The role of the Data Protection Officer in a healthcare organisation

By Giampaolo Franco | Wednesday November 16th, 2016

Health data are processed in a very complex technological domain, often shaped by exceptions. These exceptions to the standard management processes add cost, complexity and redundancy to the system, and they degrade the proper functioning of healthcare organisations.
The regulatory environment does not provide suitable tools to address the critical issues listed above: a continually changing scenario hinders the comprehensive, long-term management of clinical data and prompts healthcare organisations to regard the protection of patients' data almost as an obstacle to the execution of clinical procedures. As a consequence, the protection of health data is excluded from the core business and, unfortunately, this area becomes dependent on technology. For this reason, in many situations responsibility for information security is entrusted solely to the Chief Information Officer. The CIO is not the right person for this task: the CIO's priorities are the delivery of services, automation, innovation and efficiency, not the security of the data. Effective management of health data security should instead rest on an independent, holistic view at the level of high-level business processes, within a standardised and simplified strategic framework aimed at ensuring regulatory compliance, adherence to security frameworks and standards, and protection against risk. Moreover, as stated by the General Data Protection Regulation 2016/679 (Art. 38, Position of the data protection officer, paragraph 6), the reference point for data protection, the Data Protection Officer, must be free of any conflict of interest and should therefore not depend on the technology function.
The activities to be carried out are considerable. For these reasons, the most suitable solution for managing this area is clearly the establishment of a dedicated internal structure, composed of a team of certified experts in both the legal field and computer security.
Most likely, most of the initial energy will be spent overcoming opposition to this change, which is often rooted in technical and operational constraints and in a managerial will to keep the current bureaucratic and organisational system alive.


About Giampaolo Franco

Giampaolo Franco holds a degree in Computer Science and is a Certified Information Security Manager (CISM). Dr. Franco has more than 10 years of experience in governance, risk management and compliance at Azienda Provinciale per i Servizi Sanitari (APSS, the main healthcare provider of the Autonomous Province of Trento). He is involved in several activities at APSS, including business continuity and disaster recovery, risk analysis, privacy compliance, awareness, internal and external audits, incident management, and the optimisation and quality control of IT processes. His previous work experience includes project management, analysis and programming for several financial institutions. He has also been a consultant for the University of Trento, working on a project aimed at defining the organisational and security aspects of introducing integrated models of digital teaching in schools. Dr. Franco continues to pursue research, education and awareness activities related to information security for the Public Administration with remarkable passion and leadership. He is a member of the ISACA VENICE Chapter and of the Oracle Community for Security, and a contributor to Europrivacy. In 2016 he won the European Institute of Innovation & Technology - EIT Digital pre-incubation programme with a project on Art&Technology.
