2019 | OriginalPaper | Chapter

5. A Data Protection Perspective on Training in the mHealth Sector

Authors: Erik Kamenjasevic, Danaja Fabcic Povse

Published in: m_Health Current and Future Applications

Publisher: Springer International Publishing

Abstract

mHealth services have brought healthcare operators, professionals and patients numerous advantages and, at the same time, opened the door to new cyber-threats that may significantly affect a patient's health and life. Cyber-attacks often succeed because of human error and poor knowledge of cyber-security. Deploying innovative training for healthcare professionals could therefore raise the level of cyber-resilience. This chapter explores how healthcare operators may do so in a legally compliant manner by examining the implications of the new General Data Protection Regulation.

Footnotes
1
Arndt [2].
 
2
Reference [38].
 
3
Ibid, Articles 4(15) and 9.
 
4
Ibid, Article 4(15).
 
5
Reference [3], WP250 p. 6.
 
6
Ref [6].
 
7
ECSO [17].
 
8
Ibid, p. 8.
 
9
Meisner [36]. In her article, Meisner sets out a hypothetical scenario of the financial cost of a cyber data breach in a Polish hospital. These costs include forensic investigation, breach notification, post-breach patient protection, attorney fees and litigation expenses, regulatory compliance, cybersecurity improvements, loss of reputation and patient churn, and other potential costs, which in total amount to around 2.5 million euros.
 
10
See, for example: Ariu D et al. [1].
 
11
Article 4(7) of the GDPR: “‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law”.
 
12
Article 4(8) of the GDPR: “‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.
 
13
Articles 2 and 3 of the GDPR.
 
14
Article 4(2) of the GDPR.
 
15
Article 4(1) of the GDPR.
 
16
See, for example, Martínez-Pérez et al. [37].
 
17
Verhenneman et al. [45].
 
18
Ibid, p 29.
 
19
Veale and Binns [44].
 
20
Verhenneman et al. [45].
 
21
See Ref. [9].
 
23
Reference [10].
 
24
Section 26(1) of the Federal Data Protection Act.
 
25
Reference [15].
 
26
Recital 26 of the GDPR.
 
27
Article 24 of the GDPR.
 
28
Articles 33 and 34 of the GDPR.
 
29
Wu [42].
 
30
Vogiatzoglou et al. [47].
 
31
Custodio [12].
 
32
Gratian et al. [26]; Cain et al. [11].
 
33
Gratian et al. [26].
 
34
Reference [3].
 
35
Ibid, p. 6.
 
36
Unlike the prohibition of automated decision-making, which applies solely to purely automated processes, without human intervention.
 
37
Reference [4].
 
38
Ibid.
 
39
Reference [43]. See also Gold [25].
 
40
See European Convention on Human Rights and its Protocol No. 2: https://www.echr.coe.int/Documents/ConventionENG.pdf. Reference [20].
 
41
For example, in Ref. [19].
 
42
One of the most debated criteria in Europe is gender. The European Court of Human Rights has recently confirmed that “the advancement of gender equality is today a major goal in the member States of the Council of Europe” and that justification for disparate treatment based on gender must pursue a legitimate aim and be justified with “very weighty reasons”. A new Directive, addressing inequality and mandating equal treatment even between individuals, i.e., in the workplace, has been proposed by the European Commission. However, it has been debated for the last ten years and is currently being blocked by the Council. In that regard see, for example, Refs. [18] [34].
 
43
Jones [32].
 
44
Le-Khac et al. [35].
 
45
Kamp et al. [33].
 
46
Schermer [40].
 
47
Gutwirth and Hildebrandt [27].
 
48
See among others: Van der Hof and Prins [46]. Selbst and Powles [41].
 
49
See Art. 13, 14 and 15 of the GDPR, and the Article 29 Data Protection Working Party, Guidelines on Transparency under Regulation 2016/679, WP260rev.01, adopted on 29 November 2017 and as last revised and adopted on 11 April 2018. Reference [8].
 
50
Due to inconsistencies and unclear wording, it is contentious whether the right to an explanation exists in the GDPR. See: Selbst and Powles [41]; see also Wachter et al. [48].
 
51
Reference [5].
 
52
Reference [6].
 
53
See Article 4(11), Article 6(1)(a) and Article 7 of the GDPR.
 
54
Reference [7].
 
55
Finn and Jakobsson [24].
 
56
Resnik and Finn [39].
 
57
Recital 47 of the GDPR.
 
58
Reference [14].
 
59
Recitals 47 and 48 of the GDPR.
 
60
IAPP [30].
 
61
See Part I. 11 of the ESC: Everyone has the right to benefit from any measures enabling him to enjoy the highest possible standard of health attainable.
 
62
IAPP suggests a legitimate interests assessment (LIA) and provides a template. See Ref. [31].
 
63
Art. 6(3) of the GDPR.
 
65
Healthcare operators are subject to the NIS directive if they meet the criteria, laid down in its Article 5, and those in point (g) of Article 3 of Directive 2011/24/EU.
 
Literature
3.
Article 29 Data Protection Working Party, Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679
4.
Article 29 Data Protection Working Party, Opinion 03/2013 on purpose limitation, 2 April 2013
5.
Article 29 Data Protection Working Party, Guidelines on Transparency under Regulation 2016/679, WP260rev.01, adopted on 29 November 2017 and as last revised and adopted on 11 April 2018
6.
Article 29 Data Protection Working Party, Guidelines on data protection officers (DPO), WP243, 13 December 2016
7.
Article 29 Data Protection Working Party, Guidelines on Consent under Regulation 2016/679, WP259 rev.01, adopted on 28 November 2017 and as last revised and adopted on 10 April 2018
8.
Article 29 Data Protection Working Party, Guidelines on Personal data breach notification under Regulation 2016/679, WP250, p. 6
13.
Court of Justice of the European Union, Case C-210/16, Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v. Wirtschaftsakademie Schleswig-Holstein GmbH, 05.06.2018
14.
Court of Justice of the European Union, Case C-582/14, Patrick Breyer v. Bundesrepublik Deutschland
15.
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
16.
Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union
17.
ECSO, Cyber Security for the Healthcare Sector, WG3, Sectoral Demand, 2018
18.
Boyraz v. Turkey, ECtHR judgment of 2 December 2014, § 54
19.
European Union Agency for Fundamental Rights, Fundamental Rights Report 2018
20.
24.
Finn, P., Jakobsson, M.: Designing ethical phishing experiments. IEEE Technol. Soc. Mag. 26(1), 46–58 (2007)
25.
Gold, M.: Griggs' Folly: Essay on the Theory, Problems, and Origin of the Adverse Impact Definition of Employment Discrimination and a Recommendation for Reform. 7 Indus. Rel. L.J. 429 (1985)
26.
Gratian, M., Bandi, S., Cukier, M., Dykstra, J., Ginther, A.: Correlating human traits and cyber security behavior intentions. Comput. Sec. 73, 345–358 (2018)
27.
Gutwirth, S., Hildebrandt, M.: Some caveats on profiling. In: Gutwirth, S., Poullet, Y., De Hert, P. (eds.) Data Protection in a Profiled World, pp. 31–41. Springer, Dordrecht (2010)
32.
Jones, M.L.: A right to a human in the loop. Soc. Stud. Sci. 47(2), 216–239 (2017)
33.
Kamp, M., Krüffer, B., Meints, M.: Profiling of Customers and Consumers: Customer Loyalty Programmes and Scoring Practices. In: Hildebrandt, M., Gutwirth, S. (eds.) Profiling the European Citizen: Cross-Disciplinary Perspectives, pp. 201–215. Springer, New York (2008)
34.
Konstantin Markin v. Russia, ECtHR Grand Chamber judgment of 22 March 2012, § 127
35.
Le-Khac, N.A., Markos, S., Kechadi, M.T.: Towards a New Data Mining-Based Approach for Anti-Money Laundering in an International Investment Bank. In: Goel, S. (ed.) Digital Forensics and Cyber Crime. ICDF2C 2009. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol. 31. Springer, Berlin, Heidelberg (2010)
36.
Meisner, M.: Financial Consequences of Cyber Attacks Leading to Data Breaches in Healthcare Sector. CJFA 6(3), 70 (2017)
37.
Martínez-Pérez, B., et al.: Privacy and Security in Mobile Health Apps: a Review and Recommendations (2014)
40.
Schermer, B.: The limits of privacy in automated profiling and data mining. Comput. Law Sec. Report 27(1), 45–52 (2011)
42.
Wu, S.: A legal guide to enterprise mobile device management. ABA Section of Science & Technology Law, pp. 50–60 (2013); ISO/IEC 27002:2013, Information technology. Security techniques. Code of practice for information security controls (2013)
43.
46.
Van der Hof, S., Prins, C.: Personalisation and its Influence on Identities, Behaviour and Social Values. In: Hildebrandt, M., Gutwirth, S. (eds.) Profiling the European Citizen: Cross-Disciplinary Perspectives. Springer, New York (2008)
47.
Vogiatzoglou, P., et al.: DOGANA D5.3 Legal and Ethical Conditions for Cautious Organisations (2017)
48.
Wachter, S., Mittelstadt, B., Floridi, L.: Why a right to explanation of automated decision-making does not exist in the General Data Protection Regulation. International Data Privacy Law 7(2) (2017)
Metadata
Title
A Data Protection Perspective on Training in the mHealth Sector
Authors
Erik Kamenjasevic
Danaja Fabcic Povse
Copyright Year
2019
DOI
https://doi.org/10.1007/978-3-030-02182-5_5