The Commissioner for Information of Public Importance and Personal Data Protection reiterated today his opinion that the situation regarding the Integrated Health Information System (IHIS), i.e. the “My Doctor” portal, is worrying from a personal data protection standpoint and could potentially have immeasurable harmful consequences.
The Commissioner recommends that citizens, in the absence of a proper response from the competent authorities, do everything within their means to protect their personal data. The Commissioner suggests that citizens ask their chosen physicians whether they have changed and individualised the “passwords” assigned to them upon activation of the “My Doctor” service and, if not, insist that their physician do so.
The existing, initially assigned passwords are very weak and offer virtually no protection. Because of this, the “My Doctor” portal allows easy access by unauthorised persons to all data contained in the database, including not only the patient’s name and surname and Unique Personal Identification Number, but also all data on diagnoses, disease history, treatment, medicinal products, referrals to specialists, dates of visits and check-ups etc.
Under the Law on Personal Data Protection, these data belong to the category of the so-called particularly sensitive data, which warrant special safeguards. And under the Law on Patients’ Rights, only attending physicians can access those data, while all other persons – unless they have the patient’s consent – must obtain a court decision in order to do so. It is therefore harmful, risky and absurd that, in reality, these data can be accessed online by an undefined, but potentially very large, number of unauthorised persons.
The Commissioner warned the competent Ministry of Health several months ago that it was implementing the IHIS without a proper legal basis. Under the Serbian Constitution, the implementation and functioning of a system that involves the large-scale processing of huge quantities of particularly sensitive data is possible only on the basis of, and in accordance with, the provisions of a law, and no relevant law in the field of health currently provides for such a possibility.
However, in addition to the clearly unavoidable issue of the lack of a proper legal basis, an equally serious issue has now emerged – that of weak security and the potential for harm to and abuse of personal data within the system. The Commissioner warned the competent authorities several months earlier and followed this with a repeated warning and a letter to the Prime Minister. As none of these efforts produced the expected results, and as the media failed to give this warning the level of publicity it deserved given the potential scope of the threat to citizens’ rights, while social media were flooded with disparaging and unsubstantiated comments, the Commissioner believes it is incumbent upon him to once again warn about the unacceptable risks that are unavoidably involved in the current operating arrangements of the IHIS and in particular the “My Doctor” portal.