If implementing ISMS 27001 had been sufficient to ensure privacy, the EU would not have enacted the GDPR.
ISMS 27001 (ISO/IEC 27001) is an international standard that structures how businesses should manage the risks associated with information security threats, including information security policies, procedures, and staff training in applying information security. How information security is used to protect personal data is regulated by the GDPR (security of processing): Article 32 of the GDPR and Article 50 of the Serbian Data Protection Act.
ISMS 27001 deals neither with the legitimate interest of the controller, nor with the necessity and proportionality of processing, nor with the intended purposes of processing and compatible purposes. In the case of high risks to the rights and freedoms of citizens, health institutions need to define and implement additional adequate technical and organisational measures to cope with privacy risks (Data Protection Impact Assessment).
This becomes even more relevant when the controller implements the GDPR to protect special categories of personal data – health or genetic data – or processes, for scientific research, personal data initially collected for medical treatment. In these cases, health and other public institutions have to comply with the requirements of both the Oviedo Convention and the GDPR. The regulatory requirements for establishing a gene bank and processing samples that constitute personal data (if not anonymised) are a complex matter requiring significant consideration. And how can personal data be anonymised if healthcare institutions must inform a data subject who consented to scientific research about the results of that research where it is determined that the data subject suffers from a rare disease?
The Law on Health Documentation and Records in Health Sector prescribes that the processing of personal data and the establishment and maintenance of registers of processing activities is performed in accordance with the Law on Protection of Personal Data.
What steps should health and other public institutions take to protect the privacy of patients and of persons participating in scientific research?
For answers, join us at the Conference “Future is Now” – 15th Conference of Digital Medicine on May 31, 2022, at Hotel “Moskva”, 9.00h -13.00h. For REGISTRATION, please send an e-mail to ivan.milosevic@jpm.rs or office@jpm.rs. If you would like to follow the event ONLINE, let us know and we shall send you the link.