EDPB-EDPS Joint Opinion 1/2019 on the processing of patients’ data and the role of the European Commission within the eHealth Digital Service Infrastructure (eHDSI)
1 EDPB - EDPS Joint Opinion 1/2019 on the processing of patients’ data and the role of the European Commission within the eHealth Digital Service Infrastructure (eHDSI) 2 TABLE OF CO NTENTS 1 Background ................................ ................................ ................................ ................................ ..... 3 2 Scope of the opinion ................................ ................................ ................................ ...................... 4 3…
How it connects
Related across sources
Full text
1 EDPB - EDPS Joint Opinion 1/2019 on the processing of patients’ data and the role of the European Commission within the eHealth Digital Service Infrastructure (eHDSI) 2 TABLE OF CO NTENTS 1 Background ................................ ................................ ................................ ................................ ..... 3 2 Scope of the opinion ................................ ................................ ................................ ...................... 4 3 Assessment ................................ ................................ ................................ ................................ ..... 5 3 The European Data Protection Board and the European Data Protection Supervisor Having regard to Article 42(2) of the Regulation 2018/1725 of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies , offi ces and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC , Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018, HAVE ADOPTE D THE FOLLOWING JOIN T OPINION 1 BACKGROUND 1. The eHealth Network is a voluntary network of responsible authorities for eHealth designated by Member States. The network is provided in Article 14 of Directive 2011/24/EU on patients’ rights in cross border he althcare. 1 The European Commission Implementing Decision No 2011/890/EU2 sets out the rules and the establishment, management and functioning of the eHealth network. 2 Among others, one of the main objectives of the eHealth network is to enhance interoperab ility between national digital health systems in exchanging patient s’ data contained in ePrescriptions 3 , Patient Summaries 4 and electronic health records. In this framework , and in order to facilitate such interoperability, the eHealth network and the Comm ission have developed an IT tool, namely the eHealth Digital Service Infrastructure (hereinafter eHDSI), in order to exchange health data under the Connecting Europe Facility programme 5 , also developed by the Commission. 2. In its Communication of 25 April 2018 6 , the Commission underlined the need to clarify the functioning of the eHDSI, as well as the role of the eHealth network concerning its governance. The draft Commission Implementing Decision repealing Commission Implementing Decision 2011/890/EU aims at clarifying the role of the eHealth network in the governance of the eHealth Digital Service Infrastructure, together with the data protection aspects in line with the General Data Protection 1 Directive 2011/24/EU of the European Parliament and of the Council of 9 March 2011 on the application of patients’ rights in cross - border healthcare, OJ L 88/45. 2 Commission Implementing Decision 2011/890/EU of 22 December 2011 providing the rules for the establishment, the management and the functioning of the network of national responsible authorities on eHealth, OJ L 344/48, 28.12.2011 3 ePrescriptions are medi cinal prescriptions issued and transmitted electronically. 4 Patient data summaries enable sharing information about the medical background and history of a patient from a country with a healthcare professional from another country. 5 Regulation (EU) No 13 16/2013 of the European Parliament and of the Council of 11 December 2013 establishing the Connecting Europe Facility, amending Regulation (EU) No 913/2010 and repealing Regulations (EC) No 680/2007 and (EC) No 67/2010, OJ L 348, 20.12.2013. 6 Communicati on from the Commission on enabling the digital transformation of health and care in the Digital Market; empowering citizens and building a healthier society, SWD(2018), 126 final, p.7. 4 Regulation 2016/679 (hereinafter GDPR) 7 and Regulation 2018/1 725 on the protection of natural persons with regard to the processing of personal data by the EU institutions, bodies, offices or agencies (hereinafter Regulation 2018/1725). 8 2 SCOPE OF THE OPINION 3. On 13 May 2019, the European Commission (Directorate - G eneral for Health and Food Safety, “SANTE”) submitted a request to the European Data Protection Board (hereinafter EDPB) and to the European Data Protection Supervisor (hereinafter EDPS) for a joint opinion in accordance with article 42(2) of Regulation 20 18/1725, on the data protection aspects of the draft Implementing Decision. The European Commission asked, in particular, three specific questions: i. In this particular case, should the making available and maintaining of the secured and encrypted connection TESTA - ng private network for the transmission of personal data of patients from one Member State to another be considered as a processing of personal data? If the reply to the first question is affirmative: ii. Is it correct to consider the following two p rocessing operations as separate, with possibly different controllers? o Processing of personal data of personnel from National Contact Points for eHealth for the purpose of managing their access rights to the eHDSI core services (see Annexes VII - IX for description of relevant processing activities); o Processing of personal data of patients for the purpose of their exchange from one Member State to another. iii. Considering that Member States shall be regarded as joint controllers for the processing of patients’ data in eHDSI as confirmed by the Article 29 Data Protection Working Party in its opinion (see page 2 of Annex V), is it correct to consider as explained in the background information in this note that, with rega rd to the processing of patients’ data in the eHDSI, the Commission is a processor? 4. The EDPB and the EDPS have had the opportunity, at different points in time, to address different aspects in relation to the processing of personal data within the eHe alth Network and the eHDSI itself. Following a request from the eHealth Network in June 2017, the EDPB, at the time still the Article 29 Working Party (hereinafter WP29), has had the opportunity to assess the agreement between national 7 Regulation (EU) 2016/679 of the European Parliament and of the Counc il of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L119/1, 4.5.2016. 8 Regulation (EU) 201 8/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and r epealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC, OJ L295/39, 21.11.2018. 5 authorities or organ isations responsible for national contact points for eHealth 9 , on the criteria required for the participation in Cross - Border eHealth Information Services. 10 A letter with recommendations concerning topics such as lawfulness and joint controllership was iss ued in April 2018. 11 The EDPS, on t he other hand, during the inter - service consultation of the draft Implementing Decision, has recently issued a set of informal comments, which have been sent to the Commission last December 2018. 12 Given that previous asses sments have been conducted on different aspects of the eHDSI, and that the processing of personal data within the system at stake entails certain specificities by an organisational and technical point of view, both bodies have agreed to address solely the three questions raised by the Commission. As such, the omission of any references, in this joint opinion, to any other aspects of the processing of personal data within the system does not signal either approval, nor disapproval from any of the two bodies. 5. Furthermore, the EDPB and the EDPS would like to underline that the present opinion concerns solely and exclusively the issues raised by the European Commission in its consultation and does not constitute an exhaustive evaluation of the processing ope rations within the eHDSI. This is without prejudice to any further assessments conducted by the EDPS, the EDPB or the national Supervisory Authorities. 6. Moreover, the EDPB and the EDPS would like to underline that the EDPS remains the entity responsible for the supervision of EU institutions, bodies, offices and agencies regarding the processing of personal data in the context of their mandates, as foreseen in Regulation 2018/1725. 13 As a result, any requests concerning compliance with, or implementation of any provisions regarding Regulation 2018/1725 should be addressed primarily to the EDPS. On the other hand, in line with the GDPR, the national Data Protection Authorities remain entirely responsible for the supervision of the processing of personal dat a within the eHDSI by the national contact points of the Member States part of the eHealth Network and using the platform. 7. Finally, the EDPB and the EDPS would like to point out that the assessment conducted in the context of this joint opinion is based solely on the documents provided by the European Commission, as well as on additional clarifications provided by DG SANTE upon request. 3 ASSESSMENT i. In this particular case, should the making available and maintaining of the secured and encrypted connection TESTA - ng private network for the transmission of personal data of 9 National contact points for eHealth means organisational and technical gateways for the provision of Cross - order eHealth Information Services under the responsibili ty of the Member States. 10 See Agreement between National Authorities or National Organisations responsible for National Contact Points for eHealth on the Criteria required for the participation in Cross - Border eHealth Information Services, available at: https://ec.europa.eu/health/sites/health/files/ehealth/docs/ev_20170509_co06_en.pdf 11 Article 29 Data Protection Working Party, letter to eHealth Network, available at: https://ec.europa.eu/newsroom/article29/document.cfm?action=display&doc_id=52057 12 EDPS informal comments on the Commission draft implementing de cision repealing Commission Implementing Decision 2011/890/EU providing the rules for the establishment, the management and the functioning of the network of national responsible authorities on eHealth, 12 December 2018. 13 See article 52 of Regulation 2018 /1725. 6 patients from one Member State to another be considered as a processing of personal data? 8. The definiti on of “processing” both in the GDPR and Regulation 2018/1725 means “ any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structur ing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction ” of data. 14 According to the information provided by the European Commission in its request, including in the draft Implementing Decision, the eHDSI system enables the exchange of electronic health data of European patients, in particular e - prescriptions and summaries of patient medical records, between nat ional contact points, using a secure private network (hereinafter TESTA), set up by the Commission. 15 Therefore, if personal data are being made available through a private network, it results that these are being processed, independently of the fact that t he Commission may or may not have access to it, or of adequate safeguards implemented for its transmission (such as a secured and encrypted connection). 9. It is relevant to address here the issue of the encryption of the private network connection mentio ned by the Commission. Encryption is a commonly known technique used to protect the confidentiality of the transmitted information, thus of the personal data involved. The EU legal framework imposes a duty to secure the personal data 16 by implementing the a ppropriate technical and organizational measures on a risk - based approach. The implementation of encryption techniques as referred to in article 33 par.1 (c) of Regulation 2018/1725 is the process of encoding the information where personal data are included in such a way that only authorized parties may access it. Moreover, it does not affect the fact that personal data, even though encrypted, are still personal data. ii. Is it correct to consider the following two processing operations as separate, with possib ly different controllers? a. Processing of personal data of personnel from National Contact Points for eHealth for the purpose of managing their access rights to the eHDSI core services; b. Processing of personal data of patients for the purpose of their exchange from one Member State to another. 10. In order to properly answer the question asked by the Commission, it is necessary to define the two different scenarios presented and analyse whether they are two separate processing operations, or on the con trary, these should be considered as a ‘set of operations’. 11. With regard to the first processing operation, the purpose of managing access rights to the eHDSI core services needs to be analysed. Firstly, the concept of “core services” shall be clarifie d. According to Regulation 283/2014, core services are “ central hubs of digital service infrastructures aiming to 14 See article 3(3) of Regulation 2018/1725 and article 4(2) GDPR. 15 See information provided in the request letter; see information provided in recitals (5), (6) and (7) of the draft Implementing Decision. Please note that the numbering may be subj ect to changes in the adopted version of the document. 16 See article 33 of Regulation 2018/1725 and article 32 GDPR. 7 ensure trans - European connectivity, access and interoperability ”. 17 The eHDSI core services are provided by the Commission, 18 and include the Co nfiguration Services (hereinafter CS) and Central Terminology Server (hereinafter CTS). The CS is used by each National Contact Point eHealth (hereinafter NCPeH) gateway to publish and store technical details and configuration information. As a specificati on, no personal data are stored, transmitted or processed through it. The CTS is used to store health code systems and the Members States’ translation of medical terms. Semantic experts appointed by the Member States’ authorities have access to the CTS upo n request to the Commission; however, they have no access to patients’ personal data. Likewise, access rights are also granted to experts appointed by Member States with regard to the eHDSI Test Platform, a tool for users’ registration to the eHDSI test ev ents 19 and to grant them access to the restricted area of the eHDSI ArtDecor platform, which supports the creation and maintenance of templates and commonly agreed formats between the Member States. In sum, according to the documents provided, it seems that the processing of personal data of staff from NCPeH is carried out with the sole purpose to enable user account management and authorisation mechanism within the eHDSI core services. 12. According to the documents provided by the Commission, with regard t o the processing of patients’ personal data, there currently are two use cases: ePrescriptions and electronic patients’ summaries. Thus, the personal data processed in this case concern patients’ health data. The purpose of such processing is embodied in t he Agreement between National Authorities on the Criteria for the participation in Cross - border eHealth Information Services (hereinafter “the Agreement”) as “ achieving a high level of trust and security, enhancing continuity of care and ensuring access to safe and high - quality safeguards ” and “ ensuring continuity of cross - border healthcare ”. 20 This purpose is envisaged in Article 14.2. of Directive 2011/24/EU. Therefore, from the documents provided, it stems that the purpose of the processing of personal he alth data of patients is to enhance and ensure the continuity of cross - border healthcare. 13. In line with the information made avail able and following the analysis , it appears that the two processing operations described above could in fact be considered as separate, since their purposes are clearly different. This may potentially lead to a different allocation of responsibilities among the actors involved. iii. Considering that Member States shall be regarded as joint controllers for the processing of patien ts’ data in eHDSI as confirmed by the Article 29 Data Protection Working Party in its opinion (see page 2 of Annex V) 21 is it correct to consider as explained in the background 17 Article 2.1(d) of Regulation (EU) No 283/2014 of the European Parliament and of the Council of 11 March 2014 on guidelines for trans - Euro pean networks in the area of telecommunications infrastructure and repealing Decision No 1336/97/EC. 18 Governance model for eHDSI during the CEF funding as adopted by the eHealth Network on 21 November 2016, p. 11. 19 Draft Data Protection Record of eHDSI T est Platform. 20 Clauses I.1(1) and I.1(4) of the Agreement between National Authorities or national Organisations responsible for National Contact Points for eHealth on the Criteria required for the participation in Cross - Border eHealth Information Service s. 21 Please note that, while the EDPB has not expressly confirmed the existence of joint controllership in its letter assessing the agreement mentioned in footnote 10 , it has stated the following: “ The Working Party acknowledges that both the Member State of affiliation [...] and the Member State of treatment [...] are involved in this process and therefore share the responsibility of ensuring that the fundamental right to privacy of the individual is protected in accordance with the relevant data protectio n law.” 8 information in this note that, with regard to the processing of patients’ data in the eHDSI, the Commission is a processor? 14. In order to answer this question, it is necessary to analyse the actual role of the Commission with regard to the processing o f patients’ data in the eHDSI. As stated by the WP29 in Opinion 1/2010 on the concepts of “controller” and “processor”, “ the role of processor does not stem from the nature of an entity processing data but from its concrete activities in a specific context . ” 22 Furthermore, the Opinion also states that, when it comes to assessing the determination of the purposes and the means with a view to attribute the role of data controller, “ while determining the purpose of the processing would in any case trigger the q ualification as controller, determining the means would imply control only when the determination concerns the essential elements of the means. In this perspective, it is well possible that the technical and organizational means are determined exclusively by the data processor ”. 23 15. The decision to use the eHDSI system was agreed upon by the voluntary members of the eHealth Network in the Agreement, as part of the eHealth network objectives foreseen in article 14(2) of Directive 2011/24/EU. In this regard , it is noteworthy to mention that the type of data to be exchanged, listed as an essential element of the means according to the WP29, was also decided by the eHealth Network in the Guidelines adopted for that purpose. It is for the eHealth Network to set the priorities of the eHDSI and oversee its operations, being also responsible for deciding on guidelines on the operation of the eHDSI and the strategy regarding the standards used. 24 Moreover, in accordance with article 4 of the draft Implementing Decisi on, 25 it may provide guidance on the security of the eHDSI and facilitate greater interoperability by agreeing which requirements, specifications and standards should be used to achieve technical, semantic and organisational interoperability between nationa l digital healthcare systems. 16. In this regard, Article 6 of the draft Implementing Decision states that the Commission shall provide support to the eHealth Network, composed by representatives of Member States, in relation to the tasks referred to in Ar ticle 4. 26 In its letter of 11 April 2018 assessing the Agreement, the WP29 also acknowledged that, as supplier of the network infrastructure provided for the transmission of health data, the Commission has “ a certain degree of involvement ” in the processin g of personal data, “ also in terms of defining security and communication standards ”. 27 Furthermore, the Commission is responsible for the development and maintenance of the eHDSI core services. According to Article 6 of the draft Implementing Decision, thi s entails “ developing appropriate technical and organisational measures related to the core services of the eHDSI ”, among other tasks. Thus, the Commission is in 22 WP 169 Opinion 1/2010 on the concepts of “controller” and “processor”, p. 25. Please note that this opinion is currently under revision. 23 WP 169 Opinion 1/2010 on the concepts of “controller” and “processor”, p. 14. Please note that this opinion is currently under revision. 24 Governance model for eHDSI during the CEF funding as adopted by the eHealth Network on 21 November 2016, p. 8. 25 Ple ase note that the numbering of the articles in the draft Implementing Decision may be subject to changes in the adopted version of the document. 26 Idem . 27 WP29 Letter of 11 April 2018 regarding the Agreement between National Authorities on the Criteria req uired to participate in Cross - Border eHealth Information Services, p. 4. 9 charge of the technical planning and programming of the DSI’s software and services, 28 includin g the provision of the TESTA - ng private network. As seen above, personal health data are transmitted via the TESTA - ng private network from one NCPeH to another, through an encrypted channel established between both NCPeHs as an additional safeguard. The en crypted channel will be set up in a technical way that will guarantee that the Commission cannot access the personal health data in clear text . 29 17. Therefore, in the present case, and based on the documentation provided, it appears that, even though the Commission is involved in some of the procedures regarding the development of technical and organisational solutions, as well as the systems’ security elements, it does not have decision - making power in terms of defining the purpose or the essential means related to this processing operation. Thus, as the EDPS also states in its informal comments from December 2018, 30 given the legal framework related to the definition of the purposes and means of the infrastructure, and the strict limitations of the Commiss ion’s tasks to ensure the security of the core services of the eHDSI, the EDPB and the EDPS consider that, in this specific situation and for the concrete operation of the processing of patients’ data within the eHDSI, there is no reason to dissent from th e Commission’s assessment. 18. Finally, the EDPB and the EDPS take note that the Commission has chosen to revise an adopted Implementing Decision in order to clearly clarify its role within this processing operation and to set the rules governing its role as a processor, including those laid down in points (a) to (h) of Article 29(3) of Regulation 2018/1725 (“Processor”). Nevertheless, the EDPB and the EDPS ask the Commission to make sure that all its duties, as specified in the applicable data protection legislation, as a processor of this processing operation , be set in the draft Implementing Act. 28 Governance model for eHDSI during the CEF funding as adopted by the eHealth Network on 21 November 2016, p. 11. 29 The documents sent to WP29 which describe the system, p. 7. 30 EDPS informal comments on the Commission draft implementing decision repealing Commission Implementing Decision 2011/890/EU providing the rules for the establishment, the management and the functioning of the network of national responsible authorities on eHeal th, 12 December 2018.