COCIR contribution to the public consultation on Personal Data Protection in the EU 1



European Coordination Committee of the Radiological, Electromedical and Healthcare IT Industry
Bd. A. Reyers 80, 1030 Brussels, Belgium
Register ID number: 56324223008-74

COCIR represents the European Medical Diagnostic and Imaging, Electromedical and Healthcare IT Industry. Our industry offers healthcare IT solutions that support the safe, fast and seamless transfer of medical data in support of quality healthcare, for the benefit of patients and medical professionals.

In this respect COCIR welcomes the initiative to review the personal data protection legal framework in the EU and sees it as an opportunity to improve the consistent enforcement of patients' right to privacy while ensuring the free flow of information and the availability of the medical data needed for patient safety. This paper responds, in the detailed briefing that follows, to those proposals of the Communication that relate to healthcare IT. We would also like to draw the Commission's attention to four major matters when strengthening data protection:

1. Ensuring availability of data and patient safety: Timely and optimal healthcare depends on the availability of reliable, comprehensive health data. Availability of medical data is crucial for delivering emergency care, telehealth services, remote maintenance of IT systems, clinical research and public health research. COCIR therefore calls on the Commission to propose legislation that strengthens data protection without creating barriers to the free movement and processing of medical data, which would inevitably hamper patient safety. See examples 1 and 2 in the annex for more detail.

2. Citizens' right to decide how their data is handled: Medical data is sensitive data. It should not be accessible to those without authorisation, but it must be available to enable healthcare delivery. COCIR therefore suggests that the forthcoming EU legislation clarify citizens' consent and their right to decide how their medical data is handled.

3. Need for better harmonisation of data protection rules across the EU: COCIR calls on the Commission to reduce the administrative barriers faced by global entities attempting to comply with several country-specific data protection laws when delivering health services or maintaining IT systems that hold critical health data. This would allow for an efficient system in which data flows securely, raise citizens' confidence in the data protection framework and eliminate the current barriers to trade in the internal market. See example 3 in the annex.

4. Healthcare organisations should have controls in place to ensure the adequate and safe use of healthcare information technology (HIT): Any technical solution can be compromised if users ignore or circumvent the policies or procedures that apply to it. To avoid this, every organisation using health information technology must have policies and procedures in place that assign responsibilities to the different roles making up a workflow and specify which controls must be enabled in the HIT system. COCIR recommends that the forthcoming legislation encourage the establishment of effective security controls in healthcare settings and address the misuse of IT tools by users.

1 http://ec.europa.eu/justice/news/consulting_public/news_consulting_0006_en.htm

1 of 5 13 January 2011

DETAILED BRIEFING

Hereafter are the responses to the various proposals of the Communication that are relevant to the medical diagnostic and imaging, electromedical and healthcare IT industry sector.

Section 2.1.2 - Increasing transparency for data subjects

Introducing a general principle of transparent processing of personal data in the legal framework

COCIR agrees with the principle of transparent processing but notes that implementing the principle can be difficult. During a patient visit, the healthcare professional can explain to the patient why their information is being collected, but it becomes difficult and technical to explain how the data will be processed, who will have access to it, which servers it will pass through, or where and for how long it will be archived. COCIR would recommend a simple, low-burden approach to this matter, such as a notice informing patients about the life cycle of their data (who, when, where, how and why). Such a notice could be developed and delivered by healthcare providers.

Introducing a general personal data breach notification in the legal framework

COCIR welcomes the proposal to introduce a mandatory personal data breach notification. Current technology developed by our industry allows breaches to be detected and reported to the relevant authorities. COCIR notes, however, that organising data breach notification at national level could lead to differing definitions of a data breach and differing types of notification, which would be costly and burdensome. COCIR thus calls for harmonisation and recommends:

- a common data breach definition at EU level;
- a common procedure for breach notification across the EU;
- clear guidelines explaining when to notify, how to notify and to whom.

Where a personal data breach affects more than one Member State, COCIR recommends that it be reported to a single body (instead of to the DPAs of the various countries), such as the Article 29 Working Party.

Section 2.1.3 - Enhancing control over one's own data

Introducing the principle of data minimisation in the legal framework

COCIR calls for caution on the principle of data minimisation and draws the Commission's attention to three separate scenarios:

Scenario 1: Use of data for the treatment of a patient

In the case of a referred patient, some data (such as symptoms or medication history) may seem unrelated to the referral and could thus, under the principle of data minimisation, be removed from or blocked in the dataset accessible to a medical professional. In medicine, however, all findings and symptoms can be related to each other, and, with the consent of the patient, all historic health data should be available to healthcare professionals. Stricter access and storage rules resulting from data minimisation would limit the available data and could lead to wrong diagnosis or treatment. COCIR thus recommends that all existing data be available for the treatment of a patient. See example 1 in the annex.

Scenario 2: Use of data for secondary purposes with patient consent

Medical data, or portions of it, collected during the treatment of a patient could be used, if anonymised and with the patient's consent, for various secondary purposes (e.g. university education, clinical decision support, public health research). In this scenario COCIR recommends that only the data for which the patient has given consent be used. See example 2 in the annex.

Scenario 3: Use of data for secondary purposes as a policy without patient consent

Medical data, or portions of it, collected during the treatment of a patient can be used for secondary purposes (e.g. university education, clinical decision support, public health research) if the hospital or healthcare provider decides, as an organisational policy, that anonymised data may be used for secondary purposes and communicates this clearly to the patient.

COCIR thus recommends a certain level of flexibility in the principle of data minimisation, so that it can be adapted to the various situations and needs of healthcare, public health research and health education.

Section 2.1.5 - Ensuring informed and free consent

Ensuring free and informed consent

COCIR warmly welcomes the proposal to clarify and strengthen the rules on data subjects' consent and information. Please see our positions on patients' informed consent under Sections 2.1.2 and 2.1.3.

Section 2.1.6 - Protecting sensitive data

Clarifying and harmonising the conditions allowing for the processing of sensitive data

COCIR welcomes the initiative to reassess the existing conditions and safeguards for the processing of sensitive data, to ensure they are in line with citizens' right to privacy (Article 8.3 of Directive 95/46/EC) and to harmonise these conditions within the EU. In this process COCIR invites the Commission to take stock of modern and effective data protection techniques, for instance modern encryption of data. With such technologies in place, processing sensitive data need not expose it to unauthorised access, and processing through appropriate service providers (e.g. processing and storing medical data on third-party servers) should therefore be allowed. Please see example 3 in the annex.

Section 2.2 - Internal market dimension

Harmonisation of data protection rules across the EU

COCIR welcomes the Commission's actions towards aligning the framework for national data protection legislation, which is currently quite fragmented at Member State level. The Single Market would benefit significantly from a uniform and aligned implementation of data protection rules in the EU Member States. Please see example 3 in the annex.

At this time, experts in other regions of the world are similarly discussing data protection matters, which may result in global data protection standards, e.g. published under the lead of IEC with potential contributions from ISO (e.g. the ISO 2700x family) as well as from fora and consortia. In that respect a "new approach" method would help clarify the appropriate implementation measures, reduce barriers to trade and strengthen citizens' confidence. COCIR members are willing to support this approach by contributing to international standards for harmonisation and through modern ICT solutions. COCIR recommends the adoption of global standards in the forthcoming legislation and the establishment of an implementation mechanism with clear guidelines to ensure consistent enforcement of the forthcoming legislation in all EU Member States. COCIR also calls on the Commission to liaise with other international bodies developing guidance on data protection, such as the OECD.

Section 2.2.4 - Enhancing data controllers' responsibility

Promoting the use of privacy enhancing technologies (PETs) and the privacy by design principle

COCIR welcomes the proposal to promote the use of PETs and the privacy by design principle, and notes that these technologies are already widely used and implemented. In the field of healthcare, however, we are concerned that excessive security might impede the free flow of data, and strongly recommend that strengthened security rules and processes should not impede the availability of medical data, which is important for patient safety.

Possible creation of an EU certification scheme for privacy-compliant processes/technologies/products/services

COCIR welcomes the creation of an EU certification scheme in the security field as a step towards more and better security. COCIR encourages the certification of security procedures based on industry best practices (e.g. ISO 27001) and recommends using public and private certification auditors for these certification activities.

Annex: examples of situations in Germany where current data protection rules have proved burdensome

Example 1: Flow of information between hospital and ambulatory settings

In Germany there is a strict division between the hospital sector and the ambulatory sector. Data protection officers do not allow patient data to flow in cross-sectoral care processes unless there is an integrated care contract between the hospital and the general practitioner. Such contracts cover only about 1% of the population. Wherever such agreements are not in place (99% of the population), German physicians cannot access patient information gathered elsewhere, for instance at the hospital, even if the patient has given consent.

Example 2: Sharing patient medical history between practitioners

Some drugs can be dangerous or even fatal in combination with other drugs. For instance, the combination of different cholesterol-lowering drugs can lead to renal failure and sometimes death, and the combination of Viagra with blood-pressure-lowering drugs can lead to renal failure and heart attack. Such combinations have led to hundreds of casualties in Germany because the doctors prescribing those drugs did not know that their patient was taking other medication prescribed by another doctor. The Lipobay scandal (a cholesterol-lowering drug) triggered the German national eHealth card programme in 2003 and the adoption of a law in 2006, because the government considered it of great value to have anonymised medication data available to recognise patterns, detect problems early, size a problem, predict problems, or educate and support physicians at the point of care. Implementation is lagging, however, because data protection authorities want to allow the patient to hide some of the information held on the card. This would defeat the purpose of the eHealth card, as doctors would have access to only limited information on the patient's medication history.

In this example, patients, doctors, health authorities and the pharmaceutical industry were all victims of the situation: patients suffered adverse health effects; health authorities did not react in time, as the link between the different drugs was made only after a delay; doctors prescribed drugs that they would not have prescribed had they had complete information on their patient; and the pharmaceutical industry had to pay substantial indemnities (Bayer alone had paid indemnities of USD 125 million by 2003, and its stock price fell significantly), which could have been avoided.

Example 3: Higher cost for storing data in a German Land

Data protection authorities in Schleswig-Holstein (SH) in Germany prohibit several IT implementations supporting healthcare, even though these applications are approved, sold and operated in other Länder with no security breaches reported to date. The SH data protection authorities consider that servers hosting data as "external third parties" are not allowed to receive, store or process medical data, even if the server infrastructure is operated under tight contractual security and auditing obligations (as in the other Länder) and even if the patients have given their consent to this type of application. As a result, healthcare providers in SH face higher IT costs, not only for purchasing storage at each site but also for operating highly available, high-performance, highly protected data storage centres.