.

Other:

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

RFID:

How is RFID used in hospital/clinics for (a) resource management, (b) patient care? What types of database systems (and security) are implemented in conjunction with RFID use? How are issues of access, sharing, consent etc. managed considering that RFID may be used without the patients’ knowledge.

The DPA, Ministry of Social Affairs and Estonian E-Health Foundation have no info for the use of RFID in hospitals/clinics.

Wireless tracking technologies:

Are hospitals/clinics employing other wireless tracking technologies besides RFID? Which ones? Do they have to follow specific security requirements? Which ones?

The DPA, Ministry of Social Affairs and Estonian E-Health Foundation have no info on the use of other wireless tracking technologies besides RFID in hospitals/clinics.

4. Applications (Mobile)

4.1. Data Protection Issues:

Information society is increasingly relying on the use of “apps” (application), most of them mobile. These apps are commonly designed to gather personal data, and in practice often process medical data.

Technologies such as multi-touch touchscreen, accelerometers or gyroscopes, ambient light sensors, GPS and cameras, and devices featuring fingerprint and biometric sensors also involve the collection of medical data.

A mobile phone application can accurately monitor physiological data, such as heartbeats, sleep patterns and fitness information.

4.2. Questions: Is your legal framework providing for a regulation of Apps and Mobile Apps? If not, how is the general data protection legislation applied to cover it? Please indicate the legislation (as well as possible sanctions envisaged in case of violations), guidelines, DPAs’ opinions and/or case law.

Legislation:

Ministry of Social Affairs and Estonian E-Health Foundation: Apps and Mobile Apps with a medical purpose are medical devices. They are regulated by the Medical Devices Act[19].

Also the Personal Data Protection Act is applicable. The processing of personal data has to comply with the principles of processing personal data.

Case-law:

Data Protection Inspectorate supervises according to the Personal Data Protection Act. Sanctions are stipulated in the Personal Data Protection Act §§ 42 and 43. A fine up to 300 fine units (for a natural person) is 1200 euros.

Other:

The DPA also notes that the Article 29 Data Protection Working Party has issued opinion 02/2013[20] on apps on smart devices and opinion 13/2011[21] on geolocation services on smart mobile devices.

The DPA finds that in case of mobile apps the developer has to use privacy by design and provide a clear and understandable privacy policy for the app’s user prior to installing the app.

Specific questions (for each section, please indicate where possible recent legislation changes, guidelines, DPAs’ opinions and/or case law).

Apps:

Is it allowed to use apps and mobile apps to deploy medical services and collect medical data? If yes, which type of individual/organisation can develop and employ these apps? Are there specific security requirements for these types of apps?

Ministry of Social Affairs and Estonian E-Health Foundation: Apps and Mobile Apps with a medical purpose are medical devices. They are regulated by the Medical Devices Act.

DPA: If an enterprise uses the app, the processing has to comply with the principles of processing personal data.