The Law on the Exchange of Data, Documents and Notifications in Case of Temporary Inability for Work Using Software Solution “e-Bolovanje – Poslodavac” introduced the software solution with the following objectives: to enable efficient exchange of information on inability for work between the selected physician, the employer and the Republic Fund of Health Insurance (personal data is retrieved from healthcare ICT systems into the software solution); to clearly define the roles of responsible stakeholders; to protect employees’ privacy and personal data; to increase the efficiency of healthcare institutions; to reduce the costs of paper-based documentation; to reduce queues in healthcare institutions; to reduce errors in record-keeping; to decrease the burden on healthcare practitioners; and to reduce risks and abuse in exercising rights based on temporary inability for work.
Yet, from the documents provided by the Office for Information Technology and Electronic Administration, the Ministry of Health and the regulator for data protection and privacy under the right to free access to information of public importance, we learned that basic requirements regarding the security of processing of personal data and privacy in the application of the software solution and healthcare ICT systems are not met. Moreover, there is a serious misunderstanding in applying the relevant provisions governing risk assessment of the security of processing of personal data and data protection impact assessment. This results in inappropriate assessments, a lack of assessments and an absence of the regulator’s control, which in turn creates serious risks for the personal data of all citizens.
This article, written by Partner Ivan Milošević from the JPM Belgrade office, addresses the difference between the risk assessment of security of processing of personal data and the data protection impact assessment, and the necessity for greater intervention by the regulator.
