Sebastiaan van der Storm

18 Chapter 1 PART IA: EUROPEAN LEGISLATION

General Data Protection Regulation

In several apps, personal data is used as input and sometimes even as output. For example: the covid-19 status of someone passing through the street, including the date and time of the encounter. Using or processing personal data has to be done in compliance with the General Data Protection Regulation (GDPR).10 The GDPR was adopted on April 14th 2016 and came into effect on May 25th 2018. The GDPR is a regulation on data protection, based on the principle that the individual is and remains the owner of their data. The GDPR unifies law at the European level, superseding the Data Protection Directive 95/46/EC.11

Most patient data qualifies as special personal data. Under the GDPR the processing of health data is prohibited, unless one of the exceptions in Article 9 of the GDPR is applicable.10,12 For example: the subject - in this scenario the patient - gives unambiguous consent to use their data, and the reasons for processing the data outweigh the risks related to processing the data. It is necessary to have appropriate protection measures in place when processing data. The GDPR rests upon pillars such as the ‘Data protection by default’ and ‘Data protection by design’ principles (Art. 25 of the GDPR).10

Sometimes, data is only used temporarily as input to generate output, such as a risk score, prognostic value, or therapeutic advice. It is important to keep in mind that software manufacturers, or the hosts of the server where the data is processed, can have temporary access to the data while processing it and as a result become the data processor.9 As an organization or health institution providing a medical app (defined as the data controller), it is important to have a data processing agreement with the processor in place.10,13

It is also possible that data is stored longer or even permanently. Data storage usually takes place on a server, which is sometimes owned by the health institution itself. However, commercial applications often rely on third parties to facilitate the use of apps and the related data storage. The server where data is stored must be compliant with the requirements formulated within the GDPR, see Table 1. Companies offering data storage in compliance with the GDPR can be recognised by certain certifications. These certifications are granted for a standardized period by certifying bodies if companies comply with the standards published by the International Organization for Standardization (ISO) or the International Electrotechnical Commission (IEC). ISO/IEC developed and published worldwide standards for the GDPR requirements. Examples of such certifications include ISO/IEC 27001 for information security management. ISO/IEC 27002 provides the control mechanisms for implementing the information security described in ISO/IEC 27001. Not all software manufacturers have experience building medical apps and with the associated specific guidelines regarding the protection of patient data. Therefore, it
