IP - 07120-1/2021/182

From GDPRhub
Revision as of 15:15, 21 April 2021 by Msm (talk | contribs)
Authority: IP (Slovenia)
Jurisdiction: Slovenia
Relevant Law: Article 6(1) GDPR
Article 9(1) GDPR
Art. 84/3 Personal Data Protection Act
Type: Advisory Opinion
Outcome: n/a
Started:
Decided: 15.03.2021
Published: 12.04.2021
Fine: None
Parties: n/a
National Case Number/Name: 07120-1/2021/182
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Slovenian
Original Source: IP (in SL)
Initial Contributor: GDPR+

The Slovenian DPA stated that, according to the Slovenian Personal Data Protection Act, a public body could not link two medical registries without the DPA's prior permission.

English Summary

Facts

The IP received a request for an opinion on the temporary connection of health databases maintained in accordance with the Health Care Databases Act (ZZPPZ), namely the Register of Infectious Diseases (NIJZ48 collection), managed by the National Institute of Public Health (NIJZ), and the Cancer Registry (NIJZ25 collection), managed by the Oncology Institute Ljubljana. The client explained that data on the presence of an infectious disease in cancer patients are crucial for determining the causes of cancer and for determining deviations from the intended treatment of oncological disease, i.e. for evaluating oncological care.

Holding

The linking of the Registry of Infectious Diseases to the Cancer Registry is (according to Article 84/3 of the Slovenian Personal Data Protection Act) not allowed without the prior permission of the IP.


English Machine Translation of the Decision

The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.


                    
Temporary linking of personal data collections

Date: 12.04.2021
Number: 07120-1/2021/182
Categories: Transmission of personal data between controllers, Legal bases, Obtaining personal data from databases, Personal data files, Health

On 15 March 2021, the Information Commissioner (IP) received your above-mentioned request for an opinion on the temporary interconnection of health databases maintained in accordance with the Health Care Databases Act (ZZPPZ), namely the Register of Infectious Diseases (NIJZ48 collection), managed by the National Institute of Public Health (NIJZ), and the Cancer Registry (NIJZ25 collection), managed by the Oncology Institute Ljubljana.

As you state, data on the presence of infectious disease in cancer patients are crucial for determining the causes of cancer and for determining deviations from the intended treatment of oncological disease, i.e. for the evaluation of oncological care.

The Cancer Registry has a legal basis in the ZZPPZ for collecting data on "etiological factors that could be related to the occurrence of cancer", on "characteristics of the disease that determine its specificity", as well as on key "milestones on the course of the disease". According to the law, the Cancer Registry can obtain data on an infectious disease of an oncology patient from the Central Patient Data Registry (CRPP) as well as directly from the Register of Primary Health Care, Records of Diseases and Conditions Identified in Specialist Outpatient Activities and Records of Diseases Requiring Hospital Treatment. A direct connection with the Register of Infectious Diseases is not provided for in the ZZPPZ.

Data on an infectious disease, which is crucially related to the development of cancer or the treatment of oncology patients, have not been monitored in the Cancer Registry so far, although you have a legal possibility to do so. At the time of the COVID-19 epidemic, however, there was an urgent need to evaluate the impact of infections on the treatment of cancer patients. You tried to obtain data on the date of the COVID-19 positive test in cancer patients in the Cancer Registry from the CRPP, through which you already obtain some other data, but unfortunately it turned out that the appropriate filling of the CRPP with data on COVID-19 tests was established gradually, and that qualitative data on COVID-19 in cancer patients for the full year 2020 are not available from this source, and no retrospective completion of data in the CRPP is foreseen. This technical dilemma could be solved by directly linking the Cancer Registry and the Infectious Diseases Register, linking the collections only for the period until the appropriate record of COVID-19 tests has been established in the CRPP.

You also want to link the Cancer Register and the Register of Infectious Diseases due to a research project entitled The Impact of the COVID-19 Epidemic on Cancer Management in Slovenia, which aims to study how COVID-19 infection affected the treatment and outcomes of cancer patients.

According to your letter, you therefore want to supplement the data in the Cancer Registry with data on COVID-19 diseases, which you would obtain for a certain period of time by establishing a link with the Register of Infectious Diseases. You therefore ask the IP for an opinion on the possibility of temporary linking of the Infectious Diseases Register and the Cancer Registry, which would supplement the Cancer Registry with data on infectious diseases important for oncology patients, and the connection would be established until the CRPP data source provided for by law (ZZPPZ) is established.


On the basis of the information you have provided us, in accordance with Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Regulation on Data Protection; hereinafter: General Regulation), point 7 of the first paragraph of Article 49 of the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 94/07-UPB1, hereinafter ZVOP-1) and Article 2 of the Information Commissioner Act (Official Gazette of the Republic of Slovenia, No. 113/05, hereinafter ZInfP), we provide our non-binding opinion regarding your above-mentioned requests.

The IP clarifies at the outset that outside the inspection procedure or other administrative procedure it cannot give concrete positions on individual issues in the field of personal data protection, but can only give non-binding opinions and explanations outside these procedures.

The linking of personal data files undoubtedly constitutes an act of personal data processing and is therefore considered lawful from the point of view of the provisions of the General Regulation and ZVOP-1 only insofar as at least one of the conditions set out in Article 6(1) is met and, where so-called special types of personal data are also transmitted by means of the connection, at least one of the conditions set out in Article 9(2) of the General Regulation.

In the Republic of Slovenia, the connection of personal data collections from official records and public books is specifically regulated in Chapter 6 of Part VI (Sectoral regulations) of the still valid ZVOP-1, where the first paragraph of Article 84 stipulates that personal data collections from official records and public books may be linked, if so provided by law. The second paragraph of Article 84 of ZVOP-1 stipulates that the controller or controllers of personal data who connect two or more collections of personal data kept for different purposes are obliged to notify the state supervisory authority in advance. The third paragraph of Article 84 of ZVOP-1 further stipulates that if at least one collection of personal data to be linked contains sensitive personal data, or if the connection would result in the disclosure of sensitive data, or the connection requires the use of the same linking sign, linking is not allowed without the prior permission of the supervisory authority. The fourth paragraph of Article 84 of ZVOP-1 also stipulates that the state supervisory body allows a connection on the basis of a written application of the personal data controller if it finds that the personal data controllers provide adequate protection of personal data.

It is evident from the above-cited provisions of Article 84 of ZVOP-1 that if any of the personal data files contains sensitive personal data [1], the connection of personal data files is not permitted without the prior permission of the state supervisory authority (IP). Taking into account the provisions of Article 84 of ZVOP-1, the IP, in the administrative procedure of deciding on the issuance of a decision or permit for the connection of personal data files, issues it in the event that two conditions are cumulatively met, namely:

that such a connection is determined by law, i.e. that there is an appropriate legal basis for the connection of personal data files referred to in Article 6 or 9 of the General Regulation;
that the controllers whose collections will be connected provide protection or security of personal data, which meets the requirements of Articles 24 and 25 of ZVOP-1 and Articles 25 and 32 of the General Regulation.


As can be seen from your statements and from the ZZPPZ, you want to temporarily link personal data collections (Infectious Diseases Register and Cancer Register), which are considered official records, and both records also contain sensitive or special types of personal data. It is also clear from your statements and from the ZZPPZ that the mentioned connection would not be a connection of eHealth databases, nor would it be a connection that would be established for the purpose of providing eHealth services. Therefore, in the opinion of the IP, the provision of indent 2 of the third paragraph of Article 14a of the ZZPPZ, according to which the NIJZ may, regardless of the provisions of the law governing the protection of personal data, also connect eHealth databases for the purpose of providing eHealth services without the prior permission of the state supervisory body for the protection of personal data, cannot be applied.

Considering that the connection of the Register of Infectious Diseases with the Cancer Registry would not be a connection of eHealth records and a connection that would be established for the purpose of providing eHealth services, such connection, in accordance with the provisions of the third paragraph of Article 84 of ZVOP-1, is not allowed without prior IP permission. Therefore, the IP, as the body responsible for deciding in the licensing procedure, cannot give a preliminary opinion on the admissibility of linking the Cancer Registry with the Register of Infectious Diseases.

It follows from the above that in case you want to temporarily link the Register of Infectious Diseases to the Cancer Registry, you must address the Application for a decision on linking personal data collections in the public sector to the IP, using the form available on the IP website at:
https://www.ip-rs.si/obrazci/

As follows from ZZPPZ, and as you can see for yourself, ZZPPZ already provides a legal basis for linking the Register of Infectious Diseases with CRPP (fourth paragraph of Article 14c) and the legal basis for linking CRPP with the Cancer Registry (column 8 of Annex 1 for NIJZ records 25 - Cancer registry). However, it does not provide a legal basis for a direct link between the Infectious Diseases Register and the Cancer Registry. The IP therefore suggests that you try to regulate the matter.

Given that the Cancer Registry has a legal basis to obtain data from the CRPP, another, temporary solution could also be to obtain data from the CRPP database in the Cancer Registry. For the time being, complete, accurate and up-to-date data will be kept in the CRPP, which is a statutory source of data to which the Cancer Registry is supposed to be linked and from which you have already tried to obtain data on COVID-19 infection. Taking into account the legal basis for obtaining data specified in Annex 1 of the ZZPPZ for the NIJZ 25 - Cancer Registry records, data on COVID-19 infection could be transferred to the Cancer Registry by means of an appropriate storage medium directly from the Infectious Diseases Register, as it is a record that is a source of data for the CRPP. You do not need an IP permit for such a single or multiple transfer of personal data, but according to the legal basis for obtaining personal data from various databases set out in Annex 1 of the ZZPPZ for the NIJZ 25 - Cancer Registry records, you must ensure that, subject to measures to ensure the security of personal data, only those personal data are transferred to the Cancer Registry that are adequate, relevant and limited to what is necessary to achieve the purpose for which such transfer will take place (principle of integrity and confidentiality and principle of data minimisation).

Greetings,


Prepared:
Jože Bogataj,
Deputy Information Commissioner

Mojca Prelesnik, B.Sc. dipl. right,
Information Commissioner