The Commissioner for Information of Public Importance and Personal Data Protection has sent a letter to the Prime Minister of the Government of the Republic of Serbia, in which he called on the Government to urgently undertake measures to eliminate the illegalities and shortcomings concerning the Integrated Health Information System (IHIS), in particular with a view to preventing the severe harmful consequences that may arise if the personal data processed in that system are compromised and abused.
The Commissioner previously found in an inspection procedure that the Ministry of Health had implemented the IHIS as a centralised personal data collection in electronic form, which it uses for processing the personal data of employees and patients in 451 health care institutions in the Republic of Serbia. The IHIS was implemented without a proper legal basis, as none of the relevant laws (Law on Medical Documentation and Medical Records, Law on Health Care and Law on Public Health) provide for or regulate the processing of personal data that is done in the IHIS. On the other hand, the Regulation on the Programme of Operation, Development and Organisation of the Integrated Health Information System “e-Health”, being a piece of secondary legislation, clearly cannot provide a legal basis for personal data processing and even its content does not lend itself to such an interpretation.
In addition to the issue of the legal basis, an equally pressing issue identified in the inspection procedure is that major omissions in personal data protection were made in the IHIS, resulting in an unacceptable level of risk and the possibility of unauthorised access and other potential abuse. Namely, it is possible to access the personal data of patients and employees at medical institutions virtually without any obstacle and without any specific IT skills, which in turn increases the likelihood that those data will be compromised and abused.
In October 2016, the Commissioner sent a Letter of Warning to the Ministry in which he presented a detailed account of the factual and legal situation and underscored that the identified omissions in personal data protection could have immeasurable harmful consequences for the patients of medical institutions in the Republic of Serbia.
The Ministry notified the Commissioner it had implemented a safeguard system which eliminated the shortcomings in personal data protection by preventing the access of unauthorised persons to the personal data. This point was reiterated by the Ministry’s representatives in a meeting held with the Commissioner’s representatives in early January 2017.
However, the Commissioner’s staff found through subsequent checks that the situation had remained unchanged from that presented in the Letter of Warning of October 2016, i.e. the possibility of unauthorised access to those data had not been eliminated. The Commissioner personally presented all these facts in a letter sent to the Minister of Health and called on the Minister to respond with utmost urgency in the best interest of Serbia’s citizens.
The shortcomings I had identified have not been rectified to date. Since this issue affects a huge quantity of medical information of Serbian citizens which, if abused, could have severely harmful consequences and could even compromise the country’s entire health care system, the Commissioner has called on the Government to undertake all necessary measures without delay in order to prevent consequences that could literally be catastrophic.