Tuesday, March 15, 2022

GESY - WHAT PERSONAL DATA IS COLLECTED

 Filenews 15 March 2022



In addition to the cybersecurity measures taken to protect the GHS IT System, the Health Insurance Organisation (HIO) has defined a specific framework that sets out and controls who has the right to access and process each beneficiary's data, and under what conditions.

As the HIO states, the transition to the digital age is undoubtedly a positive development with multiple benefits: simplification of procedures, reduction of waiting time, avoidance of unnecessary bureaucracy, and easy and direct access to useful data. One issue that arises from this necessary transition, however, is the safeguarding of individuals' personal data.

WHAT PERSONAL DATA IS COLLECTED

When a beneficiary requests to register himself/herself or a third person in the GHS Beneficiary Portal, he/she will be asked to provide some personal information. This information includes first and last name, date of birth, nationality and ID number or, as appropriate, alien registration number.

In addition, information regarding marital status, postal address, telephone numbers of the beneficiary and the closest relative, e-mail address, the preferred method of communication and the preferred language of communication (Greek or English) is required.

The Organization has the right, in order to verify whether the applicant meets the criteria to be a GHS beneficiary, to check his/her personal data using other government databases.

In addition, each time a beneficiary receives healthcare services within the GHS, the provider enters personal data about these services. These data may include indications of the beneficiary's state of health.

Medical data are entered into the System either under the "Medical Profile" option or in the "History" category, as part of the process of imposing requirements.

The HIO has the right to process personal data concerning general information about the healthcare services received by a beneficiary, in the context of the implementation, monitoring and management of the General Health System.

WHO HAS A RIGHT OF ACCESS

The right of access to personal data belongs, of course, to the person concerned or to their guardians. In addition, healthcare providers contracted with the GHS, GHS health professionals, and staff belonging to or working on behalf of the providers have the right of access, under specific conditions that justify such access.

Always on a need-to-know basis, the right of access is granted to authorized HIO officers, as well as to organizations or persons acting as subcontractors or associates of the HIO where, in the context of the services they provide (e.g. examination of claims or pre-approval requests), they manage beneficiaries' personal data. Moreover, public services, such as the Auditor General of the Republic or the GHS Supervisor in the context of investigating complaints, etc., may have access to specific personal data in the course of their work.

Finally, people designated by beneficiaries to register them in the Beneficiary Portal also have access to the personal details of a beneficiary. This access is terminated completely once the beneficiary's registration is completed and before the provision of healthcare services begins.

HOW ACCESS TO PERSONAL DATA IS CONTROLLED

Appropriate technical cybersecurity measures are applied at the Beneficiary Portal, together with measures that enforce the conditions required for lawful access to personal data. As far as providers' access to the Beneficiary's File is concerned, there is full transparency as to who gained access, when, and under what conditions. Specifically, every such access is recorded in the Access Log that is part of each beneficiary's file. At the same time, a separate e-mail is sent to the beneficiary each time a provider has accessed the file.

Finally, through the Portal, each beneficiary is given the opportunity to limit the access of providers either to specific medical data or to his/her entire medical history. In this case, the beneficiary is required to accept the risk of receiving healthcare services from providers who have no knowledge of his/her medical history.

FOR HOW LONG ARE PERSONAL DATA RETAINED IN THE GHS SYSTEM

If the beneficiary wishes, he/she has the right to discontinue the use of the GHS services at any time, by submitting a relevant request through the Portal. In such a case, access to the Beneficiary File is revoked, but the File is not deleted from the GHS System.

The data on the health of the beneficiary are kept in accordance with the guidelines issued by the Commissioner responsible for data protection of the Republic of Cyprus on 3 July 2018. Under these guidelines, the retention period of personal data about the health of a beneficiary must not exceed 15 years after his/her death or 15 years after the last data entry on the Portal.

This period applies as long as there are no financial / legal or other outstanding issues or disputes between the beneficiary and the processor in charge, in this case the HIO.

Also, the personal health data of a beneficiary can be stored for a longer period of time in a separate filing system if:

(a) they are processed solely for archiving purposes in the public interest, for scientific or historical research or for statistical purposes;

(b) appropriate technical and organisational measures are in place to archive only the data of the individual needed for the purpose in question. If, for example, the family situation of the beneficiary does not serve the purpose, the relevant data shall be deleted; and

(c) appropriate technical and organisational measures are in place which will no longer allow the identification of a beneficiary (e.g. the replacement of the beneficiary's name with a number).

WHAT ARE THE RIGHTS AND OBLIGATIONS OF THE BENEFICIARIES IN RELATION TO PERSONAL DATA?

Right of access: Each beneficiary has the right to request access to all personal data processed by the HIO concerning him/her. However, the HIO also has the right to charge reasonable administrative costs if the beneficiary repeatedly submits requests for access.

To avoid this, each application must be clear and specify what kind of processing the beneficiary wishes to proceed with.

Right to rectification: Through the Portal, the beneficiary has controlled access to his/her File so that he/she can make specific modifications: changes to the communication preferences or contact details, or the concealment of parts of his/her medical history.

If a beneficiary wishes to correct any errors in his/her personal data, e.g. medical data entered by a provider, then he/she may submit a request with the relevant evidence. In this case, no fee is imposed by the Agency. The above amendments are, of course, subject to the approval of the Organization, which is responsible for deciding whether they will become part of the Beneficiary's File. Once this is done, the information contained in the File is accessible to the HIO and to those individuals/services that have the right of access.

Right to restriction: In addition, beneficiaries have the right to request a restriction on the processing of their data by the Agency under specific conditions. If a beneficiary wishes to submit a request for one or more of the above, he/she may contact the Data Protection Officer at the e-mail address dpo@hio.org.cy.

An e-mail requesting the exercise of a right is not considered as simultaneous consent to the processing of the beneficiary's personal data.

What the request must include:

  • Clear statement of the right that the beneficiary wishes to exercise
  • The reason that requires it
  • Date and signature of the applicant
  • Digital scanned copy of the valid ID that proves the identity of the applicant

If the application meets the above requirements and proves to be valid, the Organization will handle it as soon as possible and no later than thirty (30) days after receipt of the request.

The HIO is constantly vigilant in order to ensure a high level of protection of the personal data of GHS beneficiaries. In addition, the Agency consults on a regular basis with the Office of the Commissioner for the Protection of Personal Data, obtaining relevant instructions and decisions, in order to ensure the lawful processing of personal data across the full range of the GHS's operations.

In conclusion, the Agency, as a public entity that collects and manages a large amount of personal data, has an obligation to comply with the provisions of the European General Data Regulation. Apart from the legal obligation, the protection of the personal data of the beneficiaries is part of the moral values on the basis of which the Organization operates and therefore, respect for privacy and the protection of personal data have been established as part of its overall organizational culture.