
New Zealand Privacy Commissioner investigates complaint about health data storage

New Zealand’s Privacy Commissioner has launched an investigation following a complaint lodged by four New Zealand and Australian IT healthcare companies. Primary health organization ProCare Health (PHO) is accused of having stored private information of over 800,000 Auckland patients in a large database. Data including names, addresses and financial information is alleged to have been endangered, although the PHO strongly denies that patient information has been compromised and maintains that the data was legitimately collected with the patients’ consent. A representative of the Ministry of Health declared that they were aware of the issue. The Privacy Commissioner is expected to decide whether it represents an infringement of the NZ Health Information Privacy Code.

A link to the original NZ Herald article is available here

Europe and Japan start adequacy decision procedure

Europe and Japan have reached one of the most important goals of mutual recognition in the area of privacy law, having considered each other’s system of protection as equivalent. Although the procedure has just been launched, reciprocal evaluation of an equivalent data protection system will have a major impact on the data economy and foster the circulation of data. Data flows between countries have been in focus lately, as the GDPR requires strong proof of adequate protection from non-EU countries. The draft is expected to be approved, but this will require several steps, including the opinion of the European Data Protection Board.

The European Commission’s press release is available here

French CNIL presents brand new reference methodologies for processing health data

Five new reference methodologies have been adopted and presented by the French CNIL to reduce the formalities related to data processing in health research. The aim is to “provide a secure framework for the implementation of research treatments in the field of health” after the GDPR required an adaptation of the legislative environment. Simplifying formalities in the field of health research has been a priority for the Commission, and the adoption of these methodologies is intended to build a framework favourable to researchers and innovators.

A link to the CNIL website is available here (in French)

LabCorp fears massive data breach

On July 16, LabCorp, a healthcare diagnostics company, announced that suspicious activity detected on its information technology network had triggered the preventive measure of taking certain systems offline to contain the activity and reduce the risk of a wider network breach. The response affected the full functioning of the system, including test processing and customer access. Although there is no evidence of unauthorized transfer or misuse of data, LabCorp has already notified the authorities and declared that it will cooperate in any investigation. Considering that the company processes the information of more than 2.5 million patients per week, the main concern is the possible exposure of millions of health records kept to provide diagnosis, drug development and technology-enabled solutions. In August 2017, the data of 1.2 million NHS patients was hacked.

A link to the form sent to the U.S. Securities and Exchange Commission is available here

Lithuania introduces new law on legal protection of personal data

On July 16, the new Lithuanian data protection law entered into force. Its 35 articles are mostly focused on the powers of supervisory authorities, the processing of employee data, and national identification numbers. The law “applies to controllers and processors established in Lithuania, as well as to controllers following the Lithuanian law by virtue of the public international law”. With respect to businesses offering goods or services to, or monitoring the behaviour of, data subjects in the EU, the law applies only to those controllers and processors that have designated a representative in Lithuania. The new law comes more than a month after the May 25 deadline set by the EU.

The Lithuanian law on data protection is available here (in Lithuanian)