New regulations? A key office wants to reward better data protection in healthcare.

- The President of the Personal Data Protection Office calls for rewarding medical facilities that apply approved GDPR codes of conduct; the aim is to raise the security of patient and employee data.
- Codes of conduct set out what is legal and ethical in a given sector, and applying one can reduce the risk of financial penalties.
- So far, two codes have been approved for the medical sector, and another for the pharmaceutical sector is under consultation.
"Awarding points for taking additional actions to secure data would be a good step towards strengthening the rights of patients and medical sector employees, as well as the cybersecurity of these services, which are critical to society," says Mirosław Wróblewski, President of the Personal Data Protection Office.
In a statement published on the office's website, he appealed to the Minister of Health to amend the regulations so that bonuses can be awarded to medical facilities that apply so-called codes of conduct or hold certificates within the meaning of the General Data Protection Regulation (GDPR).
The head of the Personal Data Protection Office (UODO) points out that he was recently forced to impose fines on medical facilities for failing to implement appropriate organizational and technical measures to protect the personal data of patients and employees.
"This demonstrates that a problem exists. Meanwhile, codes can support medical entities by demonstrating what is correct, legal, and ethical in their specific sector's activities. They also strengthen the trust of data subjects," argues Mirosław Wróblewski.
He adds that similar benefits for controllers and processors arise from certification, in which personal data processing operations are assessed against certification criteria and a certificate confirms compliance. No entity has yet applied to the President of the UODO for approval of certification criteria. The President of the UODO is cooperating with the Polish Centre for Accreditation in this area.
GDPR codes of conduct must be approved by the President of the Personal Data Protection Office. The benefit of applying an approved code is greater protection for the personal data controller against potential fines: when imposing a fine, the supervisory authority always considers whether the entity has properly applied the approved code of conduct to which it has subscribed.
To date, two codes of conduct have been approved, both for entities in the healthcare industry. The first was a code for the healthcare sector for small medical facilities (proposed by the Zielona Góra Agreement), and the second was a code for entities performing medical activities and processing entities (proposed by the Polish Hospital Federation).
As Rynek Zdrowia has reported, consultations on the code of conduct for the pharmaceutical sector, initiated by the Employers' Association of Innovative Pharmaceutical Companies INFARMA, are ongoing until August 18 this year.