E-HEALTH IN THE CLOUD
NVvIR spring meeting (voorjaarsvergadering)
17 June 2010 - Amsterdam
Avv. Dr. Paolo Balboni: TILT, EPA & IIP
www.europeanprivacyassociation.eu
www.istitutoitalianoprivacy.it
www.paolobalboni.eu
paolobalboni@istitutoitalianoprivacy.it

Introduction (i)
“In order to fulfil European recommendations, national requirements and to exploit the full value of e-health services, interoperability between different local and national Electronic Health Records (“EHRs”) has to be guaranteed (…)”

Introduction (ii)
“Given the strong focus on interoperability and the potential business efficiency impact of cloud models, a number of Local Healthcare Authorities (“LHAs”) are considering jointly entering into an agreement with a national ‘telco’ for the creation of their own cloud (…)”

Introduction (iii)
“(…) The LHAs plan to migrate to the cloud services, i.e., EHRs, EHFs, online reservation of health examinations and other less critical services, e.g., back-end services, HR, payroll, e-learning.”

Structure of the Presentation
1. EU Regulatory Background
2. ENISA GovCloud Project
3. e-Health Scenario
4. Nailing Data Protection Issues
5. A Few Preliminary Considerations
6. Q&A

EU Regulatory Background
• “Better informed, More efficient, Patient focused, a European market”
• E-Health action plan: COM(2004) 356 e-Health - making healthcare better for European citizens: an action plan for a European e-Health Area
• i2010 Subgroup on eHealth
• Lead Market Initiative - eHealth
• Article 29 WP (WP 131/2007) Working Document on the processing of personal data relating to health in electronic health records (EHR)
• COM(2008) 414 Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the application of patients' rights in cross-border healthcare
• COM(2008) 415 A Community framework on the application of patients' rights in cross-border healthcare
• Study on the Legal Framework for Interoperable e-Health in Europe (2009)

ENISA GovCloud Project (i)
Aim
To analyse and evaluate the impact that cloud computing has on the resilience and security of services in a governmental organisation, and to provide recommendations and good practices for EU Member States planning to migrate to cloud computing
Subject
Both services to citizens (eGov) and internal IT services (back end) are considered

ENISA GovCloud Project (ii)
Legal Aspects
Legal aspects are NOT the main focus of the paper, which is security and resilience
We are going to publish an annex to the main report with data protection and legal considerations
Background
The project is to be considered a follow-up to the work done by ENISA during 2009 and, in particular, to the report ‘Cloud Computing: Benefits, risks and recommendations for information security’

E-Health Scenario
The analysis will be based on 4 cases/scenarios:
1. E-Health – Local and Regional Healthcare Authorities
2. Local and Regional Public Administrations
3. Gov Cloud – Computing as a Service
4. Supra-National Cloud
E-Health questionnaire to be distributed to 2 Italian LHAs, NICTIZ and Rotterdam’s regional healthcare network

Nailing Data Protection Issues
Data Controller - Data Processor (Who is who?)
• Article 2 (d) and (e) Directive 95/46/EC
• Article 29 WP: Opinion 1/2010 on the concepts of "controller" and "processor"
• EDPS: “Data Protection and Cloud Computing under EU law”, speech delivered by Peter Hustinx at the Third European Cyber Security Awareness Day, Brussels, 13 April 2010
• Article 29 WP: Work Programme 2010-2011

Nailing Data Protection Issues
Does EU law apply?
“(a) if the data controller has a relevant establishment in the EU and (b) if it uses equipment in the EU. Thus:
• A cloud provider established in the EU - or acting as processor for a controller established in the EU - will in principle be 'caught' by EU law.
• A cloud provider which uses equipment (such as servers) in an EU Member State - or acting as processor for a controller using such equipment - will also be caught.
• A cloud provider in other cases - even if it mainly and mostly targets European citizens - would not be caught by EU law.”
(Peter Hustinx - EDPS)

Nailing Data Protection Issues
Safeguards for Data Subjects
• Right to create an EHR and/or EHF
• Entities Processing the Data
• How to access the EHR and/or an EHF
• Data Subject’s Rights
• Limitations on Data Dissemination and Cross-Border Data Flows
• Information notice and Consent
• Security Measures
• (Communications to the Local DPAs)

A Few Preliminary Considerations
Key Issues
• Limitations on Data Dissemination and Cross-Border Data Flows
• Security Measures (CAMM Project)

Thanks for your attention!
Q&A