ATHENS - New rights for citizens and enhanced protection of personal data are brought by the new General Data Protection Regulation (GDPR) within the
ATHENS – New rights for citizens and enhanced protection of personal data are brought by the new General Data Protection Regulation (GDPR) within the EU, which came into force on 25 May, and new national regulations are expected to be introduced, which will specify the implementation of the provisions of the CPVO in the Greek legal order. The Health Ministry has already appointed a Data Protection Officer and is taking action on the logic of full compliance with the provisions of the CIS.
But what exactly does the implementation of the new Health Regulation, which is “full of personal and sensitive data” with particular weight and significant “surplus value”? How prepared are the services for the effective protection of personal data, but also the Citizens themselves?
Greek Minister Giorgos Stefanopoulos, expert advisor of Information Technology responses to ANA-MPA (Athens News Agency-Macedonian Press Agency).
What are the personal data concerning Health?
“Data from the General Data Protection (CGD) regulation defines health data: these are personal data related to a person’s physical or mental health and are generated, recorded and processed in the course of the provision of health care services, and which reveal information about his state of health “.
The high surplus value of the data
“By avoiding the classic form of paperbacking of our history from healthcare professionals and healthcare institutions and by joining the digital world of information conservation and processing, the issue of sensitive personal data and civil protection is becoming more vigorous because of the ease of gathering, increasing their volume at local and central level and hence risks of leakage and malicious attack.
The penetration of technology in healthcare has undoubtedly led our country to gather at local or national level large data of health. Therefore, beyond the benefits in terms of support for care and the patient, we must take seriously all possible risks and therefore the necessary measures to protect the citizens themselves. I would not hesitate to compare personal health-related data as a surplus of oil for the Gulf countries. ”
“The healthcare area is full of personal and sensitive data, which concerns every person in whom health services are provided (whether or not they are socialy insured), but also to every healthcare professional.
The processing of these data on the basis of existing legislation – be it electronic or printed – does not only mean the need to comply with the existing legislative framework but also an essential condition for the provision of health services respecting human dignity. A patient-centered system of health care services, from public and private bodies, must ensure the protection of personal data, primarily from patients and healthcare professionals.
We have been and are constantly concerned with our issue, especially with eGovernment and eHealth, and we have an obligation to design realistic and serious strategies that will lead to services and applications of horizontal and national character to enhance healthcare for the population, strengthening public health, creating supportive policy documentation tools and delivering services that simplify citizens’ contact with the National Health System.
The substantial protection of personal data is therefore the primary policy choice and concern of the Ministry of Health and has been taken into account in any new action with the serious cooperation of the Personal Data Protection Authority (ADAPP) and the General Secretariat for Digital Policy. ”
Defining the Data Protection Officer
The conditions for the designation of the Data Protection Officer (DPO) are defined in the CIS in Article 37. Obligatory is defined especially when the processing is carried out by a public authority or body and when the principal activities of the controller or the processor are large scale processing of sensitive personal data, such as those relating to health. The political decision of the Ministry of Health – given the seriousness of the issue and the organizational structure and size of the supervised entities – was first to appoint a Data Protection Officer to the Ministry to participate in the planning and implementation of the necessary actions for effective protection personal data in the field of Health, public and private. For this reason, Mr. Dimitrios Zografopoulos, a law specialist of the Personal Data Protection Authority, has already been deployed to the Ministry of Health in order to take on this difficult role. With his help, we design and organize the definition of Data Protection Officers in each supervised legal person who meets the criteria of the CIS, in every Health District and in every public hospital in the Country. Accordingly, a DPO should be defined for each legal entity providing private health services.
Also, a relevant circular is being drafted which will be sent to all the supervised entities within the next few days in an effort to explain the context and tasks of the Managers, the preparation of the agencies, the mapping of personal data and the guidelines for the design of the impact studies as defined the CPC.
Also, within the next few months, we believe that we will be able to launch a series of training seminars on training the Data Protection Officers of the agencies and that is why we are also in touch with the EHIC.
We therefore believe that the Ministry of Health is moving properly and consistently in the logic of full compliance with the provisions of the CIS.
The key to implementing a serious policy of safeguarding personal data
“It is common ground that, although we have been special legislation for the protection of personal data since 1997, there are clearly significant room for improvement since 1997, concerning the overall framework for the management and processing of personal data, of Health. As a country, we really need to recognize that we are back in front of the other Member States and I think this sincere statement must act as a catalyst to take the necessary steps. I will not embarrass the situation but I have to admit that our country has gone through various paths and continues to go through a difficult path of fiscal adjustment and certainly it has affected our priorities as a state and our citizenship logic.
But I am sure that any new legislation is deemed necessary, it will be enacted. But here I will allow you to mention – as I have found during these three years that I support the Ministry of Health in the field of eGovernment that the solution to the issue and problems in general is not only a question of the existence of effective legal rules. Surely a proper legal framework of a national nature is a prerequisite, but the existence of a proper organizational model of operation is equally important. And I focus on the organization that concerns the existence and implementation of proper procedures and mainly on our general culture as healthcare professionals and as Citizens. Unfortunately, our country is difficult to implement and adopt standard procedures. I will focus in particular on the concept of Citizen and I will emphasize that every European Action focuses on the vigilance and the strengthening of the role of the Citizen, and this is not accidental. I think this is the key to implementing a serious policy of safeguarding personal data. This policy starts and ends with the Citizen. He is the owner of his data and he should know why a Healthcare System supports the recording and processing of his data, what benefit they will have from him and how much they will simplify his daily life and increase his degree of service and support health condition “.
The protection of personal data must become a lifestyle
“Our view is that we have to get to a level where effective protection of personal data will be less a matter of legal coercion and more of a mentality and attitude of life. We are therefore also called upon, when implementing the regulation, to develop a culture of effective protection of personal data, particularly in the field of public health.
Patients should feel confident about the effective protection of their personal data by healthcare providers, both public and private. To achieve this goal, the effort and the active contribution of all healthcare professionals are required. Every healthcare professional should be aware that effective protection of personal data is not only an ethical commitment but also a clear legal obligation, the breach of which implies sanctions (disciplinary, criminal, civil). ”
The danger of the emergence of a Big Brother orgellarian nightmare
“Clearly, the role of the State is to continually strive to deliver better and better health services and to ensure a high level of health of the population through the National Health System (public and private). In this direction, the large health data of the population, the large data of the functional and economic elements of the health units, which we collect with the use of modern technologies and computer systems, contribute to this great extent.
We must therefore balance and balance fully the democratic rights of the citizen and the health professional, ensure the use of public money and public resources, and the functioning of a modern state on terms and rules of serious e-government, with the ultimate goal of continuing upgrading of provided health care services to the population.
The danger of the emergence of an Orwellian Big Brother nightmare must always be at the back of our minds and that is why I believe that defending the democratic right through the protection of the personal data of the citizens finds us perfectly in agreement and the new Regulation comes perhaps at the most appropriate time to indicate our shortcomings, the needs of our immediate interventions, and our continued vigilance over the dangers behind the flawed design at security level and efficiency of state services’.
Source : ANA-MPA