PRESENTATION OF THE IMPACT ASSESSMENT METHODOLOGY AND TOOL FOR THE PROTECTION OF HEALTH DATA

Author: TIC Salut Social / 23 December 2020

On 17 December 2020, the Office of the Data Protection Officer (DPO) of the TIC Salut Social Foundation, in collaboration with a multidisciplinary team led by Dr Itziar de Lecuona, Deputy Director of the Observatory of Bioethics and Law – UNESCO Chair in Bioethics at the University of Barcelona – presented a methodology and a tool for carrying out a data protection impact assessment (DPIA) in the health field, based on the Catalan Data Protection Authority model.

In this session on 17 December, the team led by Dr Lecuona, made up of Ricard Mas (industrial engineer and consultant expert in operations and digital transformation) and Paula Subías (mathematician and specialist in data science applied to the field of health), presented the methodology and tool through a use case to the data protection professionals of the entities that adhere to the Health DPO (TICSALUT). The video of the presentation can be viewed at the following link.

DPIAs involve taking appropriate and proactive responsibility for managing the risks of personal data processing, as established by the data protection regulations since 2018. With this proposal, openly available to all, the Office of the Data Protection Officer aims to contribute to the homogenization and standardization of the methodology and criteria that health institutions use to carry out these assessments. The tool enables a more in-depth approach to these aspects and to the particularities of the sector in a coordinated and systematized manner.

The proposed DPIA has been adapted to the specific needs of the health field to assess the processing of personal data in research and innovation processes. The result is a methodology and a tool that enable a self-assessment, in plain language, that can detect risks in the processing of personal data and their mitigation. It provides definitions and examples to identify actors, describe forms of processing, and measure risks in order to establish an action plan.

The proposal helps the data controller and the agents involved in decision-making through automated proposals and allows for a detailed analysis of the life cycle of the personal data involved. It should be noted that the DPIA includes specific sections to assess the use of emerging technologies such as artificial intelligence. The tool also incorporates mechanisms to record the advice and guidance of the corresponding Data Protection Officer.

The methodology and the tool for carrying out the DPIA in the health field can be found at the following link.