Newspapers: Glas Istre
The application of IT has enabled rapid development in medicine in terms of new discoveries, diagnostics and treatments. On the other hand, the protocols for dealing with patients have not fully followed the advantages offered by the IT age and have in some cases remained unchanged for decades. One everyday example is the so-called "calling" of a patient in a clinic waiting room or health facility. How such a practice is viewed under the GDPR, and whether an individual's privacy is compromised, is illustrated by the following three examples from personal experience.
1. Example:
A family doctor's office is everyone's starting point in the health care system. The wide range of services each individual receives there, from preventive and control examinations, through consultations and minor procedures, leads to instructions for further specialist examinations. Thus, a visit to such an office does not necessarily indicate a particular disease or even the person's general state of health. In the waiting rooms of such practices, calling a patient by name and surname would not be considered contrary to the GDPR, nor to the protection of individuals with regard to personal data, under normal epidemiological conditions.
2. Example:
SPECIALIZED DOCTOR'S OFFICES
When we are dealing with an office where a visit unambiguously points to the possibility or suspicion of a particular disease or condition, each roll call in the waiting room by name and surname would endanger the privacy of the individual. In many of our institutions there is a common waiting room, and the surrounding offices belong to different specialties. If, for example, one of them handles only hepatitis C, a patient's roll call in the waiting room would unambiguously point to the suspicion of a particular disease; the privacy of the individual would thus be compromised and the entire procedure would be contrary to the GDPR.
3. Example:
COVID-19 TEST
In the context of the COVID-19 pandemic, the epidemiological situation has required the health system to organise specialist centres dedicated exclusively to testing citizens for the coronavirus. Such tests are made available to all citizens, and recommendations for testing come via the media from national authorities (National Headquarters, Croatian Public Health Service, etc.). On the other hand, there is a wide range of preventive reasons for testing: it may be an obligation before undergoing another medical procedure, an organisation's requirement that every employee be tested before returning from annual leave, the wish of citizens who are at risk, or the citizen having been a contact of an infected person. From personal experience, at such a location health workers sometimes call out a person who has come for testing.
In view of the overall situation, arriving for a test does not necessarily mean that the person is positive for the coronavirus, so calling the person by name and surname does not constitute an infringement of personal data. Beyond these examples, any calling by name that includes additional information describing the health status (diagnosis) or specific instructions for further treatment constitutes a violation of the General Regulation and of the patient's privacy.
It is clear from these examples that the same procedure can have a different impact as far as a personal data breach is concerned. The assessment should take into account a significantly wider context, which further affects the risk of harm, as well as criteria defined outside the system itself or the organisation where the personal data is processed. As a universal and current recommendation, numbering of patients on entering a health facility or waiting room can be introduced in all situations; a similar practice is familiar to us from banks, branch offices and the like.
It should be noted, but only in theory, that using the health insurance number or another identifier assigned to an individual by the health system is also acceptable from the perspective of the GDPR, but because of the numbering, in reality such an identifier is unwieldy and unusable.