SlideShare a Scribd company logo

GDPR and eHealth for the pharma industry (VFenR presentation)

Download as PPTX, PDF
Erik Vollebregt, profile picture
Erik Vollebregt

The document discusses key points of attention regarding the GDPR in relation to health data, outlining aspects such as informed consent, the right to be forgotten, and data portability. It highlights the importance of privacy by design and conducting impact assessments for health-related data processing, while emphasizing the strict requirements for obtaining consent and ensuring security measures. Additionally, it addresses the complexities and responsibilities faced by data controllers and processors in maintaining compliance with both GDPR and other related regulations.

Healthcare
1 of 36
Downloaded 36 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
EHEALTH AND GDPR VFenR - AVG wie doet er mee 24 mei 2018 Erik Vollebregt www.axonadvocaten.nl
GDPR hateful eight Connected health related top 8 points of attention: 1. Informed consent criteria 2. Data concerning health scope 3. Right to be forgotten (applies to commercial collection of health data) 4. Impact assessment (and privacy by design) • For data concerning health • In case of profiling 5. Profiling requirements • including right to object if processing significantly affects data subject 6. Data portability right of user 7. Security requirements 8. Export of data to extra-EU jurisdictions
GDPR and eHealth for the pharma industry (VFenR presentation)
GDPR and eHealth for the pharma industry (VFenR presentation)
Health data case study • DPAs already take expansive view of health data • Performance data becomes health data
GDPR’s Hateful 8 Connected health related top 8 points of attention: 1. Informed consent criteria 2. Data concerning health scope 3. Right to be forgotten (applies to commercial collection of health data) 4. Impact assessment (and privacy by design) • For data concerning health • In case of profiling 5. Profiling requirements • including right to object if processing significantly affects data subject 6. Data portability right of user 7. Security requirements 8. Export of data to extra-EU jurisdictions
Consent-based business model tricky ‘GDPR: ‘means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’ Recitals 32, 42 and 43 GDPR • silence, pre-ticked boxes or inactivity do not constitute consent • Processing for multiple purposes? Consent should be given for all of them! • Controller must be able to prove valid consent was obtained and provide intelligible consent language • Consent invalid “in a specific case where there is a clear imbalance between the data subject and the controller” 7
Scope of ‘health data’
When is health data anonymous? WP 216 on Anonymisation Techniques (para 2.2): • Anonymisation is further processing personal data with the aim of irreversibly preventing identification of the data subject. • Several anonymisation techniques may be envisaged, there is no prescriptive standard in EU legislation. • Importance should be attached to contextual elements: account must be taken of “all” the means “likely reasonably” to be used for (re-) identification by the controller and third parties • A risk factor is inherent to anonymisation: this risk factor is to be considered in assessing the validity of any anonymisation technique – pseudonomisation is not anonymisation (e.g. if linkable through datasets)
Research – ‘Right to be forgotten’ Article 17 (1) GDPR: The data subject has the right to obtain the erasure of personal without undue delay from the controller. The ‘right to be forgotten’ ONLY does not apply if the processing takes place: ‘for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing.’ (article 17 (3) (d) Right to be forgotten does apply in all commercial processing of health data for the purpose of services!
Privacy by design and default, PIAs
Impact Assessment Article 35 • PIA prior to processing • Authorities will make lists of operations subject to PIA • Prior consultation of DPA regarding residual risks (article 36)
Impact Assessment
Profiling requirements • Profiling based on health data -> always PIA • 'profiling' means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements; • Data subject must be informed • Article 22: right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, unless • decision is necessary for performance or entering into contract • decision is based on explicit consent • AND: • explicit consent in case of profiling based on health data • suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place
Data portability right • Controller must inform data subject about right, and:
Security Data controllers and processors should implement appropriate technical & organizational measures to protect data from loss or any form of unlawful processing • Article 32 defines security principles Security measures must take into account (recital 78): • Nature of the data to be protected and consequences of security breach • State of the art • Security by design • Aim to prevent unnecessary collection and further processing of personal data • Overriding principle: Plan-Do-Check-Act • Data breach notification (article 33/34) • to DPA (<72 hours) and to data subject • processor must inform controller
Export Chapter 5 Export only with legal basis: • Adequacy decision (or Privacy Shield) • Appropriate safeguards (BCR and SCCs) ensuring third party rights for data subjects, approved code or certification mechanism • Specific situation • informed consent • necessary for performance of contract
Known unknowns and wide open doors • This means that member states can still require geofencing, hosting accreditation and things like that for processing of genetic, biometric and/or health data! • Only restriction is that these cannot be contrary to the requirements of the internal market and must be proportionate
Bonus slides on GDPR implementation in NL
What’s interesting in the AVG implementation act? Article 19 – cooperation protocols with other CAs in NL (typical Dutch thing) Exercise of discretion under article 9 (4) GPDR: Article 24 UAVG re processing that is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law - additional requirements in Article 24 (b), (c) and (d): Research must be in general interest Asking consent must be impossible or prohibitively difficult Safeguards against unjustifiable damage to data subjects privacy Seems to exclude commercial research given general interest criterion What about vigilance and PMS data?
What’s interesting in the AVG implementation act? Exercise of discretion under article 9 (4) GPDR: Article 30 IAVG – exceptions re data concerning health Processing of data concerning health allowed for government, pension funds, employers or institutions active on their behalf for execution of tasks and re- integration (Art 30 (1) – article 9 (2) (b) GDPR) – implementation of secrecy like in article 9 (2) (h) GDPR Processing of data concerning health allowed by schools and rehabilitation services insofar as necessary for their tasks (Art 30 (2) – implementation of secrecy like in article 9 (2) (h) GDPR Processing of data concerning health for HCP, health institutions and social services insofar as necessary for their tasks and insurance companies (Art 30 (3) – article 9 (2) (h) GDPR) Processing on the above three bases only by persons under professional or contractual secrecy (Article 30 (4)) Unclear if this includes contractual third parties referred to in Article 9 (2) (h) GDPR (service providers to HCPs and health institutions) If treatment or care require it then processing of data concerning health can be mixed with processing of other categories of sensitive data (Article 30 (5) Issue
What’s interesting in the AVG implementation act?Convenient implementation table to check exercise of national discretion
Bonus slides on cybersecurity and GDRP – MDR overlaps
General EU current security regulations and standards: data protection • Protection against e.g. alteration and unauthorized access have everything to do with cybersecurity, as these impact directly on safety and performance of the device. • Non harmonization of the Data Protection Directive is a big problem because it leads to the situation of member states taking different views on security terms requirements. • Dutch NCA refers to ISO 27000 family as informal harmonised standard • Dutch sauce ISO 27002 mandatory standard in Dutch healthcare market (NEN 7510, 7512 and 7513)
General EU security regulations and standards • Currently authorities mainly approach cybersecurity issues via Data Protection Directive, which features a secutiry regime in Article 17(1):
Privacy by design obligations for medical devices • WP 223: Controller has responsibility for security of IoT devices • Parties purchasing OEM devices and solutions will want privacy by design compliance warranties
Privacy by design obligations for medical devices WP 223 on end of life devices and remote monitoring / measuring devices
Concurrent privacy by design requirements under GDPR • General Data Protection Regulation has already entered into force, transitional period ending 25 May 2018 • Will apply to any device that processes personal data, both on hardware and software level – possible overlaps with MDR • Requires privacy by • Design • Default • Requires cybersecurity measures, but so does the MDR • GSPRs 17.1, 17.2 and 17.4
GDRP security thinking Recital 81: “the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of this Regulation, including for the security of processing. ”
GDPR security thinking • Under the MDR / IVDR costs of implementation are irrelevant for risk reduction (AFAP principle in GSPR 2)
Security requirements
Security design requirements (art. 32) Controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. Take account of risks that are presented by processing, e.g. accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
Overlap of risks and different approaches MDR / IVDR • Security by design aimed to safeguard safety and performance (Safety, Reliability and Availability (SRA) for cyber physical systems) GDPR • Security by design and default aimed at data integrity (Confidentiality– Integrity–Availability (CIA) for corporate processes) Map security risks under GDPR that are also (partially) safety and performance risks under MDR / IVDR • Those risks are subject to AFAP reduction by means of design insofar as they concern the device (GSPR 2 and EN ISO 14971:2012 ZABC annexes)
Overlap of risks and different approaches - nice model GDPR orientation MDR / IVDR orientation
It all starts with a PIA and selection of approaches based on that Mandatory and prior to processing if processing is likely to result in a high risk to the rights and freedoms of natural person, especially in case of (a) systematic and extensive evaluation of personal aspects relating to natural persons based on automated processing (incl. profiling), and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; (b) processing on a large scale of special categories of data (e.g. health); or (c) systematic monitoring of a publicly accessible area on a large scale • Mandatory advice of the data protection officer required • Authorities to specify what processing subject to PIA
www.axonlawyers.com THANKS FOR YOUR ATTENTION Erik Vollebregt Axon Lawyers Piet Heinkade 183 1019 HC Amsterdam T +31 88 650 6500 M +31 6 47 180 683 E erik.vollebregt@axonlawyers.com @meddevlegal B http://medicaldeviceslegal.com READ MY BLOG: http://medicaldeviceslegal.com

More Related Content

PPTX
NEN symposium on Medical Devices and IVD Regulation
Erik Vollebregt
 
PPTX
Economic operators under the MDR and IVDR
Erik Vollebregt
 
PPTX
Your legal relationship with your notified body
Erik Vollebregt
 
PPTX
MDR and class I medical devices presentation
Erik Vollebregt
 
PPTX
Advamed Med Tech 2019 countdown presentation
Erik Vollebregt
 
PPTX
Point of-care, biosensors &amp; mobile diagnostics europe 2019
Erik Vollebregt
 
PPTX
Use of left over samples under the IVDR and GDPR
Erik Vollebregt
 
PPTX
M&A and medical devices presentation
Erik Vollebregt
 
NEN symposium on Medical Devices and IVD Regulation
Erik Vollebregt
 
Economic operators under the MDR and IVDR
Erik Vollebregt
 
Your legal relationship with your notified body
Erik Vollebregt
 
MDR and class I medical devices presentation
Erik Vollebregt
 
Advamed Med Tech 2019 countdown presentation
Erik Vollebregt
 
Point of-care, biosensors &amp; mobile diagnostics europe 2019
Erik Vollebregt
 
Use of left over samples under the IVDR and GDPR
Erik Vollebregt
 
M&A and medical devices presentation
Erik Vollebregt
 

What's hot (20)

PPTX
Economic operators and the exits
Erik Vollebregt
 
PPTX
HOW TO WORK WITH EMERGENCY RULES RELATING TO COVID 19?
Erik Vollebregt
 
PPTX
Q1 Medical Devices Regulation - practical consequences for manufacturers
Erik Vollebregt
 
PPTX
Q1 medical device packaging conference 10 november 2020
Erik Vollebregt
 
PPTX
Informa Eudamed update 29 january 2014
Erik Vollebregt
 
PPTX
Advamed EU MDR and IVDR panel presentation
Erik Vollebregt
 
PPTX
Easy medical devices podcast self tests ivdr
Erik Vollebregt
 
PPTX
Liability insurance requirements under the new EU Medical Devices Regulation ...
Erik Vollebregt
 
PPTX
Legal aspects of the new EU Medical Devices Regulation - known and unknowns
Erik Vollebregt
 
PPTX
New legal obligations under MDR and IVDR
Erik Vollebregt
 
PPTX
Legal and regulatory developments in precision medicine and diagnostic devices
Erik Vollebregt
 
PPTX
New legal obligations and liability under MDR and IVDR
Erik Vollebregt
 
PPTX
Recent and future developments in UDI for medical devices in the EU
Erik Vollebregt
 
PPTX
E health, mhealth and apps
Erik Vollebregt
 
PPTX
Transparency under the new MDR and IVDR
Erik Vollebregt
 
PPTX
Advamed MDR IVDR update
Erik Vollebregt
 
PPTX
MDR aspects for the sterilisation industry
Erik Vollebregt
 
PPTX
3D medtech printing under EU Medical Devices Directive and under future Medic...
Erik Vollebregt
 
PDF
A Delay in MDR: Where are We Now
Greenlight Guru
 
PPTX
The New EU MDR and What You Need to Know
EMMAIntl
 
Economic operators and the exits
Erik Vollebregt
 
HOW TO WORK WITH EMERGENCY RULES RELATING TO COVID 19?
Erik Vollebregt
 
Q1 Medical Devices Regulation - practical consequences for manufacturers
Erik Vollebregt
 
Q1 medical device packaging conference 10 november 2020
Erik Vollebregt
 
Informa Eudamed update 29 january 2014
Erik Vollebregt
 
Advamed EU MDR and IVDR panel presentation
Erik Vollebregt
 
Easy medical devices podcast self tests ivdr
Erik Vollebregt
 
Liability insurance requirements under the new EU Medical Devices Regulation ...
Erik Vollebregt
 
Legal aspects of the new EU Medical Devices Regulation - known and unknowns
Erik Vollebregt
 
New legal obligations under MDR and IVDR
Erik Vollebregt
 
Legal and regulatory developments in precision medicine and diagnostic devices
Erik Vollebregt
 
New legal obligations and liability under MDR and IVDR
Erik Vollebregt
 
Recent and future developments in UDI for medical devices in the EU
Erik Vollebregt
 
E health, mhealth and apps
Erik Vollebregt
 
Transparency under the new MDR and IVDR
Erik Vollebregt
 
Advamed MDR IVDR update
Erik Vollebregt
 
MDR aspects for the sterilisation industry
Erik Vollebregt
 
3D medtech printing under EU Medical Devices Directive and under future Medic...
Erik Vollebregt
 
A Delay in MDR: Where are We Now
Greenlight Guru
 
The New EU MDR and What You Need to Know
EMMAIntl
 
Ad

Similar to GDPR and eHealth for the pharma industry (VFenR presentation) (20)

PPTX
EU General Data Protection Regulation top 8 operational impacts in personal c...
Erik Vollebregt
 
PPTX
EU data protection and security update COCIR annual meeting 2016
Erik Vollebregt
 
PPTX
Medical device data protection and security
Erik Vollebregt
 
PDF
The U.S. Healthcare Implications of Europe’s Stricter Data Privacy Regulation
Cognizant
 
PPTX
Niall Rooney FD Event 05.09.19
Niall Rooney
 
PDF
GDPR and Research Data Management
London School of Hygiene and Tropical Medicine
 
PPTX
GDPR, Data Privacy.
Liviu Claudiu Cismaru
 
PDF
Browne Jacobson - Administrative and public law - October 2017
Browne Jacobson LLP
 
PPTX
GDPR SECURITY ISSUES
Sylvain Martinez
 
PPTX
Protection of patient data in EU vs. US
Erik R. Ranschaert, MD, PhD
 
PDF
DPOs in the public sector, May 2018, Birmingham
Browne Jacobson LLP
 
PDF
GDPR for public sector DPO's seminar, April 2018, Manchester
Browne Jacobson LLP
 
PDF
DPOs in the public sector, May 2018, London
Browne Jacobson LLP
 
PDF
GDPR for public sector DPO's, April 2018, Nottingham
Browne Jacobson LLP
 
PPTX
EU cybersecurity requirements under current and future medical devices regula...
Erik Vollebregt
 
PDF
Feedback on Draft Personal Data Protection Bill 2018 submitted to MEITY
Nanda Mohan Shenoy
 
PDF
Legal Framework for Digital Health Innovation - Data Protection and Security
DayOne
 
PDF
General Data Protection Regulation (GDPR) for Identity Architects
WSO2
 
PDF
GDPR and Personal Data Transfers 1.1.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PPTX
An Overview of GDPR
The Pathway Group
 
EU General Data Protection Regulation top 8 operational impacts in personal c...
Erik Vollebregt
 
EU data protection and security update COCIR annual meeting 2016
Erik Vollebregt
 
Medical device data protection and security
Erik Vollebregt
 
The U.S. Healthcare Implications of Europe’s Stricter Data Privacy Regulation
Cognizant
 
Niall Rooney FD Event 05.09.19
Niall Rooney
 
GDPR and Research Data Management
London School of Hygiene and Tropical Medicine
 
GDPR, Data Privacy.
Liviu Claudiu Cismaru
 
Browne Jacobson - Administrative and public law - October 2017
Browne Jacobson LLP
 
GDPR SECURITY ISSUES
Sylvain Martinez
 
Protection of patient data in EU vs. US
Erik R. Ranschaert, MD, PhD
 
DPOs in the public sector, May 2018, Birmingham
Browne Jacobson LLP
 
GDPR for public sector DPO's seminar, April 2018, Manchester
Browne Jacobson LLP
 
DPOs in the public sector, May 2018, London
Browne Jacobson LLP
 
GDPR for public sector DPO's, April 2018, Nottingham
Browne Jacobson LLP
 
EU cybersecurity requirements under current and future medical devices regula...
Erik Vollebregt
 
Feedback on Draft Personal Data Protection Bill 2018 submitted to MEITY
Nanda Mohan Shenoy
 
Legal Framework for Digital Health Innovation - Data Protection and Security
DayOne
 
General Data Protection Regulation (GDPR) for Identity Architects
WSO2
 
GDPR and Personal Data Transfers 1.1.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
An Overview of GDPR
The Pathway Group
 
Ad

More from Erik Vollebregt (7)

PPTX
Q1 MDR and IVDR PRRC presentation
Erik Vollebregt
 
PPTX
Managing New Requirement for Economic Operator Regime
Erik Vollebregt
 
PPTX
VZI jaarcongres: de MDR en IVDR - de impact in de medische techniek
Erik Vollebregt
 
PPTX
Regulation of Economic Operators under the MDR and IVDR
Erik Vollebregt
 
PPTX
Trends in EU regulation of software as medical device
Erik Vollebregt
 
PPTX
Legal issues relating to clinical investigation with medical devices
Erik Vollebregt
 
PPTX
Changes in device classification under the EU Medical Devices and In Vitro Di...
Erik Vollebregt
 
Q1 MDR and IVDR PRRC presentation
Erik Vollebregt
 
Managing New Requirement for Economic Operator Regime
Erik Vollebregt
 
VZI jaarcongres: de MDR en IVDR - de impact in de medische techniek
Erik Vollebregt
 
Regulation of Economic Operators under the MDR and IVDR
Erik Vollebregt
 
Trends in EU regulation of software as medical device
Erik Vollebregt
 
Legal issues relating to clinical investigation with medical devices
Erik Vollebregt
 
Changes in device classification under the EU Medical Devices and In Vitro Di...
Erik Vollebregt
 

Recently uploaded (20)

PDF
Megan Miller Colona Illinois - Passionate About CrossFit
Megan Miller Colona Illinois
 
PPTX
Pulmonary Circulation PPT final for easy
63kirubaharan
 
PDF
Selvita_Development-Strategy-2022-2025.pdf
joejoe805294
 
PPTX
ANTICANCER_DRUGES.pptx,anticancer drugs ppt
Latha Sukumar Dasi
 
PDF
Dr Masood Ahmed Expertise And Sucess Story
adilseoexpert1
 
PPTX
First aid in common emergency conditions.pptx
cham2i1738
 
PPTX
H&E Staining Procedures | Preparation, Steps, and Troubleshooting
Mohd Salman
 
PDF
Myers’ Psychology for AP, 1st Edition David G. Myers Test Bank.pdf
solutionsmanual3
 
PPTX
Host Modulation Therapy.pptx by swaroop sony
DiyaFathima8
 
PPTX
Child health services in Bangladesh.pptx
Nishat Tasnim
 
PPTX
Community Health Workers and gender webinar recording
karenmiller397756
 
PDF
The Dr. Mykim Tran Story: A Purposeful Pursuit of Motivation & Triumph
sidnik500
 
PPTX
Anatomy of female reproductive organs.pptx
amritkaur229581
 
PPTX
Current Treatment Of Heart Failure By Dr Masood Ahmed
adilseoexpert1
 
PPT
Adrenergic drugs (sympathomimetics ).ppt
AdugnaWari
 
PPTX
Microbiology, the study of microorganisms, has a rich history marked by key d...
LuckyMittal13
 
PPTX
AI_in_Pharmaceutical_Technology_Presentation.pptx
bharghav bhushan
 
PPTX
GINA_2025_Full_Guideline_Presentation.pptx
Malaymaitra
 
PPTX
X-ray Reading Guide for UG MBBS students VIVA X-RAYS.pptx
sanjeevnavalyal
 
PPTX
Medical aspects of impairment including all the domains mentioned in ICF
muskaan650751
 
Megan Miller Colona Illinois - Passionate About CrossFit
Megan Miller Colona Illinois
 
Pulmonary Circulation PPT final for easy
63kirubaharan
 
Selvita_Development-Strategy-2022-2025.pdf
joejoe805294
 
ANTICANCER_DRUGES.pptx,anticancer drugs ppt
Latha Sukumar Dasi
 
Dr Masood Ahmed Expertise And Sucess Story
adilseoexpert1
 
First aid in common emergency conditions.pptx
cham2i1738
 
H&E Staining Procedures | Preparation, Steps, and Troubleshooting
Mohd Salman
 
Myers’ Psychology for AP, 1st Edition David G. Myers Test Bank.pdf
solutionsmanual3
 
Host Modulation Therapy.pptx by swaroop sony
DiyaFathima8
 
Child health services in Bangladesh.pptx
Nishat Tasnim
 
Community Health Workers and gender webinar recording
karenmiller397756
 
The Dr. Mykim Tran Story: A Purposeful Pursuit of Motivation & Triumph
sidnik500
 
Anatomy of female reproductive organs.pptx
amritkaur229581
 
Current Treatment Of Heart Failure By Dr Masood Ahmed
adilseoexpert1
 
Adrenergic drugs (sympathomimetics ).ppt
AdugnaWari
 
Microbiology, the study of microorganisms, has a rich history marked by key d...
LuckyMittal13
 
AI_in_Pharmaceutical_Technology_Presentation.pptx
bharghav bhushan
 
GINA_2025_Full_Guideline_Presentation.pptx
Malaymaitra
 
X-ray Reading Guide for UG MBBS students VIVA X-RAYS.pptx
sanjeevnavalyal
 
Medical aspects of impairment including all the domains mentioned in ICF
muskaan650751
 

GDPR and eHealth for the pharma industry (VFenR presentation)

  • 1. EHEALTH AND GDPR VFenR - AVG wie doet er mee 24 mei 2018 Erik Vollebregt www.axonadvocaten.nl
  • 2. GDPR hateful eight Connected health related top 8 points of attention: 1. Informed consent criteria 2. Data concerning health scope 3. Right to be forgotten (applies to commercial collection of health data) 4. Impact assessment (and privacy by design) • For data concerning health • In case of profiling 5. Profiling requirements • including right to object if processing significantly affects data subject 6. Data portability right of user 7. Security requirements 8. Export of data to extra-EU jurisdictions
  • 5. Health data case study • DPAs already take expansive view of health data • Performance data becomes health data
  • 6. GDPR’s Hateful 8 Connected health related top 8 points of attention: 1. Informed consent criteria 2. Data concerning health scope 3. Right to be forgotten (applies to commercial collection of health data) 4. Impact assessment (and privacy by design) • For data concerning health • In case of profiling 5. Profiling requirements • including right to object if processing significantly affects data subject 6. Data portability right of user 7. Security requirements 8. Export of data to extra-EU jurisdictions
  • 7. Consent-based business model tricky ‘GDPR: ‘means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’ Recitals 32, 42 and 43 GDPR • silence, pre-ticked boxes or inactivity do not constitute consent • Processing for multiple purposes? Consent should be given for all of them! • Controller must be able to prove valid consent was obtained and provide intelligible consent language • Consent invalid “in a specific case where there is a clear imbalance between the data subject and the controller” 7
  • 9. When is health data anonymous? WP 216 on Anonymisation Techniques (para 2.2): • Anonymisation is further processing personal data with the aim of irreversibly preventing identification of the data subject. • Several anonymisation techniques may be envisaged, there is no prescriptive standard in EU legislation. • Importance should be attached to contextual elements: account must be taken of “all” the means “likely reasonably” to be used for (re-) identification by the controller and third parties • A risk factor is inherent to anonymisation: this risk factor is to be considered in assessing the validity of any anonymisation technique – pseudonomisation is not anonymisation (e.g. if linkable through datasets)
  • 10. Research – ‘Right to be forgotten’ Article 17 (1) GDPR: The data subject has the right to obtain the erasure of personal without undue delay from the controller. The ‘right to be forgotten’ ONLY does not apply if the processing takes place: ‘for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing.’ (article 17 (3) (d) Right to be forgotten does apply in all commercial processing of health data for the purpose of services!
  • 12. Impact Assessment Article 35 • PIA prior to processing • Authorities will make lists of operations subject to PIA • Prior consultation of DPA regarding residual risks (article 36)
  • 14. Profiling requirements • Profiling based on health data -> always PIA • 'profiling' means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements; • Data subject must be informed • Article 22: right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, unless • decision is necessary for performance or entering into contract • decision is based on explicit consent • AND: • explicit consent in case of profiling based on health data • suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place
  • 15. Data portability right • Controller must inform data subject about right, and:
  • 16. Security Data controllers and processors should implement appropriate technical & organizational measures to protect data from loss or any form of unlawful processing • Article 32 defines security principles Security measures must take into account (recital 78): • Nature of the data to be protected and consequences of security breach • State of the art • Security by design • Aim to prevent unnecessary collection and further processing of personal data • Overriding principle: Plan-Do-Check-Act • Data breach notification (article 33/34) • to DPA (<72 hours) and to data subject • processor must inform controller
  • 17. Export Chapter 5 Export only with legal basis: • Adequacy decision (or Privacy Shield) • Appropriate safeguards (BCR and SCCs) ensuring third party rights for data subjects, approved code or certification mechanism • Specific situation • informed consent • necessary for performance of contract
  • 18. Known unknowns and wide open doors • This means that member states can still require geofencing, hosting accreditation and things like that for processing of genetic, biometric and/or health data! • Only restriction is that these cannot be contrary to the requirements of the internal market and must be proportionate
  • 19. Bonus slides on GDPR implementation in NL
  • 20. What’s interesting in the AVG implementation act? Article 19 – cooperation protocols with other CAs in NL (typical Dutch thing) Exercise of discretion under article 9 (4) GPDR: Article 24 UAVG re processing that is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law - additional requirements in Article 24 (b), (c) and (d): Research must be in general interest Asking consent must be impossible or prohibitively difficult Safeguards against unjustifiable damage to data subjects privacy Seems to exclude commercial research given general interest criterion What about vigilance and PMS data?
  • 21. What’s interesting in the AVG implementation act? Exercise of discretion under article 9 (4) GPDR: Article 30 IAVG – exceptions re data concerning health Processing of data concerning health allowed for government, pension funds, employers or institutions active on their behalf for execution of tasks and re- integration (Art 30 (1) – article 9 (2) (b) GDPR) – implementation of secrecy like in article 9 (2) (h) GDPR Processing of data concerning health allowed by schools and rehabilitation services insofar as necessary for their tasks (Art 30 (2) – implementation of secrecy like in article 9 (2) (h) GDPR Processing of data concerning health for HCP, health institutions and social services insofar as necessary for their tasks and insurance companies (Art 30 (3) – article 9 (2) (h) GDPR) Processing on the above three bases only by persons under professional or contractual secrecy (Article 30 (4)) Unclear if this includes contractual third parties referred to in Article 9 (2) (h) GDPR (service providers to HCPs and health institutions) If treatment or care require it then processing of data concerning health can be mixed with processing of other categories of sensitive data (Article 30 (5) Issue
  • 22. What’s interesting in the AVG implementation act?Convenient implementation table to check exercise of national discretion
  • 23. Bonus slides on cybersecurity and GDRP – MDR overlaps
  • 24. General EU current security regulations and standards: data protection • Protection against e.g. alteration and unauthorized access have everything to do with cybersecurity, as these impact directly on safety and performance of the device. • Non harmonization of the Data Protection Directive is a big problem because it leads to the situation of member states taking different views on security terms requirements. • Dutch NCA refers to ISO 27000 family as informal harmonised standard • Dutch sauce ISO 27002 mandatory standard in Dutch healthcare market (NEN 7510, 7512 and 7513)
  • 25. General EU security regulations and standards • Currently authorities mainly approach cybersecurity issues via Data Protection Directive, which features a secutiry regime in Article 17(1):
  • 26. Privacy by design obligations for medical devices • WP 223: Controller has responsibility for security of IoT devices • Parties purchasing OEM devices and solutions will want privacy by design compliance warranties
  • 27. Privacy by design obligations for medical devices WP 223 on end of life devices and remote monitoring / measuring devices
  • 28. Concurrent privacy by design requirements under GDPR • General Data Protection Regulation has already entered into force, transitional period ending 25 May 2018 • Will apply to any device that processes personal data, both on hardware and software level – possible overlaps with MDR • Requires privacy by • Design • Default • Requires cybersecurity measures, but so does the MDR • GSPRs 17.1, 17.2 and 17.4
  • 29. GDRP security thinking Recital 81: “the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of this Regulation, including for the security of processing. ”
  • 30. GDPR security thinking • Under the MDR / IVDR costs of implementation are irrelevant for risk reduction (AFAP principle in GSPR 2)
  • 32. Security design requirements (art. 32) Controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. Take account of risks that are presented by processing, e.g. accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
  • 33. Overlap of risks and different approaches MDR / IVDR • Security by design aimed to safeguard safety and performance (Safety, Reliability and Availability (SRA) for cyber physical systems) GDPR • Security by design and default aimed at data integrity (Confidentiality– Integrity–Availability (CIA) for corporate processes) Map security risks under GDPR that are also (partially) safety and performance risks under MDR / IVDR • Those risks are subject to AFAP reduction by means of design insofar as they concern the device (GSPR 2 and EN ISO 14971:2012 ZABC annexes)
  • 34. Overlap of risks and different approaches - nice model GDPR orientation MDR / IVDR orientation
  • 35. It all starts with a PIA and selection of approaches based on that Mandatory and prior to processing if processing is likely to result in a high risk to the rights and freedoms of natural person, especially in case of (a) systematic and extensive evaluation of personal aspects relating to natural persons based on automated processing (incl. profiling), and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; (b) processing on a large scale of special categories of data (e.g. health); or (c) systematic monitoring of a publicly accessible area on a large scale • Mandatory advice of the data protection officer required • Authorities to specify what processing subject to PIA
  • 36. www.axonlawyers.com THANKS FOR YOUR ATTENTION Erik Vollebregt Axon Lawyers Piet Heinkade 183 1019 HC Amsterdam T +31 88 650 6500 M +31 6 47 180 683 E [email protected] @meddevlegal B http://medicaldeviceslegal.com READ MY BLOG: http://medicaldeviceslegal.com

Editor's Notes

  • #9: Potential future health status: any information where there is a scientifically proven or commonly perceived risk of disease in the future, such as obesity, blood pressure, personal habits involving tobacco, alcohol or drugs Past, current and future health status
  • #11: Not sure how this will work out in practice!