COMMISSIONER
FOR INFORMATION OF PUBLIC IMPORTANCE
AND PERSONAL DATA PROTECTION


PROCESSING OF PERSONAL DATA IN THE HEALTH SECTOR - A PROBLEM WHICH CALLS FOR SERIOUS SOLUTIONS, NOT IMPROVISATION

The Commissioner for Information of Public Importance and Personal Data Protection gave his opinion on the Bill amending the Law on Health Documentation and Records, which the Government has submitted to the National Assembly, on several occasions during the preparation of the Draft Law. He gave it to the Ministry of Health, which prepared the Draft.

The Serbian Government, in establishing the Bill, ignored the main and essential objection of the Commissioner.

Namely, the Bill still does not solve the essential problem of personal data processing in the IHIS (Integrated Health Information System): the issue of the legal basis for establishing the IHIS has not been resolved. Despite several warnings from the Commissioner, the IHIS has actually been established, although not a single provision of the current Law on Health Documentation and Records authorizes the data controller to establish it in order to process personal data.

On the contrary, the provision of Article 44 (2) of the Law on Health Documentation and Records stipulates that the IHIS consists of a health statistical system, an information system for health insurance organizations and information systems of healthcare institutions, private practices and other legal entities. The Law does not in any way provide for the establishment of a single and centralized personal data file that would be under the control of one controller.

In addition to drawing attention, again, to the lack of a valid legal basis, the Commissioner also points to security issues that require answers.

From the perspective of generally accepted European standards in the field of personal data protection, the consolidation of a large number of smaller databases into a huge, centralized database poses a serious risk to the rights of persons with regard to personal data processing and should always be avoided, except where necessary and extremely justified.

In this specific case, it seems obvious that such a thing is not necessary. In any case, if the purpose of the processing could not be achieved differently, without creating a huge centralized database, then, as a minimum, the law should regulate which data will be entered and processed in the IHIS, which healthcare institutions will do it, under what conditions, the manner of using data, and so on. In terms of minimum safety, it is also necessary to prescribe by law the technical and organizational measures that must be undertaken in the IHIS, taking into account the type of data, the scope and purpose of processing, the technological level, and the likelihood of occurrence and the seriousness of the danger to the rights of persons, as well as who can access personal data and how, and the responsibility for processing such data.