Privacy & Information Security Law Blog

On January 25, 2012, the Article 29 Working Party (the “Working Party”) issued a Working Document providing guidance on data protection issues relating to the European Patients Smart Open Services (“epSOS”) project. epSOS is a pilot project focused on developing an information and communications technology infrastructure that enables access to patient health information (i.e., Patient Summaries) among different EU Member States for the purpose of providing medical treatment. The project also aims to facilitate the cross-border use of electronic prescriptions (i.e., ePrescriptions). epSOS involves the collaboration of a significant number of health care provider organizations and companies that contribute their knowledge and expertise to the project.

Below are some key conclusions of the Working Party related to the processing of patient data in the context of the epSOS project:

• The legal basis for the processing of health data (which are sensitive data) should be a “two-steps-consent;” the first consent is for participating in the program and the second consent is for receiving actual treatment. The second consent may not be required if the treatment is necessary to protect a patient’s vital interests or if the patient is incapable of giving his or her consent in the event of an emergency.
• The processing of health data must be strictly limited to the minimum necessary to fulfill the epSOS purposes (purpose limitation principle). Access to the data by data controllers (e.g., health care providers) must be based on a real need to access specific data related to the care or treatment of the individual (proportionality principle).
• The epSOS project should decide on a maximum retention period for the health data involved in the project, as well as a common procedure regarding what will happen to the data when the retention period ends.
• Patients should be sufficiently informed about the processing of their data and should be able to exercise their rights of access, correction, erasure and blocking of data through any of the data controllers (transparency principle). A data controller that does not handle the data of a patient exercising such rights should forward the relevant request to the controller in charge.
• A high level of technical and organizational measures must be ensured, including clear instructions for staff using the epSOS system, secure communication protocols and end-to-end encryption for data exchanges, strong authentication mechanisms, logging and audit mechanisms (especially when data are accessed in emergency cases without the required authorizations), professional secrecy obligations, and measures ensuring that pharmaceutical operators can only access digital prescriptions for providing the prescribed medicines.
• A participating health care provider is a data controller for the disclosure and retrieval of patients’ data and therefore must notify the appropriate data protection authority of its processing activities regardless of whether the relevant data originated from a data controller in another EU Member State.

View a copy of the Working Document.