What are the electronic cross-border health services in Europe?
In 2011 the European institutions adopted a new Directive (2011/24/EU) which ensures the continuity of care for European citizens across borders. This gives Member States the possibility to exchange health data in a secure, efficient and interoperable way.
The following two electronic cross-border health services are currently being progressively introduced in all European countries:
- ePrescription (and eDispensation) allows citizens in Europe to retrieve their medication in a pharmacy located in another European country, thanks to the online transfer of their electronic prescription from their country of affiliation (hereafter referred to as the country of residence) to their country of travel. Your country of residence is informed about the medicine you retrieve in the country of travel (eDispensation).
- Patient Summary provides information on important health-related aspects such as your allergies, current medication, previous illness, surgeries, etc. It will form part of a larger collection of health data called European Health Record, whose implementation across Europe is planned at a later stage. The digital Patient Summary is meant to provide doctors with essential information in their own language concerning the patient, when the patient comes from another EU country and there may be a linguistic barrier. In the longer term, not only the basic medical information of the Patient Summary, but the full Health Record should become available across the EU.
By 2021, services will be phased in in 22 EU countries: Austria, Belgium, Estonia, Germany, Greece, Ireland, Spain, Italy, Cyprus, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Slovenia, Hungary, Finland, France, Croatia, Czech Republic and Sweden.
The Opinion referred to in Article 42(2) of Regulation 2018/1725 answers three specific questions raised by the European Commission:
1. Should the making available and maintaining of the secured and encrypted connection TESTA-ng private network for the transmission of personal data of patients from one Member State to another be considered as a processing of personal data?
If the reply to the first question is affirmative:
2. Is it correct to consider the following two processing operations as separate, with possibly different controllers?
i. Processing of personal data of personnel from National Contact Points for eHealth for the purpose of managing their access rights to the eHDSI core services (see Annexes VII-IX for description of relevant processing activities);
ii. Processing of personal data of patients for the purpose of their exchange from one Member State to another.
3. Considering that Member States shall be regarded as joint controllers for the processing of patients’ data in eHDSI as confirmed by the Article 29 Data Protection Working Party in its opinion (see page 2 of Annex V), is it correct to consider as explained in the background information in this note that, with regard to the processing of patients’ data in the eHDSI, the Commission is a processor?
On the first question, the opinion is given by analysing the definition of personal data processing.
Having in mind the definition of “processing” in both the GDPR and Regulation 2018/1725, and given that the eHDSI system enables the exchange of electronic health data of European patients, in particular e-prescriptions and summaries of patient medical records, between national contact points using a secure private network (hereinafter TESTA) set up by the Commission, it can be stated that processing of personal data is taking place. Whether the Commission can access the data, or whether adequate safeguards are implemented for its transmission (such as a secured and encrypted connection), is practically irrelevant.
To answer the second question, the opinion defines and differentiates between the two scenarios and analyses whether these are two separate processing operations or whether they should be considered a ‘set of operations’.
With regard to the first processing operation, the purpose of managing access rights to the eHDSI core services needs to be analysed. Firstly, the concept of “core services” shall be clarified. According to Regulation 283/2014, core services are “central hubs of digital service infrastructures aiming to ensure trans-European connectivity, access and interoperability”. The eHDSI core services are provided by the Commission, and include the Configuration Services (hereinafter CS) and Central Terminology Server (hereinafter CTS).
The CS is used by each National Contact Point eHealth (hereinafter NCPeH) gateway to publish and store technical details and configuration information. By default, no personal data are stored, transmitted or processed through it. The CTS is used to store health code systems and the Member States’ translation of medical terms. It seems that the processing of personal data of staff from NCPeH is carried out with the sole purpose to enable user account management and authorisation mechanism within the eHDSI core services, without processing or personal data.
With regard to the processing of patients’ personal data, there are currently two means of use: ePrescriptions and electronic patients’ summaries. Thus, the personal data processed in this case concern patients’ health data. The purpose of such processing is embodied in the Agreement between National Authorities on the Criteria for the participation in Cross-border eHealth Information Services as “achieving a high level of trust and security, enhancing continuity of care and ensuring access to safe and high-quality safeguards” and “ensuring continuity of cross-border healthcare”.
Therefore, the purpose of the processing of personal health data of patients is to enhance and ensure the continuity of cross-border healthcare.
The two processing operations described above could in fact be considered as separate, since their purposes are clearly different. This may potentially lead to a different allocation of responsibilities among the actors involved.
The opinion on the third point is that, although the Commission is involved in some of the procedures relating to the development of technical and organizational decisions, as well as to the elements of system protection, it does not have the power to decide on the purpose or the main resources associated with this processing operation.
Here again the question of role assessment (controller versus processor) arises, which is, from a practical point of view, one of the most complex and difficult for both public and private entities.
When it comes to assessing the determination of the purposes and the means with a view to attributing the role of data controller, “while determining the purpose of the processing would in any case trigger the qualification as controller, determining the means would imply control only when the determination concerns the essential elements of the means. In this perspective, it is well possible that the technical and organizational means are determined exclusively by the data processor”.