Osio workshop: Data Protection Regulation and Health Care
0 likes682 views
The document summarizes key aspects of the proposed EU Privacy Regulation update. It discusses the original goals of updating existing regulations to account for technological changes and increase citizen and data protection authority rights. However, heavy lobbying from US tech companies and governments has watered down some proposals. Key features of the updated regulation include strengthened definitions, data protection by design, breach notification requirements, data portability and access rights, the right to erasure, and an expanded international scope. Sensitive health and biometric data have additional protections and research has new consent standards. Non-compliance penalties were increased up to 100 million Euro fines.
Osio workshop: Data Protection Regulation and Health Care
- 1. EU Privacy Regulation Update Dr. Ville Oksanen 18.4.2014 18. maaliskuuta 14
- 2. Who’s talking.. • L.LM. , Ph.D. (Technology law) • At TKK (Aalto) since 2001 • At Helsinki University since 2009 • Partner, Turre Legal • Founder, Electronic Frontier Finland - Currently Vice Chairman • Blogger - “Lex Oksanen” 18. maaliskuuta 14
- 3. Privacy regulation updata 18. maaliskuuta 14
- 4. Original goal • To update the existing regulation to meet the change in technologies • To give more rights to both citizens and also data protection authorities 18. maaliskuuta 14
- 5. However.. • “Regulatory capture” in action • Heavy lobbying from e.g. • U.S Government • Facebook, Google etc. • To water down the proposal 18. maaliskuuta 14
- 10. Key features • “Clarified definitions • Data protection by Design • Accountability + Notification of breaches • Portability + Right to Access (for free) • Right to Erasure • International regulatory scope? 18. maaliskuuta 14
- 11. Sensitive data (Article 9) • ...revealing race or ethnic origin, political opinions, religion or philosophical beliefs, sexual orientation or gender identity, trade-union membership and activities , and the processing of genetic or biometric data or data concerning health or sex life, administrative sanctions, judgments, criminal or suspected offences, convictions or related security measures • (h) processing of data concerning health is necessary for health purposes and subject to the conditions and safeguards referred to in Article 81; or • (i) processing is necessary for historical, statistical or scientific research purposes subject to the conditions and safeguards referred to in Article 83; or 18. maaliskuuta 14
- 12. Right to access and to obtain data 2a. Where the data subject has provided the personal data where the personal data are processed by electronic means, the data subject shall have the right to obtain from the controller a copy of the provided personal data in an electronic and interoperable format which is commonly used and allows for further use by the data subject without hindrance from the controller from whom the personal data are withdrawn.Where technically feasible and available, the data shall be transferred directly from controller to controller at the request of the data subject. 18. maaliskuuta 14
- 13. Profiling • Highly visible notification about right to object • Definition:“ 'profiling' means any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person or to analyse or predict in particular that natural person’s performance at work, economic situation, location, health, personal preferences, reliability or behaviour; 18. maaliskuuta 14
- 14. Data protection by Design Article 23: ”...Data protection by design shall have particular regard to the entire lifecycle management of personal data from collection to processing to deletion, systematically focusing on comprehensive procedural safeguards regarding the accuracy, confidentiality, integrity, physical security and deletion of personal data.” 18. maaliskuuta 14
- 15. Right to Erasure • Most controversial feature • Many open questions • Practical (backups? Who pays the costs) • Content spesific (photographs? Discussions?) • Application to data given to 3rd parties? 18. maaliskuuta 14
- 16. Respect to Risk • “The controller .. shall carry out a risk analysis of the potential impact of the intended data processing on the rights and freedoms of the data subjects, assessing whether its processing operations are likely to present specific risks.” • “(d) processing of personal data for the provision of health care, epidemiological researches, or surveys of mental or infectious diseases, where the data are processed for taking measures or decisions regarding specific individuals on a large scale;” 18. maaliskuuta 14
- 17. Designation of the data protection officer • 1. The controller and the processor shall designate a data protection officer in any case where: • ..d) the core activities of the controller or the processor consist of processing special categories of data pursuant to Article 9(1), location data or data on children or employees in large scale filing systems. 18. maaliskuuta 14
- 19. Penalties • “At least” 18. maaliskuuta 14
- 20. Penalties • “At least” • “a warning in writing in cases of first and non-intentional non-compliance; 18. maaliskuuta 14
- 21. Penalties • “At least” • “a warning in writing in cases of first and non-intentional non-compliance; • regular periodic data protection audits; 18. maaliskuuta 14
- 22. Penalties • “At least” • “a warning in writing in cases of first and non-intentional non-compliance; • regular periodic data protection audits; • a fine up to 100 000 000 EUR or up to 5% of the annual worldwide turnover in case of an enterprise, whichever is higher. 18. maaliskuuta 14
- 23. Article 80a: Access to documents • National law • “Reconciles the right to the protection of personal data with the principle of public access to official documents.” • Notification to the Commission 18. maaliskuuta 14
- 24. Processing of personal data concerning health • Based on law (EU or national) • “consistent, and specific measures to safeguard the data subject's interests and fundamental rights, to the extent that these are necessary and proportionate , and of which the effects shall be foreseeable by the data subject” 18. maaliskuuta 14
- 25. 3 categories of data • “preventive or occupational medicine, medical diagnosis, the provision of care or treatment or the management of health-care services” • “reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety • “other reasons of public interest in areas such as social protection, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system” 18. maaliskuuta 14
- 26. Research exceptions • Consent required • “Where the data subject's consent is required for the processing of medical data exclusively for public health purposes of scientific research, the consent may be given for one or more specific and similar researches.” • Anonymisation or pseudonymisation under the highest technical standards 18. maaliskuuta 14
- 27. Article 83 Processing for historical, statistical and scientific research purposes 1. In accordance with the rules set out in this Regulation, personal data may be processed for historical, statistical or scientific research purposes only if: (a) these purposes cannot be otherwise fulfilled by processing data which does not permit or not any longer permit the identification of the data subject; (b) data enabling the attribution of information to an identified or identifiable data subject is kept separately from the other information under the highest technical standards, and all necessary measures are taken to prevent unwarranted re-identification of the data subjects. 18. maaliskuuta 14
- 29. Questions? Comments? ville.oksanen@aalto.fi-- twitter: villoks 18. maaliskuuta 14