GDPR Compliance

COVID-19 Telemedicine complies with the General Data Protection Regulation (GDPR), as described at https://en.wikipedia.org/wiki/General_Data_Protection_Regulation.
 
Consent
COVID-19 Telemedicine (C19T) ensures that every patient can give consent to data processing at first contact.
The consent record is kept for as long as the patient's data is stored, i.e. until the patient requests full deletion of their data.
 
Lawful basis for processing
In addition to the patient's consent, it is the responsibility of C19T clients to establish a lawful basis for processing, in accordance with the intended use of the C19T system they have been provided.
 
Data control
To preserve subjects’ privacy, C19T must:
  • Only process data for authorized purposes
  • Ensure data accuracy and integrity
  • Minimize the exposure of subject identities, and
  • Implement data security measures.
 
The C19T database is fully encrypted, and the encryption keys are stored separately from the database itself. Encrypted data whose keys are held apart from it cannot be attributed to a specific patient without that additional information, which is how the GDPR defines pseudonymisation.
 
The system is developed and released under a fully certified ISO 13485 quality management system (QMS), which ensures full data control.
 
Every component of the C19T solution is extensively analysed with regard to patient risk, and the conclusion is documented.
 
Data security
Data security goes hand in hand with data control: the GDPR puts security at the service of privacy. To preserve subjects' privacy, organizations must implement:
  • Safeguards where data is kept for further processing
  • Data protection measures, by default
  • Security as a contractual requirement, based on risk assessment, and encryption
C19T encrypts data end to end using AES with 256-bit keys, the largest key size the AES standard defines.
 
Right to erasure and access
Subject data cannot be kept indefinitely. The GDPR requires organizations to erase data from all repositories without undue delay when, among other grounds:
  • Data subjects withdraw their consent and no other lawful basis for the processing applies
  • The data is no longer necessary for the purpose it was collected for, or
  • A service or agreement comes to an end and the client organization requests deletion of the data
 
It is worth noting, however, that subjects do not enjoy a carte blanche right for their data to be erased. If there are legal reasons — specified in the regulation — an organization can retain and process a subject’s data. Exceptions are few, however.
C19T supports giving any patient or user full access to all data stored about them in the system. All such data can be exported, to support the right to data portability.
C19T supports erasure of a patient's data on request, provided the request is lawful under the rules applicable to the processing location, the institution and the country.
 
Risk mitigation and due diligence
Organizations must assess the risks to privacy and security, and demonstrate that they are mitigating them. To do so they must:
  • Conduct a full risk assessment
  • Implement measures to ensure and demonstrate compliance
  • Proactively help third-party customers and partners to comply, and
  • Prove full data control
 
The C19T platform is developed under ISO 13485, which requires a complete and fully documented risk analysis, compliance record and data control. The same ISO 13485 system governs all changes and provides the means to proactively support partners in their own compliance.
 
C19T has full control of, and tracks, data in an unbroken chain from user to clinician.
Because of the ISO 13485 QMS in use, C19T can document all changes throughout the system and roll back to previous versions on demand, as part of a recall or breach procedure.
 
Data protection is designed into the system by default. This is documented by the ISO 13485 implementation and can be audited by a third party. The default security setting is the highest level. Any change to data processing is likewise fully documented at all times.
 
 
Breach notification
When a security breach threatens the rights and freedoms of a data subject or subjects, organizations must:
  • Notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach
  • Describe the nature and likely consequences of the breach and the measures taken to address it, and
  • Communicate the breach directly to all affected subjects without undue delay when it is likely to result in a high risk to them
 
The C19T ISO 13485 QMS implements a full set of procedures for recalls and data breaches, including whom to notify and the relevant time limits.
 
Records of Activity
As an integral part of the product, OTH implements full audit logs of all activities in the system, including the IDs of the operator and the patient. Audit logs can be reviewed at any time.
 
COVID-19 Telemedicine hereby declares full GDPR compliance.

Jesper Lodahl, CEO 
COVID-19 Telemedicine ApS
 
Deborah Cooley, Data Protection Officer 
COVID-19 Telemedicine ApS