COMMISSIONER
FOR INFORMATION OF PUBLIC IMPORTANCE
AND PERSONAL DATA PROTECTION


In his letter sent to the Minister of Health, the Commissioner for Information of Public Importance and Personal Data Protection called for urgent action to ensure that personal data in the Integrated Health Management System (IHIS) are protected from unauthorised access and any other abuse and that the functioning of the IHIS is regulated in the only proper way – by a law. The Commissioner had previously found in an inspection procedure that the Ministry of Health had implemented the IHIS as a centralised personal data collection in electronic form, which it uses for processing the personal data of patients (including the data identified as “particularly sensitive” under the law) and employees in 451 health care institutions.

In accordance with Article 42 of the Constitution, personal data processing “shall be regulated by a law.” Only a law, rather than secondary legislation, can provide the legal basis for personal data processing and determine the purpose of processing and the type of processed data. None of the relevant laws (Law on Medical Documentation and Medical Records, Law on Health Care and Law on Public Health) provide for or regulate the processing of personal data that is done in the IHIS. On the other hand, the Regulation on the Programme of Operation, Development and Organisation of the Integrated Health Information System “e-Health”, being a piece of secondary legislation, clearly cannot provide a legal basis for personal data processing and even its content does not lend itself to such an interpretation.

This was one of the reasons why some entities in the health care system, for example the National Health Insurance Institute, rightly refused to provide personal data from their master records, which in and of itself, quite apart from the issue of the legal basis, undermines the functionality of the entire system.

In addition to the issue of the legal basis, an equally pressing issue identified in the inspection procedure is that huge omissions in personal data protection were made in the IHIS, resulting in an enormously high level of risk and the possibility of unauthorised access and other potential large-scale abuse.

In this context, in October last year the Commissioner had sent a Letter of Warning to the Ministry in which he presented a detailed account of the factual and legal situation.

The Ministry notified the Commissioner that it had implemented a safeguard system which eliminated the shortcomings in personal data protection by preventing access by unauthorised persons to the personal data. This point was reiterated by the Ministry’s representatives in a meeting held with the Commissioner’s representatives yesterday, on 12 January 2017. However, the Commissioner’s staff conducted checks to determine whether it was possible to access patients’ personal data and found that the situation had remained unchanged from that presented in the Letter of Warning of October 2016, i.e. the possibility of unauthorised access to those data had not been eliminated.

Any prolongation of the current situation is legally unacceptable and would de facto involve the risk of compromise and abuse of patients’ personal data, with wide and irreparable consequences. For this reason, the Commissioner expects the Ministry of Health to ensure without delay that personal data in the IHIS are protected from unauthorised access and to undertake steps to ensure that the processing of personal data in the IHIS is legally valid, i.e. that it is regulated by a law.