Compatibility of a Security Policy for a Cloud-Based Healthcare System with the EU General Data Protection Regulation (GDPR)
Abstract
:1. Introduction
2. Overview of the Main Changes under GDPR
- Controller (organization)
- Processor (cloud service)
- Data subject (employee or customer)
- Supervisory authority (data protection authority)
3. Challenges of Cloud Adaptation in Healthcare Systems
- Data/Service Reliability The use of cloud for e-Health systems poses the need for high reliability of the provided services. As such services are distributed, the chance of having faulty transmission or incorrect data can increase. The data in e-Health Cloud must be consistent and constantly in a valid state regardless of any software, hardware, or network failure.
- Data Management/Control The data stored in a cloud virtualized environment can be accessed or managed through many people [25]. As such, in a healthcare cloud environment, the access control mechanisms employed for the protection of medical records are of vital importance [26]. The data may be replicated at different locations and across large geographic distances. Some of the data could be available locally. Most medical applications require secure, efficient, reliable, and scalable access to the medial records. The loss of direct data and application management can leave users feeling vulnerable to security flaws, data loss, and theft.
- Cloud Security/Privacy Internet-based access is another challenge in healthcare cloud computing. The cloud service providers offer a large number of resources that are collected in a virtualized pool to be utilized by healthcare providers. Clouds are on the Internet, and thus data could be stolen by hackers for fraudulent purposes. Data security and privacy are the primary concerns for the healthcare industry. As the service becomes distributed in nature, the chances of erroneous data increases.
- Data breach The most important thing is to prevent any data violation. Data can be comprised in in many different ways. A data breach in cloud is an incident involving unauthorized or illegal viewing, accessing or retrieval of data by an individual, application, or service. The aim is to steal and/or publish data to an unsecured or illegal location.
- Step 1 Review of existing studies on cloud computing security issues;
- Step 2 Identify threats to cloud-based healthcare systems;
- Step 3 Classify threats into distinct categories, i.e.,gates;
- Step 4 Address security requirements based on identified threats and challenges;
- Step 5 Determination of objectives in cloud-based healthcare systems;
- Step 6 Determination of assets in cloud-based healthcare systems;
- Step 7 Define security policy rules and procedures.
- Identity and Access Management, i.e., the threats associated with inappropriate access of cloud computing resources.
- Data, i.e., the threats associated with loss, leakage or unavailability of data.
- Regulatory, i.e., the threats associated with non-compliance to various governmental, national/geographic regulations or legal and regulatory requirements.
- Operational, i.e., the threats associated with the execution of business activities and services.
- Technology, i.e., the threats associated with evolving technologies and lack of standardization.
4. Results
4.1. Compliance of Our Security Policy Methodology with GDPR
4.2. New Security Policy Rules
4.2.1. Rights of Data Subjects
- Step 1 Collection of a data subject’s request
- ▪
- Physical presence, i.e., the data subject completes a standardized form on the premises of the cloud-based healthcare organization.
- ▪
- Website, i.e., the data subject, after visiting the website of the cloud-based healthcare organization, completes the online form for exercising the data subject’s rights.
- ▪
- Mail (physical or electronic), i.e., the data subject can exercise one of their rights by writing a free text and sending it to the cloud-based healthcare organization via mail (postal address) or via e-mail.
- Step 2 Identification and information of the data subject for the reception of the request
- ▪
- For the communication channel physical presence, identity card and passport, etc.
- ▪
- For the communication channel website, phone communication and identification based on the existing identification process via phone.
- ▪
- For the communication channel mail (postal address or e-mail), phone communication and identification based on the existing identification process via phone.
- Step 3 Registration of the request in the requests’ record
- ▪
- Identification of the data subject (identity card, passport, driving license, etc.) unless a third party acts on behalf of the data subject;
- ▪
- The type of exercised right (right of access, right of rectification, erasure, etc.);
- ▪
- The channel through which cloud-based health organization received the request of the data subject;
- ▪
- If the data subject wishes to receive the answer to its request through a specific communication channel;
- ▪
- Useful details and information about the request of the data subject;
- ▪
- If the data subject’s request has been assessed as excessive or without appropriate legal basis/grounds, the reasons that led to this result;
- ▪
- The date of receipt of the request by the responsible department of cloud-based healthcare organization;
- ▪
- The date the data subject was identified;
- ▪
- The date of the response by cloud-based healthcare organization;
- ▪
- The channel through which the response was sent to the data subject.
- Step 4 Forwarding the request to the data protection officer
- Step 5 Evaluation of the request
- ▪
- The purpose of processing the data;
- ▪
- The recipients of the data inside and outside of the cloud-based healthcare organization;
- ▪
- The legal basis for processing the data;
- ▪
- The information systems involved in the processing of such data;
- ▪
- Having this information, the data protection officer can effectively assess the subject’s request regarding the data subject’s rights and classify the request as “request can be settled”, “request can be settled but the subject is requested to pay a charge”, or “request cannot be settled”.
- Step 6 Requesting additional information from the data subject
- Step 7 Informing the data subject of a charge to process the request
- Step 8 Performing the required actions
- Step 9 Justified information to the data subject for delaying the satisfaction of their request
- Step 10 Informing the DPO regarding the implementation
- Step 11 Prepare the response document for the data subject
- Step 12 Informing the data subject regarding the fulfillment or not of the request
- -
- By letter to the designated postal address of the data subject;
- -
- Electronically, either if the data subject has requested so or if the request has been submitted by electronic means;
- -
- Orally, if the data subject has requested so.
4.2.2. Increased Territorial Scope
- PR1 Appropriate safeguards must be taken, if personal data are stored outside the EEA.
- PR2 Review data flows to ensure that appropriate transfer mechanisms are in place.
- PR3 Choose a transfer mechanism, such as binding corporate rules (BCRs), standard contractual clauses (SCCs), privacy shields (for the USA).
- PR4 If activities are in more member states, the provider should propose the state of the main establishment, the country that is the main residence of the provider.
- PR5 Define a cloud strategy to adhere to sufficient requirements and data localization laws of a lot of countries’ operations may have to be audited before the transfer is made.
- PR6 Binding corporate rules (BCRs) as new appropriate safeguards should be taken.
4.2.3. Appoint a Data Protection Officer
- PR1 Review the current job specification of the organization’s DPO.
- PR2 The DPO should report directly to the board, have independence, and have a separate budget.
- PR3 Depending on the size of the organization, consider whether the DPO is to require a support team to meet all the obligations of the GDPR.
- PR4 Monitor and enforce the applicability of the GDPR.
- PR5 Promote awareness and comprehension of the risks to the staff in the organization. In addition, inform the patients for their rights according the GDPR.
- PR6 Data protection certification mechanisms should be established.
- PR7 For liability, the data controller takes all appropriate security measures to protect personal data with liable way and in compliance with the regulation.
- PR8 Specific attention should be addressed to children and their data.
- RP9 The data processor must set appropriate technical and organizational measures to ensure an appropriate level of security.
- PR10 The data controller has the obligation to inform the authority and the client as long as the breach poses a serious risk.
- PR11 Codes of ethics are encouraged to be drawn up by the controllers, which are submitted for approval to the supervisory authority. In the case of trans-European activity, the European Data Protection Council is also consulted.
4.2.4. Breach Notification
- PR1 Ensure clear security policies to avoid security breaches.
- PR2 Deploy security controls that could help prevent security attacks.
- PR3 Establish clear processes that enable reacting quickly to possible breaches.
- PR4 Consider implementing security solutions that can detect, alert, and report on security breaches.
- PR5 Monitor and report systematically how users who have access to personal data behave.
- PR6 Breach notification obligations and protocols must be included in data processing agreements with cloud providers.
- PR7 Review data breach policies.
- PR8 Ensure security policies to notify the data subject when a data breach incident happens.
- PR9 Notify the national authority within 72 h in the case of a data breach.
4.2.5. Data Protection Impact Assessment
- PR1 Keep and document all information of data processing, such as what personal data are collected, as well as how data are protected, used, and stored.
- PR2 Monitor and report in a file any unauthorized or illegal access attempts.
- PR3 Monitor specific activities such as who accesses personal data and with whom the data are being shared.
- PR4 Keep a record of how long the data are to be stored.
- PR5 Ensure the data are encrypted, in order to protect it from any unauthorized access.
- PR6 Prepare a template PIA and train relevant employees about how and when it should be used.
- PR7 Ensure that outcomes and compliance steps are documented and actioned.
- PR8 Check if your organization carries out activities other than the processing of health data that would require a PIA, for example, through the use of CCTV or health monitoring devices.
- PR9 Adopt standards and show compliance through certification. In the case of cloud-based healthcare systems, the components should be compliant to industry standards GDPR or to acquire a security certification.
- PR10 Perform a security assessment.
- PR11 All systems should be commissioned and built using data protection by design and by default.
- PR12 The IT and commissioning teams should be aware of the requirements of data protection by design and default.
- PR13 Implementation of data-minimizing mechanisms.
- PR14 Appropriate privacy protection measures have to be implemented.
4.2.6. Penalties
- PR1 If the cloud-based healthcare organization supplies services for EU-based citizens, the organization needs to comply with the requirements of GDPR.
- PR2 Update and revisit the security policies in order to take the suitable steps for the protection of personal data.
- PR3 Keep proper privacy documents that can be used to get explicit and clear consent from individuals to process their personal data.
- PR4 Monitor the technical and organizational measures taken to ensure the privacy and security of personal data collected.
4.2.7. Consent/Conditions for Consent
- SP1 The data subject’s consent is required for personal data usage.
- SP2 Specific and clear instructions for consent, to provide the legal basis for processing.
- SP3 Provide separate consent options for each type of processing.
- SP4 Create a common method to record consent.
- SP5 Review the consents and identify who will carry out the review.
- SP6 Identify the process for withdrawal.
- SP7 Ensure data subjects are aware of the process for withdrawing their consent.
4.2.8. Independent Supervisory Authorities
- PR1 Performing tasks and exercising its powers in accordance with the regulation.
- PR2 Review and approval of binding corporate rules (BCRs).
- PR3 Use of approved certification mechanisms to demonstrate compliance with its requirements.
4.2.9. Data Protection by Design and Default
- PR1 Keep and document all information of data processing, such as what personal data are collected and how data are protected, used, and stored.
- PR2 Monitor and report in a file any unauthorized or illegal access attempts.
- PR3 Monitor specific activities such as who accesses personal data and with whom the data are being shared.
- PR4 Keep a record of how long the data are to be stored, while being stored.
- PR5 Ensure the data are encrypted, pseudonymized, and anonymized whenever possible, in order to protect them from any unauthorized access.
- PR6 Adopt standards and show compliance through certification. In the case of cloud-based healthcare hospitals, the components should be in compliance with industry standards GDPR or acquire a security certification.
- PR7 Perform a data protection impact assessment (DPIA) and a security assessment.
- PR8 Define a control framework with privacy and privacy by design control measures in order to audit cloud provider.
- PR9 The architecture of a cloud provider’s system should be monitored to address any changes in technology.
- PR10 Have a process in place to notify the authorities and your data subjects in the event of a data breach.
- PR11 All new systems should be commissioned and built using data protection by design and by default.
- PR12 The IT and commissioning teams should be aware of the requirements of data protection by design and default.
- PR13 Implementation of data-minimizing mechanisms.
- PR14 Appropriate privacy protection measures must be implemented.
- PR15 Update the procedures for dealing with requests and the satisfaction of data subjects’ rights, in particular as regards the deletion of data (right to forgotten) or the provision of them in a readable electronic format (data portability).
- PR16 Inform the human resources about the upcoming changes, highlighting the significant impact in case of violations.
- PR17 Assess the potential risks for the personal data collected and processed.
- PR18 Develop a strategy for dealing with potential risks with technical and organizational measures.
5. Conclusions
Author Contributions
Funding
Conflicts of Interest
References
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation). OJ L 119. 4 May 2016. p. 1–88. Available online: https://eur-lex.europa.eu/eli/reg/2016/679/oj (accessed on 16 December 2020).
- Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data. Available online: https://eur-lex.europa.eu/eli/dir/1995/46/oj (accessed on 16 December 2020).
- Council of Europe Handbook on European Data Protection Law 2018 Edition. Available online: https://www.echr.coe.int/Documents/Handbook_data_protection_ENG.pdf (accessed on 16 December 2020).
- Art. 4 GDPR—Definitions. Available online: https://www.privacy-regulation.eu/en/article-4-definitions-GDPR.htm (accessed on 16 December 2020).
- Art. 9 GDPR Processing of Special Categories of Personal Data. Available online: https://gdpr-info.eu/art-9-gdpr/ (accessed on 16 December 2020).
- Convention 108 + Convention for the Protection of Individuals with Regard to the Processing of Personal Data. Available online: https://rm.coe.int/convention-108-convention-for-the-protection-of-individuals-with-regar/16808b36f1 (accessed on 16 December 2020).
- Art.5 GDPR—Principles Relating to Processing of Personal Data. Available online: https://www.privacy-regulation.eu/en/ (accessed on 16 December 2020).
- Georgiou, D.; Lambrinoudakis, C. A Security Policy for Cloud Providers. In Proceedings of the 9th International Conference on Internet Monitoring and Protection (ICIMP 2014), Paris, France, 20–24 July 2014; pp. 13–21. [Google Scholar]
- Georgiou, D.; Lambrinoudakis, C. Cloud Computing Security Requirements and a Methodology for Their Auditing. In Proceedings of the 2015 International Conference on e-Democracy, Athens, Greece, 10–11 December 2015; Springer: Cham, Switzerland, 2015; pp. 51–61. [Google Scholar]
- Georgiou, D.; Lambrinoudakis, C. Security policy rules and required procedures for two crucial cloud computing threats. Int. J. Electron. Gov. 2017, 9, 385–403. [Google Scholar] [CrossRef]
- Article 12 EU GDPR—Transparent Information, Communication and Modalities for the Exercise of the Rights of the Data Subject. Available online: https://www.privacy-regulation.eu/en/article-12-transparent-information-communication-and-modalities-for-the-exercise-of-the-rights-of-the-data-subject-GDPR.htm (accessed on 16 December 2020).
- Information Governance Alliance “The Genera; Data Protection Regulation What’s New”. Available online: https://digital.nhs.uk/data-and-information/looking-after-information/data-security-and-information-governance/information-governance-alliance-iga/general-data-protection-regulation-gdpr-guidance (accessed on 16 December 2020).
- Wooten, R.; Klink, R.; Sinek, F.; Bai, Y.; Sharma, M. Design and Implementation of a secure Healthcare Social Cloud System. In Proceedings of the 2012 12th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, Ottawa, ON, Canada, 13–16 May 2012. [Google Scholar]
- Wainer, J.; Campos, C.J.R.; Salinas, M.D.U.; Sigulem, D. Security Requirements for a Lifelong Electronic Health Record System: An Opinion. Open Med. Inform. J. 2018, 2, 160–165. [Google Scholar] [CrossRef] [PubMed]
- Mehraeen, E.; Ghazisaeedi, M.; Farzi, J.; Mirshekari, S. Security Challenges in Healthcare Cloud Computing: A Systematic Review. Glob. J. Health Sci. 2016, 9, 59729. [Google Scholar] [CrossRef]
- Zriqat, A. Security and Privacy Issues in Ehealthcare Systems: Towards Trusted Services. Int. J. Adv. Comput. Sci. Appl. 2016, 7, 229–236. [Google Scholar]
- Vyawahare, P.D.G.; Bende, R.B.; Bhajipale, D.N.; Bharsakle, R.D.; Salve, A.G. A Survey on Security Challenges of Healthcare Analysis Over Cloud. Intern. J. Eng. Res. Technol. 2017, 6, 4069–4073. [Google Scholar]
- Johnstone, M. Cloud security: A case study in telemedicine. In Proceedings of the 1st Australian e-Health Informatics and Security Conference, Perth, Australia, 3–5 December 2012. [Google Scholar]
- Cheng, F.C.; Lai, W.H. The Impact of Cloud Computing Technology on Legal Infrastructure within Internet—Focusing on the Protection of Information Privacy. Procedia Eng. 2012, 29, 241–251. [Google Scholar] [CrossRef]
- Alzoubaidi, A.R. Cloud Computing National e-health services: Data Center Solution Architecture. Int. J. Comput. Sci. Netw. Secur. 2016, 16, 1–6. [Google Scholar]
- Plachkinova, M.; Alluhaidan, A.; Chatterjee, S. Health Records on the Cloud: A Security Framework. In Proceedings of the International Conference on Health Informatics and Medical Systems, Dallas, TX, USA, 27–30 July 2015; pp. 152–158. [Google Scholar]
- Noufal, M.M. Smart e-Health Monitoring and Maintenance Using Cloud. Int. J. Res. Emerg. Sci. Technol. 2016, 3, 61–65. [Google Scholar]
- Rani, A.A.V.; Baburaj, E. An Efficient Secure Authentication on Cloud Based e-Health Care System in WBAN. Biomed. Res. 2016, 53–59. Available online: https://www.biomedres.info/biomedical-research/an-efficient-secure-authentication-on-cloud-based-ehealth-care-system-in-wban.html (accessed on 16 December 2020).
- Dong, N.; Jonker, H.; Pang, J. Challenges in eHealth: From enabling to enforcing privacy. In Foundations of Health Informatics Engineering and Systems; FHIES, 2011; Lecture Notes in Computer, Science; Liu, Z., Wassyng, A., Eds.; Springer: Berlin/Heidelberg, Germany, 2011; pp. 195–206. [Google Scholar]
- Velumadhava, R.R.; Selvamani, K. Data Security Challenges and Its Solutions in Cloud Computing. Procedia Comput. Sci. 2015, 48, 204–209. [Google Scholar] [CrossRef] [Green Version]
- Balasubramaniam, S.; Kavitha, V. Hybrid Security Architecture for Personal Health Record Transactions in Cloud Computing. Adv. Inf. Sci. Serv. Sci. 2015, 7, 121–130. [Google Scholar]
- Georgiou, D.; Lambrinoudakis, C. Security and Privacy Issues for Intelligent Cloud-Based Health Systems. In Advanced Computational Intelligence in Healthcare-7; Studies in Computational Intelligence; Maglogiannis, I., Brahnam, S., Jain, L., Eds.; Springer: Berlin/Heidelberg, Germany, 2020; Volume 891. [Google Scholar] [CrossRef]
- Dimitra, G. Security Policies for Cloud Computing. 2018. Available online: http://dione.lib.unipi.gr/xmlui/bitstream/handle/unipi/11007/Georgiou_Dimitra.pdf?sequence=1&isAllowed=y (accessed on 16 December 2020).
- Cloud Security Alliance. Top Threats to Cloud Computing: Deep Dive. 2018. Available online: https://downloads.cloudsecurityalliance.org/assets/research/top-threats/top-threats-to-cloud-computing-deep-dive.pdf (accessed on 16 December 2020).
- ENISA. Threat Landscape Report 2018 15 Top Cyber Threats and Trends. 2018. Available online: https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-2018 (accessed on 16 December 2020).
- ISACA. Security Considerations for Cloud Computing. 2012. Available online: https://www.isaca.org/bookstore/Pages/Product-Detail.aspx?Product_code=SCC (accessed on 16 December 2020).
- European Data Protection Supervisor. Guidelines on the Use of Cloud Computing. 2018. Available online: https://edps.europa.eu/sites/edp/files/publication/18-03-16_cloud_computing_guidelines_en.pdf (accessed on 16 December 2020).
Key Changes of GDPR | Articles | Description | |
---|---|---|---|
Rights of the Data Subject | |||
1. | To data access | Article 15 | Data subjects are entitled to know upon request at any time, what personal data a company is using, where and how it is being used, as well as for what purposes. With this right, data subjects will have more and clearer information and also access to data when they are collected for processing. |
To be informed | Article 13 | This right provides the data subject with the ability to ask a company for information about what personal data are being processed and what the rationale is for such processing. | |
Of rectification | Article 16 | Data subjects have the right to require data controllers to rectify inaccurate personal data. Under the Data Protection Act (DPA), this principle is an obligation, not a subject’s right, other than by court order. Organizations must reply to requests within one calendar month. | |
To data erasure | Article 17 | Data subjects have the right to request deletion of the personal data that concerns them, if they no longer wish the controller to hold the data. | |
To restrict processing | Article 18 | Data subjects have the right to require data controllers to restrict processing for the following reasons:
| |
To data portability | Article 20 | EU citizens have the right to transfer their personal data from one provider to another for processing. This right allows them to move, copy, and transfer personal data from one environment to another in an easy and secure way, but only when the processing is based on consent and the processing is automated. | |
Not to be subject to automated decision making and profiling | Articles 22, 25 and 32 | Data subjects have the right ”not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her, or similarly significantly affects him or her”.
| |
To object to the processing of their personal data | Article 21, 37, 38, 39 | The controller must respect the objection unless they can demonstrate compelling legitimate grounds which override an individual’s rights or for establishing, exercising, or defending legal rights.
| |
2. | Increased territorial scope (extra territorial applicability), international Transfer of data, transfer of personal data to third countries of international organizations | Articles 44, 45, 46, 47, 48, 49, 50, 3 | According to the GDPR, International companies that collect or process EU citizen data should comply with the GDPR. The GDPR is applicable to any entity controlling or processing the personal data of EU data subjects, regardless of where it operates. This means that any foreign company based outside of the EU member states that deals with the data of EU citizens is subject to the GDPR’s stringent requirements. |
3. | Data Protection Officer (DPO) | Articles 37, 38, 39 | The GDPR introduces the role and the duties of the data protection officer (DPO) in Articles 37–40. Specific tasks of the DPO and corresponding obligations of the employers are presented there. In addition, it is stated that the contact details of the data protection officer should be made available to the public for ensuring uninterrupted communication with data subjects. It is an obligation for the controller and the processor to report to the supervisory authority the definition of the data protection officer. |
4. | Breach Notification | Article 32, 33, 34 | Organizations in all member states must report data breaches to supervisory authorities and individuals affected by a breach within 72 h (Article 33) of the detection. According to Article 34, a data subject should also be notified in the case where security breaches result in a risk to their rights and freedoms. |
5. | Data Protection Impact Assessment | Article 35 | The GDPR makes it obligatory for a data protection impact assessment to be completed where the processing is likely to result in a high risk to the rights and freedoms of data subjects.
|
6. | Penalties | Article 83, 84, 28 | Under the GDPR legislation, organizations can get fined. There is a layered approach regarding fines. The lower level of fine, up to €10 million or 2% of the company’s global annual turnover will be considered for infringements listed in Article 83 (4) of the GDPR. The higher level of fine, up to €20 million or 4% of the company’s global annual turnover will be considered for infringements listed in Article 83 (5) of the GDPR. |
7. | Consent Conditions for consent | Article 6, 7, 8 and 4(11) | Under the GDPR the conditions for consent have been strengthened. Terms and conditions should be presented in an easily accessible, understandable, and intelligible form by companies, with the purpose for data processing attached to that consent. Consent must use clear and plain language. |
8. | Independent Supervisory Authorities | Articles 51–54 | Data protection authorities are independent public authorities that supervise, through investigation, the application of the data protection law. There should be one in each EU member state and they are the main contact point for questions on data protection in the EU member state where the organization is based. |
9. | Data Protection by Design and by default | Article 25 | The GDPR requires that organizations incorporate technical and organizational measures to minimize the risk to the rights and freedoms of subjects in both the design and operation of data processing activities.
|
10. | Records of processing activities | Article 30 | The GDPR requires data controllers and processors to maintain records of their processing activities.
|
GDPR Main Requirement Classes | Security Policy Rules Covered/Not Covered/ Partially Covered by the Security Policy Proposed in [1] | Links to the Security Policy Rules |
---|---|---|
Rights of data subjects | - | See Section 4.2.1 (A) |
Increased territorial scope | ○ | See Section 4.2.2 (B) |
Appoint a data protection officer | - | See Section 4.2.3 (C) |
Breach notification | - | See Section 4.2.4 (D) |
Privacy by design | ● | See [1] |
Data protection impact assessment | - | See Section 4.2.5 (E) |
Penalties | - | See Section 4.2.6 (F) |
Consent/conditions for consent | - | See Section 4.2.7 (G) |
Independent supervisory authorities | - | See Section 4.2.8 (H) |
Data protection by design and default | ○ | See [1] Section 4.2.9 (I) |
Records of processing activities | ● | See [1] |
Request Assessment Table | ||
---|---|---|
Request | Description | Examples of Requests |
Request can be settled | Request that can be implemented within the foreseen timeframe (30 days). | Data rectification Data access Limitation of data processing |
Request can be settled but the subject is requested to pay a charge | Request that is excessive (e.g., due to its repetitive character). | Multiple copies of data (X times over Y months) |
Request cannot be settled | Unjustified request or request that is excessive (e.g., due to its repetitive character). | The subject has access to their data, but this will result in the disclosure of personal data of a third party. The subject has exercised the right to the portability of their data but has previously requested the erasure of the data. |
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations. |
© 2020 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).
Share and Cite
Georgiou, D.; Lambrinoudakis, C. Compatibility of a Security Policy for a Cloud-Based Healthcare System with the EU General Data Protection Regulation (GDPR). Information 2020, 11, 586. https://doi.org/10.3390/info11120586
Georgiou D, Lambrinoudakis C. Compatibility of a Security Policy for a Cloud-Based Healthcare System with the EU General Data Protection Regulation (GDPR). Information. 2020; 11(12):586. https://doi.org/10.3390/info11120586
Chicago/Turabian StyleGeorgiou, Dimitra, and Costas Lambrinoudakis. 2020. "Compatibility of a Security Policy for a Cloud-Based Healthcare System with the EU General Data Protection Regulation (GDPR)" Information 11, no. 12: 586. https://doi.org/10.3390/info11120586
APA StyleGeorgiou, D., & Lambrinoudakis, C. (2020). Compatibility of a Security Policy for a Cloud-Based Healthcare System with the EU General Data Protection Regulation (GDPR). Information, 11(12), 586. https://doi.org/10.3390/info11120586