article / 01 May 2015

See your doctor in the “cloud” – click send and say aahhh!


The non-physical physical is an up-and-coming reality for many of us. That is, going to the doctor’s surgery or – even more exotic – having a doctor coming to your house to give you a consultation and a prescription may soon be a thing of the past. No, in the future, like so many other things, you will be doing it on the Internet – a blessing for some, no doubt. Recent developments in this field have laid bare a number of issues including the processing and storage of patient data.


Processing of data

One issue is processing. The processing of data is regulated by the Data Protection Act, which implements directive 98/34/EC. Patient data is sensitive data that is regulated specifically by the Patient Data Act. This legislation limits access to patient data, basically stipulating a strict ‘need to know’ basis for access. The principle is that patients’ data should not be made accessible unless the patient has given his or her express consent, nor should it be made accessible to a greater extent than necessary. Furthermore, it should be possible to vary the accessibility on the basis of the need a particular official may have for the information.

  • There must also be efficient tools for follow-up and traceability of access. The identification of the user must comply with security restrictions.
  • There should be technical “barriers”, meaning that the user must make active choices in order to reach data about a particular patient.
  • There should be tools to handle patients’ requests.
  • There must be procedures to handle secrecy-marked personal data so that the risk of sharing such data with an unauthorised person is minimised.
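The four requirements above map directly onto an access-control layer. The following is an added illustration, not code from the article or from any real health-care system: a small record gateway in which a user must actively name one patient (the “barrier”), consent and a stated purpose are checked, secrecy-marked records require a dedicated role, and every attempt, allowed or denied, is logged so that access can be traced and patients’ requests answered. Roles, patient ids and sample data are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed example (not from the article): a minimal record gateway that
# applies the four requirements above. Roles, ids and data are assumptions.

@dataclass
class Patient:
    patient_id: str
    consented_roles: set            # roles the patient has expressly allowed
    secrecy_marked: bool = False    # e.g. protected identity: extra restriction

@dataclass
class RecordGateway:
    patients: dict
    audit_log: list = field(default_factory=list)
    # There is deliberately no "list all patients" operation: a user must make
    # an active choice by naming one patient id (the technical "barrier").

    def open_record(self, user, role, patient_id, purpose):
        """Default-deny access decision; every attempt is logged for traceability."""
        patient = self.patients.get(patient_id)
        allowed, reason = False, "unknown patient"
        if patient is not None:
            if patient.secrecy_marked and role != "secrecy_officer":
                reason = "secrecy-marked record requires the dedicated role"
            elif role not in patient.consented_roles:
                reason = "patient has not consented to access by this role"
            elif not purpose.strip():
                reason = "a purpose of access must be stated"
            else:
                allowed, reason = True, "consented role with stated purpose"
        self.audit_log.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "patient": patient_id,
            "purpose": purpose, "allowed": allowed, "reason": reason,
        })
        return allowed

    def accesses_to(self, patient_id):
        """Tool for patients' requests: who tried to read my record, and was it allowed?"""
        return [e for e in self.audit_log if e["patient"] == patient_id]

def build_demo():
    """Two constructed patients: one ordinary, one secrecy-marked."""
    return RecordGateway(patients={
        "P-001": Patient("P-001", {"physician", "nurse"}),
        "P-002": Patient("P-002", {"physician"}, secrecy_marked=True),
    })
```

Denied attempts are logged with the same detail as granted ones; the denial reason is what a follow-up review would act on.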


Storage in the cloud

The other issue is storage. It is, of course, tempting to use one of the available cloud services for storage of patient data. The Swedish Data Protection Agency has issued guidelines on the topic of cloud services generally.

First of all, when a data controller stores data in the cloud it relinquishes control of the data, but is still its controller. The cloud provider becomes a data processor. The data controller must therefore enter into an agreement whereby it gives instructions to the processor as to the processing of the data. Cloud providers often use standard agreements with predetermined user conditions, and appoint subcontractors – both of which you have to know, or at least know about. The providers are typically reluctant to amend or alter these agreements – especially for small or medium-sized companies. You also have to consider that the data might be transferred to a third country. Mostly this is the U.S.A., and Google, for example, is party to what is known as the ‘Safe Harbor list’. So that normally turns out all right.

But you have to do your homework. First, is the processing of the data, which is to be carried out by the cloud service provider, permitted under the Personal Data Act? Secondly, you have to carry out a risk and impact assessment to assess whether it is possible for you to appoint the cloud service supplier for processing of the personal data envisaged, what security level is appropriate and what measures need to be taken. Remember, the greater the privacy risks a particular element of personal data processing involves, the greater the requirements for security measures. Then, onward to the agreement!


Agreement with the cloud service provider

According to the Data Protection Agency the processor agreement shall

  • prescribe that the processor is obliged to apply Swedish legislation with regard to the processing of personal data;
  • prescribe that the processor is obliged to take appropriate security measures in accordance with Section 31 of the Personal Data Act;
  • prescribe that the processor may only process personal data in accordance with the instructions of the controller of the personal data and thereby ensure that the processor does not process personal data for purposes other than those for which the processor has been appointed;
  • ensure that the controller has knowledge of which other processors may come to process the personal data of the controller;
  • ensure that the controller of personal data has the opportunity to monitor, in an appropriate manner, that the processor meets the requirements of the controller with regard to the personal data processing and actually takes appropriate security measures;
  • ensure that there are technical and practical solutions for investigating suspicions that someone has had unauthorised access to personal data; and also
  • ensure that the parties know what measures are to be taken upon the termination of the agreement so that the personal data processor does not have access to the personal data beyond that point in time.


Call your lawyer

With the Data Protection Authority’s supervision of the use of cloud services, the standard agreements are now getting better and better – at least according to the Authority. But with patient data you have to be absolutely sure, and how do you do that? Well, you need to limit the scope of processing done by the processor. You also have to ensure that you can follow up the processing, e.g. check that the processor is following your instructions, ensure limitation of access to and use of the data by and for the processor, and finally get information about the subcontractors the processor uses.

Do not forget your own processing. Make sure that the cloud service does not prevent you from complying with the requirements concerning patient data and make sure that your own safety measures are also adequate and in place.

And another thing: do not try to “heal yourselves”. Read this sentence again and call your lawyer in the morning!
