PIN

From NCPeH CY
Revision as of 11:11, 19 April 2021 by Mneoph (talk | contribs)
Jump to navigation Jump to search

Patient Information Notice regarding cross-border transfer of personal health data

CYPRUS

The following information is provided to fulfil the requirement of the EU General Data Protection Regulation to inform citizens about the processing of their personal data.

What is the eHealth Digital Service Infrastructure?

The eHealth Digital Service Infrastructure (eHDSI) is a system that provides European citizens with a safe and easy way to transfer their medical data cross-border by electronic means if they need treatment abroad. The electronic data is provided to health professionals in countries across the European Union (EU) 1 where the citizen is being treated. The personal data is transferred and stored in accordance with the law of the country of treatment.

The categories of your personal health data concerned

The Patient Summary is a basic medical dataset that is transferred for the purpose of receiving treatment in another country. It includes important patient data such as allergies, current medication, previous illnesses and surgeries, that is necessary to treat the patient properly abroad. Your information is available for inclusion in your Patient Summary insofar as the personal data is already recorded in electronic form in Cyprus via Nicosia and Famagusta General Hospitals.

What is the legal basis for the use of your personal data?

The eHDSI services will become available for you only upon your explicit consent. Although emergency situations may justify the use of your data for your treatment without consent, if you don’t give explicit consent before travelling, your data will not be available through the eHDSI system when you are in another country, not even in case of emergency. When you are abroad in an actual care situation, your Patient Summary data will be recorded in the country of treatment in accordance with the EU General Data Protection Regulation (GDPR), the laws of that country and the practices of the particular healthcare institution.

What is the purpose of processing?

Your medical data will only be used for your personal treatment. However, in some countries your personal data may also, under certain conditions, be used for other purposes prescribed by law, such as monitoring and research in order to improve the quality of public health. For these secondary purposes, the participating countries have committed to put in place appropriate technical and organisational safeguards, such as de-identification of personal data where necessary. In Cyprus, the data collected for inclusion in your Patient Summary will not be used for secondary purposes, other than for statistical purposes after it has been completely anonymised. Information about the purposes of such further processing according to the laws of various countries is available at the eHDSI website.

Who processes and has access to this data?

Your Patient Summary data will be accessible only by authorised and identifiable health professionals involved in your treatment, under professional secrecy, in the country of treatment. Each country of treatment participating in the eHDSI system has undertaken to ensure that the participating health professionals and healthcare providers on their territory have adequate information and training about their duties. Please refer to the eHDSI website for details of the participating countries. The Patient Summary data will be transferred through a secure gateway provided by the eHealth National Contact Point designated by each country.

Where and how long is the personal data stored?

The Patient Summary data may be stored in information systems of health institutions both in Cyprus and in the country of treatment. The data shall be stored for no longer than is necessary for the purpose for which your personal data is processed. In the case of persons domiciled in Cyprus, the storage period of medical records in Cyprus is currently for the lifetime of the patient and ten years thereafter, while in the case of other patients, such as persons visiting from other countries, the storage period is ten years. The storage period in other participating countries may vary. Information about the storage periods is available on the eHDSI website. Longer storage periods may only be used for archiving and scientific or historical research where particular privacy safeguards are in place (such as anonymisation).

Your access rights

If you consent for your Patient Summary data to be processed by the eHDSI system, you can have access to it by making a request either to the Information Management Unit of the Ministry for Health (ncpeH@moh.gov.cy) or to the National eHealth Authority. You have the right to: a) rectify any inaccurate data in your Patient Summary data, according to Article 16 of the GDPR. b) obtain the erasure of your Patient Summary data, according to Article 17 of the GDPR. c) object to the processing of your Patient Summary data on grounds relating to your particular situation, according to Article 21 of the GDPR.

You have the right to withdraw your consent at any time.

If you do not consent for your personal data to be processed by the eHDSI system, your data will not be available for you through this system when you are in another country, not even in case of emergency.

Finally, you have the right to lodge a complaint with a supervisory authority either in Cyprus or in the country of treatment, depending on the factual situation.


Contact details

Data controller

Andreas Christodoulou

DPO National eHeath Authority

1 Prodromou & Chilonos Street 17

1448 Nicosia,

Cyprus

Call Center: 00357 22 605 300/301


Data processor

Irene Georgiou

DPO Ministry of Health

1 Prodromou & Chilonos Street 17

1448 Nicosia,

Cyprus

Call Center: 00357 22 605 300/301 e–mail: ncpeH@moh.gov.cy

URL: https://www.moh.gov.cy/moh/cbh/cbh.nsf/index_gr/index_gr?OpenDocument


Supervisory authority in Cyprus

1, Iasonos str.

1082 Nicosia,

P.O.Box 23378, 1682

Telephone: +357 22818456

Fax: +357 22304565

Email: commissioner@dataprotection.gov.cy