Response of the German Medical Association



Similar documents
European Commission initiatives on e- and mhealth

COCIR contribution to the public consultation on Personal Data Protection in the EU 1

Written Contribution of the National Association of Statutory Health Insurance Funds of

Data protection compliance checklist

Code of Ethics for Pharmacists and Pharmacy Technicians

Article 29 Working Party Issues Opinion on Cloud Computing

CCBE RESPONSE REGARDING THE EUROPEAN COMMISSION PUBLIC CONSULTATION ON CLOUD COMPUTING

Cloud Computing Security Considerations

COMMISSION STAFF WORKING DOCUMENT. on the existing EU legal framework applicable to lifestyle and wellbeing apps. Accompanying the document

Observations on international efforts to develop frameworks to enhance privacy while realising big data s benefits

Align Technology. Data Protection Binding Corporate Rules Processor Policy Align Technology, Inc. All rights reserved.

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER

// CODE OF ETHICS FOR DENTISTS IN THE EUROPEAN UNION

Data protection at the cost of economic growth?

BIO-PARTNERING EUROPE EVENT SPEECH PAOLA TESTORI COGGI DIRECTOR GENERAL FOR HEALTH AND CONSUMERS EUROPEAN COMMISSION

Draft Code of Conduct on privacy for mobile health applications

ECSA EuroCloud Star Audit Data Privacy Audit Guide

Data Protection Breach Management Policy

Using AWS in the context of Australian Privacy Considerations October 2015

Formal response to the Consultation Paper: Monitoring and Regulation of Migration

Privacy and Cloud Computing for Australian Government Agencies

Message from Dr York Y N CHOW, GBS, JP Secretary for Food and Health

005ASubmission to the Serious Data Breach Notification Consultation

Summary of feedback on Big data and data protection and ICO response

Healthcare Coalition on Data Protection

Standards of conduct, ethics and performance. July 2012

NOS for IT User and Application Specialist. IT Security (ESKITU04) November 2014 V1.0

NATIONAL PARTNERSHIP AGREEMENT ON E-HEALTH

STANDARDS OF PRACTICE (2013)

Guidance for Data Users on the Collection and Use of Personal Data through the Internet 1

Position Statement on Doctors' Relationships with Industry 2010

Multi-Jurisdictional Study: Cloud Computing Legal Requirements. Julien Debussche Associate January 2015

Cloud Security Trust Cisco to Protect Your Data

Information Sharing Policy

How To Protect Decd Information From Harm

Data Protection Act Bring your own device (BYOD)

Table of Contents. Page 1

(DRAFT)( 2 ) MOTION FOR A RESOLUTION

The potential legal consequences of a personal data breach

Governance. Information. Bulletin. Welcome to the nineteenth edition of the information governance bulletin

By Emily Hay and Jan Dhont, Data Privacy Department, Lorenz Brussels.

AlixPartners, LLP. General Data Protection Statement

The EFPIA Disclosure Code: Your Questions Answered

Response of the German Medical Association

Data Protection Act Guidance on the use of cloud computing

Emerging threats for the healthcare industry: The BYOD. By Luca Sambucci

Cloud Computing in a Government Context

Daltrak Building Services Pty Ltd ABN: Privacy Policy Manual

White Paper. Data Security. journeyapps.com

EFPIA position on Clinical Trials Regulation trialogue

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

Appendix 11 - Swiss Data Protection Act

Newcastle University Information Security Procedures Version 3

ACS CLOUD COMPUTING CONSUMER PROTOCOL. Response from AIIA

FISHER & PAYKEL PRIVACY POLICY

BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS

Intel Enhanced Data Security Assessment Form

OECD GUIDELINES FOR PENSION FUND GOVERNANCE

List of Guiding Principles Promoting Good Governance in the Pharmaceutical Sector 1

Privacy and Electronic Communications Regulations

Mobile Health Apps 101: A Primer for Consumers. myphr.com

Global Policy on Interactions with Healthcare Professionals

Accountability in Cloud Computing An Introduction to the Issues, Approaches, and Tools

Policy on the Appropriate Use of Telemedicine Technologies in the Practice of Medicine

Data Protection Act. Conducting privacy impact assessments code of practice

Medical Technologies and Data Protection Issues - QUESTIONNAIRE

Privacy fact sheet 17

Under European law teleradiology is both a health service and an information society service.

BEREC Monitoring quality of Internet access services in the context of Net Neutrality

Align Technology. Data Protection Binding Corporate Rules Controller Policy Align Technology, Inc. All rights reserved.

ALFI Code of Conduct for Luxembourg Investment Funds

BCS, The Chartered Institute for IT Consultation Response to:

The Information Commissioner s Office response to HM Treasury s Call for Evidence on Data Sharing and Open Data in Banking

4-column document Net neutrality provisions (including recitals)

International Working Group on Data Protection in Telecommunications

Transcription:

Response of the German Medical Association To the Green Paper on mobile Health ( mhealth ) of the European Commission Berlin, 3 July 2014 Bundesärztekammer Herbert-Lewin-Platz 1 10623 Berlin

We are grateful for the opportunity to contribute our answers to the questions set out in the Green Paper, and thus towards the development of a suitable regulatory framework for mhealth in Europe. In addition to our responses to the questions, we would first like to share the general concerns of the German Medical Association (GMA) regarding this topic. We would particularly like to point out that, due to its fundamentally positive stance towards mhealth, the Green Paper neglects to address some of the wide-ranging implications of mhealth for patient safety and data protection: Suitable definitions of the various concepts relating to mhealth are lacking in the Green Paper. Within the framework of the current political focus upon mhealth, the GMA asks the Commission to contribute towards the creation of a uniform terminology. In particular, the differentiation between lifestyle applications, on the one hand, and applications with require the medical expertise of physicians, on the other, should, in our opinion, be more clearly defined. Applications which fulfil the objective criteria of a medical device must be subject to the same regulation and certification which apply to other medical devices. There should be more emphasis upon data protection. From our point of view, this Green Paper does not sufficiently take into account the full implications of data collection in the medical field. This applies particularly to the multiple use of data. We would refer in this respect to the results produced by the Working Party set up under Article 29 of Directive 95/46/EC, which has already conducted valuable work on this complex topic. The GMA would also like to draw attention to the response submitted by the Standing Committee of European Doctors (CPME) to this public consultation, which highlights the crucial points that should be respected. Questions: Which specific security safeguards in mhealth solutions could help to prevent unnecessary and unauthorised processing of health data in an mhealth context? There should be maximum transparency. App developers should be obliged to disclose fully which data are collected, where they are stored, how they are protected and by whom, and for what purpose and with what consequences for the end user they are processed. In terms of data minimisation and purpose limitation, the possibility that data generated by mhealth apps are processed despite the fact that the apps themselves would not require any such processing needs to be excluded. Also, discount scenarios with incentives for consumers to disclose data should be prohibited. End-users willing to use mhealth apps should have the right to refuse the disclosure of their data to third parties. Consent to data disclosure should not be a prerequisite for making use of mhealth apps. In addition, we would like to refer to Opinion 02/2013 on apps on smart devices by the Article 29 Data Protection Working Party (adopted on 27 February 2013), which highlights the governing rules and principles applicable in data protection terms. How could app developers best implement the principles of data minimisation and of "data protection by design, and data protection by default in mhealth apps? This is a task for the operating systems and programming frameworks of the relevant mobile platforms like android and ios. They should support developers by adapting general programming tools so that by default: - All data stored on a mobile device are encrypted (protection in case of theft of the mobile device) - All data which are processed via a network are encrypted e.g. with TLS1.2 2

- The communication endpoints are authenticated - Backups in the cloud are always encrypted with secure keys derived from the user password In addition, we would like to refer to Opinion 02/2013 on apps on smart devices by the Article 29 Data Protection Working Party (adopted on 27 February 2013) which highlights the governing rules and principles applicable in data protection terms. What measures are needed to fully realise the potential of mhealth generated "Big Data" in the EU whilst complying with legal and ethical requirements? First and foremost, there needs to be a legal framework which provides clear rules on how data can be processed and used, thereby respecting and not weakening the governing rules and principles applicable in data protection terms (see Opinion 02/2013 on apps on smart devices by the Article 29 Data Protection Working Party) as well as the applicable ethical standards (e.g. informed consent - safeguarding the person s right to self-determination and thus his/her autonomy). This is of utmost importance, specifically when it comes to the multiple use of health data. Provided ethical requirements are met and legal safeguards are in place, multiple use may be viable to improve patient care, prevention and/or public health in the context of medical research. However, this requires complex solutions with governance structures in place that include an approval process by an independent research ethics committee. The exploitation and misuse of personal and sensitive data for other purposes (e.g. commercial uses) need to be prevented in all cases. Therefore, we suggest focussing on how to improve anonymisation and pseudonomisation techniques. Since effective anonymisation in a big data scenario is very difficult, research in this field, especially for big data analysis, should be promoted. One idea might be to strictly separate data custodians from data users. Is there a need to strengthen the enforcement of EU legislation applicable to mhealth by competent authorities and courts; if yes, why and how? Yes. Why: Current legislation enforces the classification and certification of a medical device only when the manufacturer declares it to be a medical device. Outside the mhealth market this system works because physicians and hospitals are obliged to use certificated medical devices in patient care. However, this is a problem for apps as a declaration as a medical device is not mandatory even when an app, by objective criteria, would clearly fall into the scope of the Medical Device Directive. The app market is a low cost market. The target group of the app market consists mainly of consumers and not health professionals. Consumers have no obligation to use certified medical devices for medical purposes. As a result, medical apps are usually not certified and can pose a risk to patient safety. App manufacturers often argue that a specific app is not intended for medical use but only for learning or entertainment. How: Legislation (e.g. the Medical Device Directive, MDD) should be adapted so that apps which fall into the scope of the MDD must be certified and regulated even though the manufacturer/developer of the app does not declare them to be medical devices. Legislation should be adapted so that: - mhealth apps providing medical information should disclose the identity, professional qualifications and conflicts of interest of the source of this information. - mhealth apps must provide a privacy statement informing consumers about which personal/medical data will be collected, transmitted or stored outside the mobile device and how these data are protected. In this respect we refer to the results produced by the Working Party set up under Article 29 of Directive 95/46/EC. 3

- mhealth apps must ask for permission before they transmit personal/medical data to third parties. Consent for data disclosure should not be a prerequisite for using a mhealth app. In this respect we refer to the results produced by the Working Party set up under Article 29 of Directive 95/46/EC. What good practices exist to better inform end-users about the quality and safety of mhealth solutions (e.g. certification schemes)? To our knowledge there are no established good practices to better inform end-users about mhealth apps. An approach similar to the HONcode (Health on Net Foundation) could possibly be appropriate. Which policy action should be taken, if any, to ensure/verify the efficacy of mhealth solutions? If apps are to be used or even prescribed in patient care then the efficacy should be proved as with other medical devices, e.g. by means of randomised controlled trials. How to ensure the safe use of mhealth solutions for citizens assessing their health and wellbeing? When patient health could be at risk, regulation is needed, e.g. as a medical device. For apps providing medical information, there should be mandatory disclosure of the identity, professional qualifications and conflicts of interest of the source of the information. Do you have evidence on the uptake of mhealth solutions within EU's healthcare systems? There are reports of some successful mhealth projects in patient care. To our knowledge there is no strong evidence yet on the uptake of mhealth solutions in European healthcare systems. What good practices exist in the organisation of healthcare to maximise the use of mhealth for higher quality care (e.g. clinical guidelines for use of mhealth)? To our knowledge, good practices with strong evidence for raising the quality of patient care do not yet exist. Do you have evidence of the contribution that mhealth could make to constrain or curb healthcare costs in the EU? No. What recommendations should be made to mhealth manufacturers and healthcare professionals to help them mitigate the risks posed by the use and prescription of mhealth solutions? We would recommend that healthcare professionals use mhealth solutions that are certified in terms of patient safety and efficacy - by a trustworthy and independent organisation. For mhealth solutions providing medical information, they should consider checking the professional qualifications and reputation of the source of the information, as they would do with a scientific publication. Could you provide specific topics for EU level research & innovation and deployment priorities for mhealth? Research and innovation should be promoted in the following areas: - Privacy, pseudonymisation and anonymisation in big data settings - Information security for mobile applications 4

- mhealth and patient safety - Best practices for mhealth services - Cost-benefit analysis of mhealth apps Is it a problem for web entrepreneurs to access the mhealth market? If yes, what challenges do they face? How can these be tackled and by whom? The large amount of ehealth apps suggests that there are no barriers to access the mhealth market. 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information