Pilot #1: GDPR compliance in own infrastructures and owned data in governmental services

Overview

Project partner IDIKA, serving as the National IT solution provider for healthcare, as well as social security & welfare, operates some of the most critical systems in Greece, including, among many others, the Social Security Number registry, the National ePrescription/eDispensation system with well over 98 % coverage of private pharmacies and doctors, Hospital Information Systems, and the National Appointment Management System (eRDV) for primary healthcare and hospitals. The data collected, stored, managed and processed by IDIKA are characterised by critical sensitivity, broad scope, large volume and vast heterogeneity, referring to every citizen in Greece. The IDIKA BPR4GDPR trials span three use cases.

Use case 1: ePrescription management

This use case deals with the actions a doctor performs to search for and retrieve an ePrescription Document, as well as to issue a new prescription, which is then dispensed by a pharmacist. It involves three actors (the doctor, the patient and the pharmacist), and a variety of personal data becomes available as a result of this procedure. The most relevant processing operations taking place are the following:

  • Access of the doctor to the medical record of the patient.
  • Provision of consent on behalf of the patient (data subject).
  • Creation of a medical prescription by the doctor.
  • Access of the pharmacist to the ePrescription Document and, therefore, to the data contained therein.
  • Storage of information (mainly logging).

All test cases apply to this use case, whereas the BPR4GDPR tools used are the following:

  • Process planning and re-engineering tool
  • Access and usage control tool
  • Compliance Ontology modeller
  • Data Management Bus

Use case 2: booking a doctor’s appointment online

This use case deals with the actions a citizen performs to book a doctor’s appointment online. Citizens have the option to choose the Health Center, the Medical Specialty or even the Doctor they desire and book their appointment online. Specific authentication and other checks are performed against external IT systems in order to finalise the doctor’s appointment booking. The most relevant processing operations taking place are the following:

  • Authentication of the citizen using a third-party service, specifically provided by the Independent Authority for Public Revenue (National Tax Authority).
  • Correlation of two identifiers (Tax Number and Social Security Number).
  • Collection and processing of personal data, used for booking the appointment.
  • Creation of a medical appointment.
  • Storage of information (mainly logging).

All test cases apply to this use case as well, whereas the tools used are the following:

  • Process planning and re-engineering tool
  • Access and usage control tool
  • Compliance Ontology modeller
  • Data Management Bus

Use case 3: ePrescription dispensation by a hospital pharmacy

This use case deals with the actions carried out mainly by a hospital pharmacist in order to dispense an ePrescription of an external patient, concerning expensive or special medicines that are only provided by hospitals (i.e., not private pharmacies). Data falling under both healthcare and social security are used, and a variety of systems participate in the process, which increases the risk of data leakage, mainly through unauthorised access. The most relevant processing operations taking place are the following:

  • Identification and authentication of the entities involved.
  • Access to personal data.
  • Exchange of personal data among different systems.
  • Storage of information (logging, as well as data update).

In this case as well, all test cases of Section 3.1.4 will be applied, and the tools used are the following:

  • Process planning and re-engineering tool
  • Access and usage control tool
  • Compliance Ontology modeller
  • Data Management Bus


Process re-engineering IDIKA trial