IP - 07120-1/2020/290

From GDPRhub
Authority: IP (Slovenia)
Jurisdiction: Slovenia
Relevant Law: Article 58 GDPR

Article 49(1)(g) ZVOP-1

Article 2 ZInfP

Type: Advisory opinion
Outcome: Non-binding
Decided: 22.4.2020
Published: n/a
Fine: none
Parties: anonymous
National Case Number: 07120-1/2020/290
European Case Law Identifier: n/a
Appeal: n/a
Original Language: Slovenian

Original Source: IP (SI)

The Slovenian DPA (IP) issued a non-binding opinion about apps which would track the state of health and the movements of confirmed patients with SARS-CoV-2. The IP opined that a DPIA would be mandatory and that EU member states should coordinate their actions regarding such apps.

English Summary

Facts

The IP was asked about the compliance of a planned remote monitoring application for patients with confirmed SARS-CoV-2 infection.

The patient would give their consent; the app would require their identification, associated diseases and a daily report of body temperature, blood pressure, blood oxygen saturation, heart rate, blood sugar and other symptoms. The app would alert the patient in case of discrepancies, and their data would be available to healthcare staff, who could contact the patient. The Ministry of Health would decide on mandatory quarantine and notify the patient; if the patient consented to location monitoring, the application would also monitor the patient's movement and report deviations from what is permitted to the patient and medical staff.

Holding

The IP advised that, first and foremost, a DPIA is mandatory; it should clearly describe the technical parameters in the light of the purpose pursued and the principle of proportionality. The IP also drew attention to the principle of transparency. It found that the proposed app would most likely require an adequate legal basis in national law. It strongly recommended that the Slovenian legislator take specific measures about such apps, following the development at EU level and coordinating with other member states.


English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Slovenian original for more details.

Date: 04/22/2020
Title: Remote Patient Monitoring Application (mHealth-covIT)
Number: 07120-1/2020/290
Subject matter: Definition of OP, Modern technologies, Specific types, Legal bases, Telecommunications and mail, Health personal information
Legal act: Opinion

On April 8, 2020, we received your personal data protection questions from the Information Commissioner (IP) regarding a planned remote monitoring application for patients with confirmed SARS-CoV-2 infection.

The patient would have given his or her usual consent before the investigation. The patient would also enter the required ID information in the application: personal name, address, ZZZS number and telephone number. The patient would indicate associated diseases and risks in the application. The patient would enter daily into the application: body temperature, measured blood pressure, blood oxygen saturation, heart rate, blood sugar and other symptoms (e.g. vomiting). The application would alert the patient to the discrepancies and the data would be available to healthcare staff who could contact the patient in case of discrepancies.
If the patient received a decision from the Ministry of Health on mandatory quarantine and gave their consent to the location monitoring in the application, the application would also monitor its movement and deviations from the permitted message to the patient and medical staff.
On the basis of the information you have provided to us, in accordance with Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Directive 95/46/EC (hereinafter: the General Data Protection Regulation), point 7 of the first paragraph of Article 49 of the Personal Data Protection Act (Official Gazette RS, No. 94/07-UPB1, hereinafter ZVOP-1), and Article 2 of the Information Commissioner Act (Official Gazette of the Republic of Slovenia, No. 113/05, hereinafter ZInfP), we provide our non-binding opinion on your questions.
First of all, it should be pointed out (as explained in more detail in IP Opinion No. 07120-1/2020/288 to the Ministry of Health regarding the establishment of such applications, available on our website: www.ip-rs.si/vop/) that, in the light of the experience of some other countries, it is imperative, first of all, to order an impact assessment with clear technical parameters of the application against the objectives pursued and in the light of the principle of proportionality (only the elements you cite are not sufficient). Some of the elements to be addressed are mentioned in the IP Opinion. In particular, we draw attention to the need for care in terms of transparency about what personal data the application will actually process, for what purposes (these should be narrowly and clearly defined), where they will be kept, who will be the controller of that data, on what legal basis, how that data will be stored, for how long and how the data will be deleted.
Please note that in this opinion, due to the absence of directional issues and lack of information, we cannot identify all the specific aspects of the proposed solution (e.g. who is the data controller, the role of the service provider, the specific content and validity of the consent, patient information, concrete use of data (original, secondary), location and time of data retention, mode of data transfer, access rights of employees and service provider, minimum data principle, patient risk, system technical security…), but only to the question of the principle admissibility of the proposed solution in terms of the legal basis for processing data. We conclude that this is a mobile application on a patient-owned mobile phone.
1. Provision of telemedicine monitoring of a patient's medical condition shall be admissible in the light of the legal bases on the part of the healthcare provider, provided that:
- the patient is adequately informed of all aspects of the processing of personal data,
- that the patient is not compelled to (only) monitor this state of health, and
- that the patient's appropriate consent is given if, in addition to the purpose of providing regular medical care, personal data is collected and used for any other purpose that would not be covered by any of the grounds referred to in points (b) to (j) of the second paragraph of Article 9 of the General Data Protection Regulation.
Against this background, the proposed application would most likely require an adequate legal basis in the national regulation.
The above rules also depend on who is the controller of the personal data or whether the patient primarily processes the data for personal use.
2. The conditions regarding the monitoring of the patient's quarantine location in connection with the processing of the information provided by the healthcare provider or other public sector operator from the legal basis are admissible under the conditions as defined in IP Opinion No. 07120-1/2020/288, which we suggest you to familiarize yourself with.
Given the many risks posed by such applications, IP expresses concern that any individual healthcare provider would undertake the design of such applications. Accordingly, the IP strongly recommends and urges that Slovenia take measures based on applications and tracking of individuals for invasiveness and interfering with their rights, to follow the development of the theme at EU level and to coordinate with other members through dedicated forums and networks regarding technical solutions. 
Justification:
The IP is of the opinion that technology can certainly make a constructive contribution to curbing the COVID-19 epidemic, but only taking into account the legal framework for privacy and personal data protection. We also support the understanding that it is essential to coordinate actions within the EU Member States when developing technologies and approaches, as diverse or uncoordinated initiatives by individual Member States cannot be effective. At the same time, the Republic of Slovenia must pursue the high level of respect for fundamental rights as required by the Slovenian Constitution and advocate such solutions at EU level. An epidemic should not be a reason to nullify constitutional principles. At this point, we point out that the European Commission (hereinafter referred to as the EC) has just published recommendations on COVID-19 epidemic containment technologies, identifying solutions that can be effective in this context (including in terms of various applications that can more or less effectively achieve their goals) and regarding the safeguards that must be put in place to protect the rights of individuals.
The EC plays a special role in agreeing on effective EC measures within the EU-based eHealth Network, of which Slovenia is also a member, where the Slovenian authorities can also play a constructive role in finding effective, proportionate and urgent technical solutions. In this context, we are also involved in the involvement of the European Personal Data Protection Authorities, which work within the European Data Protection Board. The committee is also expected to issue a unified opinion on the COVID-19 mobile restriction applications we can provide to you in the coming days. According to a communication from the European Commission, it intends to adopt guidelines on 15 April 2020 for compliance with the legal framework for the protection of personal data in the development of various applications.
Accordingly, the IP strongly recommends and urges that Slovenia take measures based on applications and tracking individuals for invasiveness and interfering with their rights, to follow the development of the theme at EU level and to coordinate with other members through dedicated forums and networks regarding technical solutions, which are effective and pursue the goal of minimizing interference with the rights of individuals to achieve the common goal of limiting the COVID-19 epidemic while respecting fundamental rights. The development of technological solutions can only contribute to these goals, given the high level of protection of fundamental rights of individuals.