eHealth

UK Data Protection Regulator Surveys Use Of Smart Medical Devices

This post originally appeared on our sister blog, InsideMedicalDevices.

The UK Information Commissioner’s Office (ICO) has launched an informal survey of current practices relating to the use of data-enabled medical devices and apps.

The short and anonymous survey explores whether organisations have put in place specific policies and procedures, asset registers, IT security requirements for medical device procurement policies, information governance and incident response processes, and an “end of life” policy for defunct/decommissioned devices.

E-Health Take Note: Standards Published For Personal Data In The Cloud

The health sector handles substantial quantities of personal information, including information that is deemed to be “sensitive” under European data protection regimes.  For that reason, health care providers sometimes question their ability to take advantage of increasingly popular e-health cloud services.  While EU lawmakers are contemplating a “European Privacy Seal” – which could, if done properly, be useful for would-be cloud customers to assess the robustness of a cloud provider’s data protection measures – a leaked EU Council document revealed that discussions over the scheme are floundering.  We therefore learnt with interest from our colleagues at the InsidePrivacy blog that the International Standards Organization (ISO) and the International Electrotechnical Commission (IEC) jointly adopted a new standard this summer governing the processing of personal data in the cloud — ISO/IEC 27018 (“ISO 27018”).

European Regulators Set Out Data Anonymization Standards

This post was originally published on our sister blog, Inside Privacy.

On April 10, 2014, the Article 29 Working Party adopted an Opinion on anonymization techniques.  The Working Party accepts that anonymization techniques can help individuals and society reap the benefits of “open data” initiatives – initiatives intended to make various types of data more freely available – while mitigating the privacy risks of such initiatives.  Yet, the standard for anonymization proposed by the Working Party is not an easy one to meet, and the Working Party reiterates its belief that data will remain regulated personal data in the event a party – not necessarily the recipient of the data – is capable of associating it with a living individual.

The Working Party starts by pointing out that rendering personal data anonymous is a data processing operation in itself.  As a result, data controllers can only engage in such activity if the raw data concerned has been collected in compliance with applicable data protection laws.  In addition, based on existing data minimization obligations, data controllers should treat the application of anonymization techniques to data as a form of “further use”, compatible with the original use only if the anonymization technique is reliable.