May 25th 2018, EU GDPR (General Data Protection Regulation) comes into force. The basis of GDPR, which replaces PuL (Personuppgiftslagen) is that the individual person owns the personal data and others can only process it, i.e. collect, store and process the data, if granted permission from the individual (consent) or have another legal basis for treating the data.
Hence, GDPR covers all the processing of personal data, but some parts are to be supplemented by national law. For E-care@home, which conducts research, it is necessary to be aware of two additional laws: Forskningsdatalagen (Personuppgiftsbehandling för forskningsändamål SOU 2017:50) and the Ethics Assessment Act (Etikprövningslagen 2003:460). The purpose of these two laws is to enable personal data processing for research purposes while protecting the individual’s rights and freedom.
In order to strengthen the work on personal integrity, the Swedish government is increasing the budget for Datainspektionen (The Swedish Data Protection Authority) with 30 million SEK. The new name of the authority will be Integritetsskyddsmyndigheten, and in addition to its prior tasks, Integritetsmyndigheten will have a more supportive and advisory role than Datainspektionen has had.
Ringholm bv, a group of European experts in the field of messaging standards and systems integration in healthcare IT, with a basis in Gothenburg, provides an insight on how the new law will have an impact on the use of interoperability standards within the healthcare system:
- Valid consent must be explicit for the data collected and for what purposes the data is used.
- The individual has the right to request erasure of personal data.
- The individual has the right to transfer the personal data from one electronic processing system to another without being prevented by the data controller.
- The data controller should provide data in a commonly used Open Standard electronic format.
- Privacy by design and by default applies.
While there is currently no plan for collecting information about people the E-care@home distributed research environment is designed to perform research on selected fundamental issues in semantic interoperability with a particular focus on:
1) human-machine interoperability, that is to say how to enable users to query and control the IoT infrastructure on meaningful terms that are human interpretable and compatible with e.g. electronic health records; and
2) testing the research results on a technical platform which is embedded in the Internet of Things that provides information with an unambiguous, shared meaning across IoT devices, elderly residents, relatives, health-and-care professionals and organizations and various personal information repositories and the various electronic health records associated with those.
Therefore, GDPR is taken into consideration when developing APIs and databases so as to ensure that information that is stored can be accessed and ported if the system reaches a mature state.
Directive (EU) 2016/680 (GDPR) is available in multiple languages here: http://eur-lex.europa.eu/eli/dir/2016/680/oj
Ringholm bv’s additional comments on GDPRS impact on the use of interoperability standards is available here: http://www.ringholm.com/column/GDPR_impact_on%20healthcare_data_interoperability.htm