Karolinska's board of directors is the data controller, and DN's disclosure that the procedure for preparing the so-called digital scorecards, in which data from medical records is merged with, inter alia, the quality and personal data registers, may be contrary to law has prompted the board to respond.
says that he has asked the hospital for a review of how it lives up to the regulations.
"In the board of directors, we want to get a review of the issue in January and have the opportunity to discuss the matter. We shall, of course, follow both the Patient Data Act and the GDPR."
The database is being built up by a central unit separate from the actual health care, as part of the hospital's work with value-based care. The goal is to be able to follow the quality of care, linked to costs, in real time for groups of patients with different diagnoses. Data from patient records is transferred to the scorecards each night. Patients are not informed of the work going on, nor asked whether they would like to be included in the new system.
Experts that DN talked with, including lawyer Caroline Olstedt Carlström, said that the hospital's handling is contrary to the new data directive, GDPR, which inter alia provides that patients have the right to be informed about the processing of personal data. The Swedish Data Inspection Board, which is the regulator, also stresses the GDPR's express requirements for clarity. Olstedt Carlström also believes that it should be examined legally whether the database constitutes a new regional quality register. In such cases, patients have the right to object to the processing of personal data.
After DN's publication, the hospital published information on its website, including some new information about the scorecards. The hospital now states, unlike before, both that personal data is involved and that the patient data is not completely anonymous but pseudonymised, that is to say, without any direct possibility of identifying a patient.
The hospital writes on the website:
"In order to ensure that it is not possible to identify individual patients in the scorecards via, for example, rare diseases or rare diagnoses, the follow-up results are presented only if there are more than five patients in the underlying data."
Regarding the processing of personal data, the hospital refers to the Patient Data Act, which allows personal data processing without consent for quality purposes in health care. According to Karolinska, the database is an IT solution for follow-up and not a register.
Sörman said that the board had a review of the application of the GDPR earlier in the year, but that the procedure with the scorecards was not covered then. He says that the information the board has received does not in itself suggest any irregularities.
"It is clear that a lawyer should explain this, so that we can clarify whether there has been a misunderstanding of how the data is used or whether it is a case of failure to comply with the regulatory framework."
DN has sought the hospital's data protection officer for an interview.