Patient Personal Data Protection
The European Network for Innovative Diagnosis and Treatment of Chronic Neutropenias (EuNet-INNOCHRON) maintains a medical database known as the EuNet-INNOCHRON COVID-19 Registry, denoted in this document as “The Registry”. The Registry contains anonymized clinical data such as aspects of the diagnosis, laboratory findings, treatment, complications and outcome of SARS-CoV-2 infected chronic neutropenia (CNP) patients and applies the General Data Protection Regulation (Regulation (EU) 2016/679, hereafter “GDPR”).
Why is Patient Data collected?
The EuNet-INNOCHRON COVID-19 Registry collects data for the better understanding of the frequency and severity of SARS-CoV-2 infection in patients with CNP in order to improve patients’ care and treatment. The importance of “coupling information from registries” in order to obtain “new knowledge of great value” has been explicitly recognized in the European legislation (consideration 157 GDPR).
How is personal data obtained?
The partners of EuNet-INNOCHRON will collect data from the files of their own patients and/or patients from the local collaborators.
Following the GDPR, and to ensure the maximum accordance with the law of all EU/EEA nations, data of patients residing in EU member countries shall only be used in the EuNet-INNOCHRON COVID-19 Registry when appropriate Hospital approval is given. The approval will be collected and ensured by the physicians submitting data to the Registry.
What personal data is sent to the EuNet-INNOCHRON COVID-19 Registry?
Data collected to identify a person is limited to the hospital, the hospital UPN (Unique Patient Number), age, gender and employment. These items will not be used for identification of the individual and are stored separately for enhanced security.
This process of separate storage is known as pseudonymization[1] and is defined in the GDPR regulations. Each patient’s report is given a unique and non-informative database number (Unique Identity Code) which is the one used for research purposes.
How is personal data processed?
The EuNet-INNOCHRON ensures that all personal data under its responsibility is processed according to the GDPR:
- Processed lawfully, fairly and in a transparent manner in relation to the data subject;
- Collected for legitimate scientific research purposes;
- Processed adequately, relevantly and limited to what is necessary in relation to the purposes for which they are collected and/or further processed;
- Accurate and up to date;
- Kept for an unlimited period in a form which permits identification of data subjects for no other purpose than scientific research purposes;
- Processed in a manner that ensures appropriate security of the personal data through technical and organisational measures.
Where is the Personal Data Stored?
The data is stored in an electronic database located in Greece. The database is protected by safeguards that ensure security, including compliance with NEN7510/ISO27001 certification. The data will only be accessible by the EuNet-INNOCHRON members following a stringent access control policy.
Personal Data Transfers
The EuNet-INNOCHRON will not distribute or lease personal data to third parties.
[1] Pseudonymisation - the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. Article 4 sub (5) GDPR.