February 8, 2023
Dr. Zoltán Alexin (Department of Software Engineering) was invited as a data protection specialist to MedIT’s Podcast about digital healthcare.
The MedIT podcast provides insight into the latest achievements in health technology by bringing experts into the conversation. Their goal is to make the understanding of health accessible to professionals and non-professionals alike.
The episode, which aired on the 18th of January 2023, is titled “How should we protect our health data?”. In it, Dr. Zoltán Alexin gives examples that prove that our most intimate health data is not getting the strict protection it deserves.
Data subjects of the national EHR system, EESZT (Electronic Health Cooperation Service Space), are given a privacy notice under Article 14 of the GDPR, but this does not tell them how to configure access restrictions on the public portal. The system has been in operation for five years without any meaningful information being provided to the public to date. The default settings provide no protection whatsoever, making virtually all data available to any logged-in doctor, even those unknown to the patient. It must be added that the uploading of data into the EESZT is compulsory, the system collects every single piece of medical information about citizens and keeps it for ten years after their death.
Unauthorized access to data cannot be sanctioned because the offense of abusing personal data in the Criminal Code is subject to a threshold (HUF 5 million), so the doctors charged simply walk away in the absence of a crime because the damage caused is below the threshold as most of the courts consider.
Moreover, the use of personal health data for research is also a coercive measure; patients don't have the right to self-determination. Confidential, private data are given to researchers without informing the patients and without the possibility to object. Although the law stipulates that no direct personal identifiers (e.g. name) can be included in the data, these data are still personal under the GDPR since they are very easy to re-identify as they often contain internal identifiers (e.g. medical log number, internal electronic patient identifier).
Under the Health Data Protection Act, data can be processed for around thirty purposes. Of these, two or three are covered by the EESZT’s self-determination module, and the remaining 27-28 data processing purposes are again coercive, where the state exercises its unlimited right to get to know, monitor, analyze, and evaluate citizens' health.