Health data protection a headache for authorities and individuals

Since the announcement of StopCoviD, the tracking application, several debates have been initiated, conducted and will continue to emerge as they go along.

The key, if not worry, issue at the overwork centre is nothing more than health data management. Health data is personal data that allows you to have certain information about a particular person.

This article will also interest you: Protecting personal data to the test of the coronavirus pandemic

It may be his state of health but even more so. That is, personal information such as names, first names and even marital statuses, not to mention geographical location. To say that speaking of personal health data, the delicate nature of the thing pushes some people especially human rights defenders and computer security specialists to react.

The idea of the application and the lens behind it are not bad in itself. However, there are several realities to consider. Like the fact that all stakeholders in this program could have access to all the data that will be collected and managed. And the players in this tracking chain to date are quite numerous. These include doctors, pharmacies, laboratories, military health services, health facilities, health insurance, territorial occupational health communities and all the structures that have been created since the beginning of the pandemic to fight the disease. Far too many stakeholders for all this data. This makes it difficult to make any transparency in the management of these difficults.

Under such conditions, applying certain rules would be impossible. Even if on the other hand the Constitutional Council tries to broaden the scope of existing principles by trying to include certain ideas of public necessity. The supreme legal institution noted to this effect: "the scope of persons who may have access to this personal data, without the consent of the person concerned, is particularly extensive, this extension is made necessary by the mass of steps to be taken to organize the collection of information necessary to combat the development of the epidemic." In the current context, it would be unconstitutional if and only social workers were to become aware of the files belonging to individuals without their consent, because "there is no justification that the disclosure of personal data processed in the information system is not conditional on the collection of consent of the persons concerned."

It should also be noted that the Ministry of Health has mobilized a group of agents called "guardian angel brigades", their objective being to ensure the tracking of people detected positive to coronavirus as well as people with whom one flies in contact. To ensure the security of the information that would be connected about the people involved in this tracking, the intervening structures should implement a means to comply with the current standard in this regard, including the European Regulation 2016/679 of 27 April 2016, where the existence is made to stakeholders: "respect the essence of the right to data protection and provide appropriate and specific measures for the safeguarding of fundamental rights and the interests of the person concerned. To this end, an enabling matrix defining access rights in reading and writing according to the profiles of qualified personnel is a central element of processing security."

However, the Ministry of Health had notified the National Commission for Information Technology and Freedoms that it did not intend to reconfigure tracking devices to limit access for the sole need of users due to "operational constraints encountered". A posture that for lawyers is totally contrary to the rules of the general data protection regulation in the context of "appropriate technical or organisational measures" (Article 5.1). Indeed, you in article 32. 2 the RGPD states that: "In particular, consideration is given to the risks posed by the treatment, including destruction, loss, tampering, unauthorized disclosure of personal data transmitted, retained or otherwise processed, or unauthorized access to such data, accidentally or illegally."

In addition, another point is highlighted regarding data management after collection. It is the centralization of the information collected. For specialists, doing so exposes greatly the people involved in this tracking dynamic. Because it makes it very easy for the authority in charge of this collection and management to be abused. In the case of the French tracking application, the idea was put forward to encrypt the information even though it will be stored on a single, centralized server. An idea that is certainly not perfect, but which has the merit of being validated by the National Commission for Information Technology and Freedoms, that on April 24, 2020 w[…]rote: "The design of the StopCovid application testifies to the concern to protect the privacy of people, in particular by avoiding the centralized in a server a list of people who declare themselves sick."

Despite all these attempts, the problem remains. Personal health information has not yet found a technical and legal framework to ensure the protection of related persons.

Now access an unlimited number of passwords:

Check out our hacking software