GDPR and the protection of sensitive personal data in the Czech health care system
There are many significant shortcomings in how the Czech health care system complies with Regulation (EU) 2016/679 (GDPR). While other sectors are currently discussing the adoption of state-of-the-art IT security controls, doctors' practices and hospitals often lag considerably behind. Medical records are routinely kept on a doctor's personal laptop without any security measures. Medical data are shared wirelessly between doctor and nurse over a home network, and unencrypted data are sent through free-of-charge e-mail services. In larger hospitals, even where security rules have been adopted, they are often merely formalistic and ignored by the medical staff.
The use of data for research, science and health care system management is insufficiently regulated. The prevailing attitude is that experts or the state are entitled to use medical data for any purpose considered beneficial or professionally attractive. Privacy protection is equally insufficient in the context of electronic medical records, telemedicine services, medical records kept in remote (cloud) storage, and medical data transmitted from implanted or wearable monitoring devices. Recordings of patients from hospital CCTV systems and samples of material of human origin may also qualify as sensitive personal data.
Managers and data security experts should enforce GDPR compliance within their medical facility and explain to the medical staff why it is necessary. The point is not merely the risk of fines, but above all the prevention of intrusions into patients' privacy and of damage to the trust between doctor and patient. To that end, establishing a “code of data protection” can help, provided that it is specific to organisations in the health care sector, comprehensible to medical staff and acceptable to the regulator.
Ondřej Dostál, PwC Legal
JUDr. Ondřej Dostál, Ph.D., LL.M. (*1979) graduated from Charles University in Prague and also studied law in Austria and the USA. He is the author of numerous health law publications both in the Czech Republic and abroad. Since 2003 he has taught health law and policy at Charles University in Prague and at the Institute of Postgraduate Education in Medicine, and he frequently lectures for physicians, health and pharma industry managers, insurance funds, hospitals and patient groups. He currently works as Head of the Pharmaceutical and Healthcare Practice at PricewaterhouseCoopers Legal s.r.o., dealing primarily with issues of health care organisation and financing, health care reimbursement and e-health projects.