
E-HEALTH IN THE CLOUD

NVvIR voorjaarsvergadering
17 June 2010 - Amsterdam
Avv. Dr. Paolo Balboni: TILT, EPA & IIP
www.europeanprivacyassociation.eu
www.istitutoitalianoprivacy.it
www.paolobalboni.eu
paolobalboni@istitutoitalianoprivacy.it

Introduction (i)
In order to fulfil European recommendations and national requirements, and to exploit the full value of e-health services, interoperability between different local and national Electronic Health Records (EHRs) has to be guaranteed (...)

Introduction (ii)
Given the strong focus on interoperability and the potential business-efficiency impact of cloud models, a number of Local Healthcare Authorities (LHAs) are considering jointly entering into an agreement with a national telco for the creation of their own cloud (...)

Introduction (iii)
(...) The LHAs plan to migrate to the cloud services, i.e., EHRs, EHFs, online reservation of health examinations and other less critical services, e.g., back-end services, HR, payroll, e-learning.

Structure of the Presentation

1. EU Regulatory Background
2. ENISA GovCloud Project
3. e-Health Scenario
4. Nailing Data Protection Issues
5. Few Preliminary Considerations
6. Q&A

EU Regulatory Background

- "Better informed, more efficient, patient focused, a European market"
- E-Health action plan: COM(2004) 356 e-Health - making healthcare better for European citizens: an action plan for a European e-Health Area
- i2010 Subgroup on eHealth
- Lead Market Initiative - eHealth
- Article 29 WP (WP 131/2007) Working Document on the processing of personal data relating to health in electronic health records (EHR)
- COM(2008) 414 Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the application of patients' rights in cross-border healthcare
- COM(2008) 415 A Community framework on the application of patients' rights in cross-border healthcare
- Study on the Legal Framework for Interoperable e-Health in Europe (2009)

ENISA GovCloud Project (i)

Aim
To analyse and evaluate the impact that cloud computing has on the resilience and security of services in a governmental organisation, and to provide recommendations and good practices for EU MSs planning to migrate to cloud computing.

Subject
Both services to citizens (eGov) and internal IT services (back end) are considered.

ENISA GovCloud Project (ii)

Legal Aspects
Legal aspects are NOT the main focus of the paper, which is security and resilience.
We are going to publish an annex to the main report with data protection and legal considerations.

Background
The project is to be considered a follow-up action to the work done by ENISA during 2009 and, in particular, to the report: Cloud Computing: Benefits, risks and recommendations for information security.

E-Health Scenario
The analysis will be based on 4 cases/scenarios:

1. E-Health: Local and Regional Healthcare Authorities
2. Local and Regional Public Administrations
3. Gov Cloud Computing as a Service
4. Supra-National Cloud

E-Health questionnaire to be distributed to 2 Italian LHAs, NICTIZ and the Rotterdam regional healthcare network.

Nailing Data Protection Issues

Data Controller - Data Processor (Who is who?)

- Article 2 (d) and (e) Directive 95/46/EC
- Article 29 WP: Opinion 1/2010 on the concepts of "controller" and "processor"
- EDPS: Data Protection and Cloud Computing under EU law, speech delivered by Peter Hustinx at the Third European Cyber Security Awareness Day, Brussels, 13 April 2010
- Article 29 WP: Work Programme 2010-2011

Nailing Data Protection Issues

Does EU law apply?

(a) if the data controller has a relevant establishment in the EU and (b) if it uses equipment in the EU. Thus:

- A cloud provider established in the EU - or acting as processor for a controller established in the EU - will in principle be 'caught' by EU law.
- A cloud provider which uses equipment (such as servers) in an EU Member State - or acting as processor for a controller using such equipment - will also be caught.
- A cloud provider in other cases - even if it mainly and mostly targets European citizens - would not be caught by EU law.

(Peter Hustinx - EDPS)

Nailing Data Protection Issues

Safeguards for Data Subjects

- Right to create an EHR and/or EHF
- Entities Processing the Data
- How to access the EHR and/or an EHF
- Data Subjects' Rights
- Limitations on Data Dissemination and Cross-Border Data Flows
- Information Notice and Consent
- Security Measures
- (Communications to the Local DPAs)

Few Preliminary Considerations

Key Issues
- Limitations on Data Dissemination and Cross-Border Data Flows
- Security Measures (CAMM Project)

Thanks for your attention!

Q&A