E-HEALTH IN THE CLOUD

E
-
HEALTH

IN THE CLOUD

NVvIR voorjaarsvergadering

17 June 2010
-

Amsterdam


Avv. Dr. Paolo Balboni: TILT, EPA & IIP

www.europeanprivacyassociation.eu

www.istitutoitalianoprivacy.it

www.paolobalboni.eu


paolobalboni@istitutoitalianoprivacy.it


2

Introduction (i)


“In order to fulfil European recommendations,
national requirements and to exploit the full value of
e
-
health services,
interoperability between different
local and national Electronic Health Records
(“
EHRs
”
) has to be guaranteed

(…)
”



2

3

Introduction (ii)


“Given the strong focus on interoperability and the
potential business efficiency impact of cloud models,
a
number of Local Healthcare Authorities

(“
LHAs
”
)
are considering

to jointly enter into an agreement with
a national
‘
telco
’

for
the creation of their own cloud
(…)
”




3

4

Introduction (iii)


“(…) The LHAs plan
to migrate

to the cloud services,
i.e.,
EHRs, EHFs, online reservation of health
examinations and,
other less critical services, e.g.,

back
-
end services, HR, payroll, e
-
learning.
”




4

5

Structure of the Presentation

1.

EU Regulatory
Background

2.

ENISA
GovCloud

Project

3.

e
-
Health

Scenario

4.

Nailing
Data Protection

Issues

5.

Few Preliminary
Considerations

6.

Q&A


5

6

EU Regulatory Background

•




“
Better informed
,
More efficient
,
Patient focused
,
a



European market
”




•
E
-
Health action plan:
COM(2004) 356
e
-
Health
-

making healthcare better for
European citizens: an action plan for a European e
-
Health Area

•
i2010 Subgroup on eHealth

•
Lead Market Initiative
-

eHealth

•
Article 29 WP (
WP 131/2007
) Working Document on the processing of personal
data relating to health in electronic health records (EHR)


•
COM(2008) 414
Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT
AND OF THE COUNCIL on the application of patients' rights in cross
-
border
healthcare

•
COM(2008) 415
A Community framework on the application of patients' rights in
cross
-
border healthcare

•
Study on the Legal Framework for Interoperable e
-
Health in Europe (2009)






6

7

ENISA GovCloud Project (i)


Aim



To analyse and evaluate the impact that cloud computing
have on resilience and security of services in a
Governmental organisation and to provide
recommendations and good practices for Eu MSs
planning to migrate to cloud computing

Subject



Both services to citizens (eGov) and internal IT service
(back end) are considered


7

8

ENISA GovCloud Project (ii)


Legal Aspects



Legal aspects are NOT the main focus of the paper, that is
security and resilience


We are going to publish an annex to the main report with data
protection and legal considerations

Background


The project has to be considered as follow up action of the work
done by ENISA during 2009 and, in particular, of the report:
‘
Cloud Computing: Benefits, risks and recommendations for
information security
’

8

9

E
-
Health Scenario

The analysis will be based on 4 cases/scenarios:


1.
E
-
Health
–

Local and Regional Healthcare Authorities

2.
Local and Regional Public Administrations

3.
Gov Cloud
–

Computing as a Service

4.
Supra
-
National Cloud



E
-
Health questionnaire to be distributed to 2 Italian LHAs,
NICTIZ and Rotterdam’s regional healthcare network


9

10

Nailing Data Protection Issues

Data Controller
-

Data Processor (Who is who?)


•
Article 2 (d) and (e) Directive 95/46/EC

•
Article 29 WP:
Opinion 1/2010 on the concepts of "controller"
and "processor"

•
EDPS: “
Data Protection and Cloud Computing under EU law
”
,
speech delivered by Peter Hustinx at the Third European Cyber
Security Awareness Day, Brussels, 13 April 2010

•
Article 29 WP:
Work Programme 2010
-
2011



10

11

Nailing Data Protection Issues

Does EU law apply?



“
(a) if the data controller has a relevant establishment in the EU
and (b) if it uses equipment in the EU. Thus:

•
A cloud provider established in the EU
-

or acting as processor
for a controller established in the EU
-

will in principle be 'caught'
by EU law.

•
A cloud provider which uses equipment (such as servers) in an
EU Member State
-

or acting as processor for a controller using
such equipment
-

will also be caught.

•
A cloud provider in other cases
-

even if it mainly and mostly
targets European citizens
-

would not be caught by EU law.
”


(Peter Hustinx
-

EDPS)

11

12

Nailing Data Protection Issues

Safeguards for Data Subjects


•
Right to create an EHR and/or EHF

•
Entities Processing the Data

•
How to access the EHR and/or a EHF

•
Data Subject
’
s Rights

•
Limitations on Data Dissemination and Cross
-
Border Data
Flows

•
Information notice and Consent

•
Security Measures

•
(Communications to the Local DPAs)

12

13

Few Preliminary Considerations

Key Issues


•
Limitations on Data Dissemination and Cross
-
Border
Data Flows


•
Security Measures

(
CAMM Project
)

13

Thanks for your attention!

Q&A

NVvIR voorjaarsvergadering

17 June 2010
-

Amsterdam


Avv. Dr. Paolo Balboni: TILT, EPA & IIP

www.europeanprivacyassociation.eu

www.istitutoitalianoprivacy.it

www.paolobalboni.eu


paolobalboni@istitutoitalianoprivacy.it