It is not difficult to imagine the potential risks that a consumer faces when private information such as financial data (credit card numbers, bank account details), health conditions or sexual and political orientation can be accessed or misused by a third party. With new technologies constantly evolving at a rapid pace, the legal framework and practices must find a way to adapt to these transformations. At the same time, a high level of data protection has to be guaranteed.
The European Commission will review EU privacy rules in 2010 with the aim of increasing data protection for Internet services such as webmail, social networks and online banking, as well as in other non-virtual sectors ranging from finance to health care.
Data protection Directive of 24/10/1995
The European Union is based on the respect for fundamental rights. Article 8 of the Charter of Fundamental Rights of the European Union expressly recognizes the fundamental right to the protection of personal data.
In order to remove potential obstacles to the flows of Personal Data and to ensure a high level of protection within the EU, data protection legislation has been harmonized.
http://ec.europa.eu/justice_home/fsj/privacy/docs/95-46-ce/dir1995-46_part1_en.pdf
With the entry into force of the Lisbon Treaty, the protection of personal data has become a fundamental right of the EU. A review of the Data Protection Directive is scheduled for 2010. This is a follow-up to the initiative of the European Commission, which organised a large public consultation aimed at obtaining contributions on the new challenges in the field of privacy and on the improvement of the legal framework on data protection in the European Union.
Review of the Directive
Viviane Reding, the EU's new commissioner for justice and fundamental rights and citizenship, is planning ambitious reforms for her mandate including the introduction of a European Civil Code and a major revamp of EU data protection rules.
As a reminder, the justice and home affairs portfolio has been split into two new high-profile portfolios: one for home affairs and one for justice, fundamental rights and citizenship. The latter is the first of its kind in EU history and was created to reflect the increased emphasis on citizens' rights in the 27 EU member countries under the Lisbon Treaty. The new portfolio encompasses policy areas such as the free movement of citizens, family law, penal law, consumer rights, EU communication policy, gender equality and anti-discrimination legislation.
As information society commissioner during her previous mandate (2005-2009), Viviane Reding never missed an opportunity - particularly at the end of her mandate - to identify the hidden dangers of new technologies.
For instance, she recommended improving privacy protection in a number of fields, ranging from social-networking sites such as MySpace and Facebook, where sensitive data are often collected without users' knowledge, to e-commerce services such as eBay or Amazon, online banking, webmail such as Gmail (Google) or Hotmail (Microsoft), which is increasingly replacing PC-based email clients (such as Microsoft Outlook), and radio frequency identification tags.
According to some experts, we can expect Reding to maintain a pragmatic but reform-oriented approach, aimed at allowing businesses that need easy access to private information to thrive - such as Internet search engines - but requiring them to make relevant concessions.
"Protection against data breaches cannot be limited to electronic communications networks alone, but may need to be addressed in new EU rules which cover online services as well," Reding said.
Transport, finance and health care rely extensively on private information and might be subjected to tougher rules to prevent and inform users about data breaches.
Reding made clear that at present the Commission is only studying possible measures to protect users from data breaches. This could involve "the obligation to notify breaches," a measure deemed user-unfriendly by many in the industry, since it could increase the perception of risk among users, resulting in less uptake of services.
However, privacy watchdogs at the European Data Protection Supervisor's office (EDPS) underline the fact that trust in a service will increase if risks are correctly signalled and avoided.
Another option is to ensure "exemption from liabilities for operators if they can demonstrate that they have put in place certain minimum security standards," said Reding. Service providers would not have to turn into informal patrols, but it implies extra costs for the industry as it requires updated security infrastructure and will increase usage of provisions such as encryption and secured access.
>> Euractiv.com, EU Commission Justice and Home affairs
EU Public Consultation on Data Protection
EHFCN has submitted a response to the European Commission expressing our views and opinions on the development of Data Protection law taking into consideration the increasing use of new technologies and electronic record management. While recognising the individual right of every EU citizen to have their personal data protected, to combat fraud and corruption particularly in a cross border context, it is important to develop a restricted and regulated exchange of sensitive personal data between Member States in order to best identify areas of weakness and therefore minimise the losses within the healthcare sector. Please read our response in full below.
Q1 Views of EHFCN on the new challenges for personal data protection, in particular in the light of new technologies and globalization.
General comment:
The aim of the European Healthcare Fraud and Corruption Network is to improve European healthcare systems by reducing losses to fraud and corruption.
Corporate members of EHFCN are governmental or private entities directly involved or with a specific role in countering healthcare fraud and corruption.
EHFCN supports its members in their work to use effective prevention and detection systems and to conduct professional investigations in cases where fraud and corruption committed by patients, healthcare providers, suppliers and staff are suspected.
The prevention, detection and investigation of fraud and corruption in cross border healthcare, moreover, require cooperation and a systematic exchange of information - personal sensitive data included - between these national operational entities. The networking of records should make it possible to prevent fraud and corruption in cross border healthcare being committed by the same offenders in different countries of the Union.
Although EHFCN recognizes the individual right of every EU citizen to have his or her privacy protected at the highest level possible, patient safety and the public interest (correct allocation of healthcare budgets) should allow a restricted and regulated exchange of sensitive (administrative and judicial) personal data between competent authorities of all Member States.
Although EHFCN acknowledges potential abuse and the risk of violation of privacy in new technologies such as the use of internet, e-health (electronic patient dossiers and billing), cyber applications (chip implants, telemedicine) etc., they are considered by EHFCN to be an added value in the fight against fraud and corruption in cross border healthcare.
New technologies facilitate data entry, data matching, data mining and data exchange, under the condition however of strict but workable protocols. Another example of a new technology is wireless automation. It has been mentioned that wireless is ideal as it is fairly inexpensive and allows any sensors and devices to be installed at any time rather than just at the beginning of the installation process. Particularly relevant to hospitals and health services is indoor location awareness wireless building automation, which allows tracking of patients and also allows tracking of the nearest doctor in emergency situations. But these useful services can also be tampered with, which means that this new device can also be a danger.
Globalization and the consequential increase of patient and healthcare provider mobility (enhanced by freedom of movement and the Internal Market in the EU) is a risk factor for increased fraud and corruption in cross border healthcare.
The EU draft directive 2005/36/EC gives patients and practitioners the right to free movement throughout the Member States. This means that patients are more mobile than ever before. Providers in various Member States are also keen to attract patients across borders and may emphasize the higher quality of treatment outside a patient's Member State. As a result it is now commonplace for patients to shop around for the best quality, most affordable and most readily available treatment. This increases the opportunities to commit fraud.
Variation in privacy regulations and data protection rules results in the fact that patient records and other information cannot be shared between healthcare providers, regulatory bodies, etc. This means that unscrupulous practitioners can cross borders following disciplinary action in order to escape their past and to continue to practice unsafely. Patients who commit fraud can likewise cross borders knowing that information about the fraud they have committed cannot be shared and therefore they can carry out the same activities in another member state.
The increasing mobility of patients and healthcare practitioners from non-EU countries adds to this problem.
Q2. In the view of EHFCN, the current European legal framework does not meet these challenges. There are neither protocols nor common standards of gathering and exchanging (criminal, civil and disciplinary) evidence in matters related to fraud and corruption in cross border healthcare.
Q3. EHFCN situates future action to address these identified challenges on 3 possible levels:
- Bilateral agreements between (competent authorities of) Member States. Recently France and Belgium (CNAMTS and INAMI) have signed an agreement regulating the exchange of personal data in ad hoc cross border cases of suspected fraud and corruption in healthcare.
- The clarification of existing European information channels for exchanging sensitive personal data related to fraud and corruption in cross border healthcare: Europol, the European Criminal Records Information System (ECRIS), SIS II etc. The condition, however, is that all of the information related to fraud and corruption in cross border healthcare should be clarified through one channel only.
- The establishment of a new agency charged with the task of developing a system of information exchange related to fraud and corruption in cross border healthcare. This agency can also be the competent authority certifying healthcare providers and facilitators offering services in a cross border healthcare setting (medical travel etc.) based on quality standards and accreditation.
EHFCN is in favor of this last solution.

