Successfully reported this slideshow.

GDPR and eHealth for the pharma industry (VFenR presentation)

2

Share

1 of 36
1 of 36

More Related Content

Similar to GDPR and eHealth for the pharma industry (VFenR presentation)

Related Books

Free with a 14 day trial from Scribd

See all

Related Audiobooks

Free with a 14 day trial from Scribd

See all

GDPR and eHealth for the pharma industry (VFenR presentation)

  1. 1. EHEALTH AND GDPR VFenR - AVG wie doet er mee 24 mei 2018 Erik Vollebregt www.axonadvocaten.nl
  2. 2. GDPR hateful eight Connected health related top 8 points of attention: 1. Informed consent criteria 2. Data concerning health scope 3. Right to be forgotten (applies to commercial collection of health data) 4. Impact assessment (and privacy by design) • For data concerning health • In case of profiling 5. Profiling requirements • including right to object if processing significantly affects data subject 6. Data portability right of user 7. Security requirements 8. Export of data to extra-EU jurisdictions
  3. 3. Health data case study • DPAs already take expansive view of health data • Performance data becomes health data
  4. 4. GDPR’s Hateful 8 Connected health related top 8 points of attention: 1. Informed consent criteria 2. Data concerning health scope 3. Right to be forgotten (applies to commercial collection of health data) 4. Impact assessment (and privacy by design) • For data concerning health • In case of profiling 5. Profiling requirements • including right to object if processing significantly affects data subject 6. Data portability right of user 7. Security requirements 8. Export of data to extra-EU jurisdictions
  5. 5. Consent-based business model tricky ‘GDPR: ‘means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’ Recitals 32, 42 and 43 GDPR • silence, pre-ticked boxes or inactivity do not constitute consent • Processing for multiple purposes? Consent should be given for all of them! • Controller must be able to prove valid consent was obtained and provide intelligible consent language • Consent invalid “in a specific case where there is a clear imbalance between the data subject and the controller” 7
  6. 6. Scope of ‘health data’
  7. 7. When is health data anonymous? WP 216 on Anonymisation Techniques (para 2.2): • Anonymisation is further processing personal data with the aim of irreversibly preventing identification of the data subject. • Several anonymisation techniques may be envisaged, there is no prescriptive standard in EU legislation. • Importance should be attached to contextual elements: account must be taken of “all” the means “likely reasonably” to be used for (re-) identification by the controller and third parties • A risk factor is inherent to anonymisation: this risk factor is to be considered in assessing the validity of any anonymisation technique – pseudonomisation is not anonymisation (e.g. if linkable through datasets)
  8. 8. Research – ‘Right to be forgotten’ Article 17 (1) GDPR: The data subject has the right to obtain the erasure of personal without undue delay from the controller. The ‘right to be forgotten’ ONLY does not apply if the processing takes place: ‘for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing.’ (article 17 (3) (d) Right to be forgotten does apply in all commercial processing of health data for the purpose of services!
  9. 9. Privacy by design and default, PIAs
  10. 10. Impact Assessment Article 35 • PIA prior to processing • Authorities will make lists of operations subject to PIA • Prior consultation of DPA regarding residual risks (article 36)
  11. 11. Impact Assessment
  12. 12. Profiling requirements • Profiling based on health data -> always PIA • 'profiling' means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements; • Data subject must be informed • Article 22: right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, unless • decision is necessary for performance or entering into contract • decision is based on explicit consent • AND: • explicit consent in case of profiling based on health data • suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place
  13. 13. Data portability right • Controller must inform data subject about right, and:
  14. 14. Security Data controllers and processors should implement appropriate technical & organizational measures to protect data from loss or any form of unlawful processing • Article 32 defines security principles Security measures must take into account (recital 78): • Nature of the data to be protected and consequences of security breach • State of the art • Security by design • Aim to prevent unnecessary collection and further processing of personal data • Overriding principle: Plan-Do-Check-Act • Data breach notification (article 33/34) • to DPA (<72 hours) and to data subject • processor must inform controller
  15. 15. Export Chapter 5 Export only with legal basis: • Adequacy decision (or Privacy Shield) • Appropriate safeguards (BCR and SCCs) ensuring third party rights for data subjects, approved code or certification mechanism • Specific situation • informed consent • necessary for performance of contract
  16. 16. Known unknowns and wide open doors • This means that member states can still require geofencing, hosting accreditation and things like that for processing of genetic, biometric and/or health data! • Only restriction is that these cannot be contrary to the requirements of the internal market and must be proportionate
  17. 17. Bonus slides on GDPR implementation in NL
  18. 18. What’s interesting in the AVG implementation act? Article 19 – cooperation protocols with other CAs in NL (typical Dutch thing) Exercise of discretion under article 9 (4) GPDR: Article 24 UAVG re processing that is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law - additional requirements in Article 24 (b), (c) and (d): Research must be in general interest Asking consent must be impossible or prohibitively difficult Safeguards against unjustifiable damage to data subjects privacy Seems to exclude commercial research given general interest criterion What about vigilance and PMS data?
  19. 19. What’s interesting in the AVG implementation act? Exercise of discretion under article 9 (4) GPDR: Article 30 IAVG – exceptions re data concerning health Processing of data concerning health allowed for government, pension funds, employers or institutions active on their behalf for execution of tasks and re- integration (Art 30 (1) – article 9 (2) (b) GDPR) – implementation of secrecy like in article 9 (2) (h) GDPR Processing of data concerning health allowed by schools and rehabilitation services insofar as necessary for their tasks (Art 30 (2) – implementation of secrecy like in article 9 (2) (h) GDPR Processing of data concerning health for HCP, health institutions and social services insofar as necessary for their tasks and insurance companies (Art 30 (3) – article 9 (2) (h) GDPR) Processing on the above three bases only by persons under professional or contractual secrecy (Article 30 (4)) Unclear if this includes contractual third parties referred to in Article 9 (2) (h) GDPR (service providers to HCPs and health institutions) If treatment or care require it then processing of data concerning health can be mixed with processing of other categories of sensitive data (Article 30 (5) Issue
  20. 20. What’s interesting in the AVG implementation act?Convenient implementation table to check exercise of national discretion
  21. 21. Bonus slides on cybersecurity and GDRP – MDR overlaps
  22. 22. General EU current security regulations and standards: data protection • Protection against e.g. alteration and unauthorized access have everything to do with cybersecurity, as these impact directly on safety and performance of the device. • Non harmonization of the Data Protection Directive is a big problem because it leads to the situation of member states taking different views on security terms requirements. • Dutch NCA refers to ISO 27000 family as informal harmonised standard • Dutch sauce ISO 27002 mandatory standard in Dutch healthcare market (NEN 7510, 7512 and 7513)
  23. 23. General EU security regulations and standards • Currently authorities mainly approach cybersecurity issues via Data Protection Directive, which features a secutiry regime in Article 17(1):
  24. 24. Privacy by design obligations for medical devices • WP 223: Controller has responsibility for security of IoT devices • Parties purchasing OEM devices and solutions will want privacy by design compliance warranties
  25. 25. Privacy by design obligations for medical devices WP 223 on end of life devices and remote monitoring / measuring devices
  26. 26. Concurrent privacy by design requirements under GDPR • General Data Protection Regulation has already entered into force, transitional period ending 25 May 2018 • Will apply to any device that processes personal data, both on hardware and software level – possible overlaps with MDR • Requires privacy by • Design • Default • Requires cybersecurity measures, but so does the MDR • GSPRs 17.1, 17.2 and 17.4
  27. 27. GDRP security thinking Recital 81: “the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of this Regulation, including for the security of processing. ”
  28. 28. GDPR security thinking • Under the MDR / IVDR costs of implementation are irrelevant for risk reduction (AFAP principle in GSPR 2)
  29. 29. Security requirements
  30. 30. Security design requirements (art. 32) Controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. Take account of risks that are presented by processing, e.g. accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
  31. 31. Overlap of risks and different approaches MDR / IVDR • Security by design aimed to safeguard safety and performance (Safety, Reliability and Availability (SRA) for cyber physical systems) GDPR • Security by design and default aimed at data integrity (Confidentiality– Integrity–Availability (CIA) for corporate processes) Map security risks under GDPR that are also (partially) safety and performance risks under MDR / IVDR • Those risks are subject to AFAP reduction by means of design insofar as they concern the device (GSPR 2 and EN ISO 14971:2012 ZABC annexes)
  32. 32. Overlap of risks and different approaches - nice model GDPR orientation MDR / IVDR orientation
  33. 33. It all starts with a PIA and selection of approaches based on that Mandatory and prior to processing if processing is likely to result in a high risk to the rights and freedoms of natural person, especially in case of (a) systematic and extensive evaluation of personal aspects relating to natural persons based on automated processing (incl. profiling), and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; (b) processing on a large scale of special categories of data (e.g. health); or (c) systematic monitoring of a publicly accessible area on a large scale • Mandatory advice of the data protection officer required • Authorities to specify what processing subject to PIA
  34. 34. www.axonlawyers.com THANKS FOR YOUR ATTENTION Erik Vollebregt Axon Lawyers Piet Heinkade 183 1019 HC Amsterdam T +31 88 650 6500 M +31 6 47 180 683 E erik.vollebregt@axonlawyers.com @meddevlegal B http://medicaldeviceslegal.com READ MY BLOG: http://medicaldeviceslegal.com

Editor's Notes

  • Potential future health status: any information where there is a scientifically proven or commonly perceived risk of disease in the future, such as obesity, blood pressure, personal habits involving tobacco, alcohol or drugs

    Past, current and future health status
  • Not sure how this will work out in practice!
  • ×