Abstract
As of May 2018, all relevant institutions within member countries of the European Economic Area are required to comply with the European General Data Protection Regulation (GDPR) or face significant fines. This regulation has also had a notable effect on the European Union (EU) candidate countries, which are undergoing the process of harmonizing their legislature with the EU as part of the accession process. The Republic of Serbia is an example of such a candidate country, and its 2018 Personal Data Protection Act mirrors the majority of provisions in the GDPR. This paper presents the impact of the GDPR on health data management and Serbia’s capability to conduct international health data research projects. Data protection incidents reported in Serbia are explored to identify common underlying causes using a novel taxonomy of contributing factors across aspects and health system levels. The GDPR has an extraterritorial application for the non-EU data controllers who process the data of EU citizens and residents, which mainly affects private practices used by medical tourists from the EU, public health care institutions frequented by foreigners, as well as expatriates, dual citizens, tourists, and other visitors. Serbia generally does not have well-established procedures to support international research collaborations around its health data. For smaller projects, contractual arrangements can be made with health data providers and their ethics committees. Even then, organizations that have not previously participated in similar ventures may require approval or support from health authorities. Extensive studies that involve multisite data typically require the support of central health system institutions and relevant research data aggregators or electronic health record vendors. The lack of a framework for preparation, anonymization, and assurance of privacy preservation forces researchers to rely heavily on local expertise and support. Given the current limitation and potential issues with the legislation, it remains to be seen whether the move toward the GDPR will be beneficial for the Serbian health system, medical research, protection of personal data and privacy rights, and research capacity. Although significant progress has been made so far, a strategic approach is needed at the national level to address insufficient resources in the area of data protection and develop the personal data protection environment further. This will also require a targeted educational effort among health workers and decision makers, aiming to improve awareness and develop skills and knowledge necessary for the workforce.
Highlights
BackgroundThe European General Data Protection Regulation (GDPR) 2016/679 [1] was established in April 2016, replacing the Data Protection Directive 95/46/EC and detailing the constraints around the processing of individuals’ personal data inside the European Economic Area
This regulation has a notable effect on the European Union (EU) candidate countries, which are undergoing the process of harmonizing their legislature with the EU, as part of the accession process
As one of the very few low- and middle-income countries (LMICs) in Europe, Serbia is increasingly seen as an attractive ecosystem for low- and middle-income country Ministry of Health (MoH) (LMIC) implementation research projects, and this paper provides some recommendations for conducting such research in the local setting
Summary
The European General Data Protection Regulation (GDPR) 2016/679 [1] was established in April 2016, replacing the Data Protection Directive 95/46/EC and detailing the constraints around the processing of individuals’ personal data inside the European Economic Area. As of May 2018, all relevant institutions in the member countries have to comply with the GDPR or face significant fines. This regulation has a notable effect on the European Union (EU) candidate countries, which are undergoing the process of harmonizing their legislature with the EU, as part of the accession process. The Republic of Serbia is an example of a country, which is not a member of the EU but where the GDPR is highly relevant. Given the duration of the EU accession process in Serbia and other candidate countries, namely, Northern Macedonia, Albania, Montenegro, and Turkey, this situation may continue for a prolonged period
Published Version (Free)
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.