How to create and earn SaaS | Part 17 | Personal data and medical secrets in the cloud
Today is a dry post, written in close consultation with lawyers of the company Zarcin and partners and startup Dental Cloud . I have nothing to add, so we read and turn to Lyudmila Kharitonova for clarification and advice. And attention (!) In it links to 16 regulatory legal acts and I propose first to run off for popcorn.
Case
The key question for discussion is: “Can a SaaS service transfer to a third party data that is equivalent to medical confidentiality for processing and storage”? Potential provider Oblakoteka company providing PaaS "AzuRus platform"
In the case, personal data (PD) containing health information is considered in the case as a derivative of PD and for this reason it will be discussed, including and about the latter in general.
')
Personal data and medical secrecy
Personal data (PDN), containing information about health, belong to a separate category, and their processing has a number of features. However, the difficulty lies in the fact that there is no single act regulating the procedure for working with this category of PD, and judicial practice in such cases has not yet been formed. Analyzing the procedure for working with PD, we must take into account the provisions of the Federal Law "On Personal Data" (hereinafter referred to as 152-), as well as the provisions of the regulations on health care and medical confidentiality.
General provisions
According to 152-FZ, personal information refers to any information directly or indirectly related to a specific or designated individual (subject of personal data).
At the same time, in addition to general provisions, the law regulates the processing of individual (special) categories of data. These categories include PD,
relating to race and nationality, political views, religious or philosophical beliefs, health, intimate life.
According to the law, their processing is possible ONLY in cases expressly specified in the legislation. This list is not subject to extensive interpretation and in other cases PD processing of this kind is not allowed.
Special requirements
It is allowed to process personal data in special cases if:
1) the subject of personal data has agreed in writing to the processing of his personal data;
2) personal data made publicly available by the subject of personal data;
2.1. personal data processing is necessary in connection with the implementation of the international agreements of the Russian Federation on readmission;
2.2. personal data processing is carried out in accordance with the legislation on state social assistance , labor legislation , pension legislation of the Russian Federation;
3) the processing of personal data is necessary to protect the life, health or other vital interests of the subject of personal data or the life, health or other vital interests of other persons, while obtaining the consent of the subject of personal data is impossible;
4) the processing of personal data is carried out for medical and preventive purposes, in order to establish a medical diagnosis, the provision of medical and medical-social services, provided that the processing of personal data is carried out by a person professionally engaged in medical activities and obliged in accordance with the legislation of the Russian Federation to keep medical secrecy ;
5) the processing of personal data of members (participants) of a public association or religious organization is carried out by the relevant public association or religious organization operating in accordance with the legislation of the Russian Federation to achieve the legal goals stipulated by the constituent documents, provided that personal data will not be distributed without written consent the form of the subjects of personal data;
6) the processing of personal data is necessary to establish or exercise the rights of the subject of personal data or third parties, as well as in connection with the administration of justice;
7) the processing of personal data is carried out in accordance with the legislation of the Russian Federation on defense , on security , on countering terrorism , on transport security , on counteracting corruption , on operational investigative activities , on enforcement proceedings , or with the criminal executive legislation of the Russian Federation;
7.1. processing of personal data received in the cases established by the legislation of the Russian Federation is carried out by the prosecution authorities in connection with their exercise of prosecutorial supervision;
8) the processing of personal data is carried out in accordance with the legislation on mandatory types of insurance or insurance legislation ;
9) the processing of personal data is carried out in cases stipulated by the legislation of the Russian Federation, state bodies, municipal bodies or organizations for the purpose of arranging children left without parental care to be brought up in families of citizens;
10) the processing of personal data is carried out in accordance with the legislation of the Russian Federation on the citizenship of the Russian Federation.
In addition to the law 152-FZ, it is necessary to take into account other regulatory acts. Thus, in Letter No. 5470 / 30-3 / I dated 10.29.1999. FFOMS “On Methodical Recommendations” states that: “Medical confidentiality - undisclosed information about the fact that a patient has applied for medical care, a diagnosis and other information about his health and private life, obtained as a result of examination and treatment, prevention and rehabilitation.”
A citizen must be confirmed with a guarantee of the confidentiality of the information transmitted to them. The right of citizens to the confidentiality of the information they transmit when they apply for and receive medical care, as well as other information constituting medical confidentiality, gives rise to the responsibility of health workers and other persons for its disclosure. Thus, part 5 of Article 61 of the Basis stipulates that persons who received medical confidentiality in the manner prescribed by law, along with medical and pharmaceutical workers, are subject to disciplinary, administrative or criminal liability for disclosing medical secrets, taking into account the damage caused to a citizen Russian Federation, republics of the Russian Federation.
The requirements for the processing of personal data by special categories are established by the relatively new regulatory act “Requirements for the protection of personal data when they are processed in personal data information systems” (approved by the Government of the Russian Federation on November 1, 2012 N 1119).
This act prescribes the following set of measures:
Accordingly, for a special category of PDN, level 3 or 4 is relevant (depending on the number of PD subjects whose data are being processed).
Given the nature of the data and the limitations imposed by law, you must:
In this case, the transfer of data to a third party for storage will not be considered a disclosure of medical confidentiality, since the subject himself has permitted such transfer by written consent. This means that the condition of sub. 1 p. 2 Art. 10 152-.
In fact, the vendor of the service can place it on the side of the provider and this will not be considered a disclosure of medical secrecy. This practice is appropriate in the case when the vendor does not build its own cloud, does not provide service access services, but transfers the right to use licenses.
The post was prepared with the participation of our legal consultants of the company “Zartsyn and partners” and I highly recommend to contact our colleagues for legal support, who have a special offer for stattaps .
Alexey Kalachnikov
Materials series "How to create and earn on SaaS"
Case
The key question for discussion is: “Can a SaaS service transfer to a third party data that is equivalent to medical confidentiality for processing and storage”? Potential provider Oblakoteka company providing PaaS "AzuRus platform"
In the case, personal data (PD) containing health information is considered in the case as a derivative of PD and for this reason it will be discussed, including and about the latter in general.
')
Personal data and medical secrecy
Personal data (PDN), containing information about health, belong to a separate category, and their processing has a number of features. However, the difficulty lies in the fact that there is no single act regulating the procedure for working with this category of PD, and judicial practice in such cases has not yet been formed. Analyzing the procedure for working with PD, we must take into account the provisions of the Federal Law "On Personal Data" (hereinafter referred to as 152-), as well as the provisions of the regulations on health care and medical confidentiality.
General provisions
According to 152-FZ, personal information refers to any information directly or indirectly related to a specific or designated individual (subject of personal data).
At the same time, in addition to general provisions, the law regulates the processing of individual (special) categories of data. These categories include PD,
relating to race and nationality, political views, religious or philosophical beliefs, health, intimate life.
According to the law, their processing is possible ONLY in cases expressly specified in the legislation. This list is not subject to extensive interpretation and in other cases PD processing of this kind is not allowed.
Special requirements
It is allowed to process personal data in special cases if:
1) the subject of personal data has agreed in writing to the processing of his personal data;
2) personal data made publicly available by the subject of personal data;
2.1. personal data processing is necessary in connection with the implementation of the international agreements of the Russian Federation on readmission;
2.2. personal data processing is carried out in accordance with the legislation on state social assistance , labor legislation , pension legislation of the Russian Federation;
3) the processing of personal data is necessary to protect the life, health or other vital interests of the subject of personal data or the life, health or other vital interests of other persons, while obtaining the consent of the subject of personal data is impossible;
4) the processing of personal data is carried out for medical and preventive purposes, in order to establish a medical diagnosis, the provision of medical and medical-social services, provided that the processing of personal data is carried out by a person professionally engaged in medical activities and obliged in accordance with the legislation of the Russian Federation to keep medical secrecy ;
5) the processing of personal data of members (participants) of a public association or religious organization is carried out by the relevant public association or religious organization operating in accordance with the legislation of the Russian Federation to achieve the legal goals stipulated by the constituent documents, provided that personal data will not be distributed without written consent the form of the subjects of personal data;
6) the processing of personal data is necessary to establish or exercise the rights of the subject of personal data or third parties, as well as in connection with the administration of justice;
7) the processing of personal data is carried out in accordance with the legislation of the Russian Federation on defense , on security , on countering terrorism , on transport security , on counteracting corruption , on operational investigative activities , on enforcement proceedings , or with the criminal executive legislation of the Russian Federation;
7.1. processing of personal data received in the cases established by the legislation of the Russian Federation is carried out by the prosecution authorities in connection with their exercise of prosecutorial supervision;
8) the processing of personal data is carried out in accordance with the legislation on mandatory types of insurance or insurance legislation ;
9) the processing of personal data is carried out in cases stipulated by the legislation of the Russian Federation, state bodies, municipal bodies or organizations for the purpose of arranging children left without parental care to be brought up in families of citizens;
10) the processing of personal data is carried out in accordance with the legislation of the Russian Federation on the citizenship of the Russian Federation.
In addition to the law 152-FZ, it is necessary to take into account other regulatory acts. Thus, in Letter No. 5470 / 30-3 / I dated 10.29.1999. FFOMS “On Methodical Recommendations” states that: “Medical confidentiality - undisclosed information about the fact that a patient has applied for medical care, a diagnosis and other information about his health and private life, obtained as a result of examination and treatment, prevention and rehabilitation.”
A citizen must be confirmed with a guarantee of the confidentiality of the information transmitted to them. The right of citizens to the confidentiality of the information they transmit when they apply for and receive medical care, as well as other information constituting medical confidentiality, gives rise to the responsibility of health workers and other persons for its disclosure. Thus, part 5 of Article 61 of the Basis stipulates that persons who received medical confidentiality in the manner prescribed by law, along with medical and pharmaceutical workers, are subject to disciplinary, administrative or criminal liability for disclosing medical secrets, taking into account the damage caused to a citizen Russian Federation, republics of the Russian Federation.
The requirements for the processing of personal data by special categories are established by the relatively new regulatory act “Requirements for the protection of personal data when they are processed in personal data information systems” (approved by the Government of the Russian Federation on November 1, 2012 N 1119).
This act prescribes the following set of measures:
- determining the level of types of threats;
- determination of the necessary level of protection and implementation of measures necessary for each level.
Accordingly, for a special category of PDN, level 3 or 4 is relevant (depending on the number of PD subjects whose data are being processed).
Given the nature of the data and the limitations imposed by law, you must:
- When collecting patient data for consent to PD processing, indicate to whom this data will be transferred for storage and how it is stored and processed. We obtain consent through the form on the site and write in the contract of the offer or the License Agreement
- Develop a package of internal documents on PD processing, including determining the types of threats. Must be at the vendor, the provider - everyone who works with PD
- Depending on the level of security, implement technical measures to protect PD. On the provider side
- If the storage will be carried out by a third party, indicate it in the consent for PD processing and in the agreement with this person indicate the necessary technical measures to protect the PD and also describe the need to ensure the confidentiality of this data (taking into account a special category). Specify the name of the provider in the registration form on the service site
In this case, the transfer of data to a third party for storage will not be considered a disclosure of medical confidentiality, since the subject himself has permitted such transfer by written consent. This means that the condition of sub. 1 p. 2 Art. 10 152-.
In fact, the vendor of the service can place it on the side of the provider and this will not be considered a disclosure of medical secrecy. This practice is appropriate in the case when the vendor does not build its own cloud, does not provide service access services, but transfers the right to use licenses.
The post was prepared with the participation of our legal consultants of the company “Zartsyn and partners” and I highly recommend to contact our colleagues for legal support, who have a special offer for stattaps .
Alexey Kalachnikov
Materials series "How to create and earn on SaaS"
- Part I | remove all unnecessary, hit the target, experiment
- Part 2 | invaluable experience of Russian ISV
- Part 3 | sales through an affiliate channel that may not be needed
- Part 4 | Startup Quickme - communication and collaboration of small teams
- Part 5 | widespread SaaS integration, how nice the threat is to the rest of the software business or how 1 + 1 turns into 3
- Part 6 | Quickme story for partners or 7 reasons to do things together
- Part 7 | why not sell SaaS?
- Part 8 | SaaS - the realities of the Russian market
- Accidentally forgotten Part 9 | Legal Fog SaaS
- Part 10 | Business Model Metrics
- Part 11 / Cloud Services Reviews / UX and Usability Testing
- Part 12 | Mobile revolution of access to the clouds: how to change the operator in "one click"
- Part 13 / Three steps roaming technologies
- Part 14 | Somersaults with prices
- Part 15 | Virtual SIM? No, not heard
- Part 16 | Own mobile network WI-FI
- Part 17 | Personal data and medical secrets in the cloud
Source: https://habr.com/ru/post/254423/
All Articles