Privacy & Data Security

This post originally appeared on our sister blog, Covington eHealth.

The European Commission has finally published its summary of 211 responses to its mobile health (“mHealth”) consultation. The summary and original responses to the consultation have been made available on the Commission’s website at
Continue Reading Summary Report of European Commission’s mHealth Consultation Published

The health sector handles substantial quantities of personal information, including information that is deemed to be “sensitive” under European data protection regimes.  For that reason, health care providers sometimes question their ability to take advantage of increasingly popular e-health cloud services.  While EU lawmakers are contemplating a “European Privacy Seal” – which could, if done properly, be useful for would-be cloud customers to assess the robustness of a cloud provider’s data protection measures – a leaked EU Council document revealed that discussions over the scheme are floundering.  We therefore learnt with interest from our colleagues at the InsidePrivacy blog that the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) jointly adopted a new standard this summer governing the protection of personal data processed in the cloud — ISO/IEC 27018 (“ISO 27018”).
Continue Reading E-Health Take Note: Standards Published For Personal Data In The Cloud

By Helena Marttila-Bridge and Oliver Grazebrook

Earlier this month, the UK’s Information Commissioner’s Office (“ICO”) released statistics showing that over 25% of the 335 data breaches reported between 1 April 2013 and 30 June 2013 came from the health sector.  This comes as no surprise considering that the last 12 months have seen a string of widely reported data breaches in the health sector that have resulted in the ICO issuing fines.  For example, in July, NHS Surrey was fined £200,000 for selling a laptop containing confidential patient details over eBay.

One explanation for these high figures is the fact that the English health sector, unlike many other sectors, is subject to mandatory reporting obligations following data breaches.  These reporting obligations have recently been updated, and from June 2013 onwards all public health sector bodies as well as their processors processing health and adult social care personal data have been required to use the Information Governance Toolkit Incident Reporting Tool (the Guidance for which is available here) administered by the Department of Health (“DoH”) to report certain data breaches to the DoH and the ICO.  The Guidance contains a checklist intended to help healthcare organisations decide whether the data breach needs to be reported, based on factors such as the number of people and the sensitivity of the clinical data involved.
Continue Reading New ICO Statistics Show an Unhealthy Rise in Data Breaches in the Healthcare Sector

Privacy Impact Assessments (PIAs) or data protection impact assessments used to be discussed in the context of specific technologies or industry sectors (see, for instance, the European Commission’s recommendations in relation to applications supported by radio-frequency identification (RFID) and the development of smart grids). However, this situation is about to change. PIAs are increasingly being promoted by national data protection authorities as an element of controllers’ accountability and, more importantly, they also feature in the European Commission’s proposal for a new General Data Protection Regulation (see InsidePrivacy Vote on EU Data Protection Regulation Again Postponed, June 21, 2013).
Continue Reading Privacy Impact Assessments – Soon Compulsory for Companies in the Life Sciences Industry?

As reported in an earlier post, the European Commission (EC) is conducting a study of the top ten most burdensome EU laws for SMEs. This is part of an initiative – the Regulatory Fitness and Performance Programme (REFIT) – launched by the Commission in 2012 to ease the regulatory burden on SMEs in Europe. On 18 June 2013, the EC published the final results of its study and issued a number of recommendations to improve and simplify existing legislation, including onerous and costly employee-related legislation. The Commission’s recommendations in the employment context include:
Continue Reading Commission Issues Recommendations Aiming to Improve Costly Employee-Related Legislation for SMEs

Since Apple launched the first iPhone in 2007, the popularity of smartphones and tablets has sky-rocketed.  These devices, with their sleek design, touch screens and easy access to a myriad of entertainment options, have fast become the preferred method of communication for executives.

In recent years, a growing number of companies have allowed employees to forgo the less glamorous and often outdated technology assigned by their IT department and instead access corporate emails and data on their personal devices – a practice known as “bring your own device” to work, or “BYOD”.

Continue Reading “Bring Your Own Device to Work” – Can Life Sciences Employers Safely Embrace the Trend?

In its recent Opinion 03/2013 on purpose limitation (the “Opinion”), the Article 29 Data Protection Working Party, an EU advisory body on data protection, comprised of representatives of the Member States’ supervisory authorities, the European Data Protection Supervisor and the European Commission, analyzes the principle of purpose limitation and provides guidance for its practical application.  The principle of purpose limitation is one of the key data protection principles of the EU Data Protection Directive, requiring that personal data be collected for:
Continue Reading What You Need to Know about the Article 29 Working Party’s Opinion on Purpose Limitation

By Helena Marttila-Bridge and Oliver Grazebrook

In recent years healthcare providers around the world have been looking into mobile health or “mHealth” solutions to increase productivity and reduce costs.  Examples of mHealth practices include the increased use of mobile devices by doctors and nurses to access and transmit patient health data and the use of mobile health apps by patients.

Earlier this year, the NHS published a report on mHealth, which shows the potential savings that could be achieved through the widespread adoption of mHealth applications.  According to the report, the trial use of mobile technology by a selection of UK hospitals showed an “improvement in general communication, improved access to clinical information and improved access to IT equipment.”  Importantly, users also showed a greater confidence in the security of the health data and an improvement in clinical safety due to the ready availability of up to date data.
Continue Reading The Rise of mHealth and Privacy Considerations

By Chris Bracebridge

In March 2013, the European Commission published preliminary results of its study of the top ten most burdensome EU laws for SMEs.  Employee-related legislation forms a significant part of that list, and is among the most costly and onerous.

The “top ten” study is part of an initiative — the Regulatory Fitness and Performance Programme (REFIT) — launched by the Commission in December 2012 to ease the regulatory burden on SMEs in Europe.  REFIT aims to scrutinize the European legislative and regulatory framework for gaps, burdens and inconsistencies in order to correct them.  The final results and any recommendations to improve and simplify existing legislation are due to be announced in June 2013.

In the employment context, the Commission is currently taking the following steps:
Continue Reading European Commission Set to Ease Regulatory Burden on SMEs: Key Implications for Life Sciences Employers