Marius Dumitrescu, President of the Association of Specialists in Privacy and Data Protection (ASCPD), presented the conclusions of the study "GDPR in HEALTH" Romania during the second edition of the National Conference on Data Protection in the Health Sector, held on 28 January 2019 at the Palace of Culture in Tirgu Mures.
The study is based on data collected between 15 October 2018 and 01 December 2018 from 195 healthcare-sector organizations in 36 counties of Romania. Using a questionnaire of 44 questions, three indicators were evaluated for each organization: organizational structure, awareness of the need for compliance and for the protection of personal data, and information security.
Of the 195 participating organizations, 38% were hospitals, 14% pharmacies, 12% medical clinics, 9% medical practices, 8% health authorities and 7% professional organizations; the rest were laboratories, NGOs, medical device suppliers and training services. The selected organisations employ 45,400 people, of whom 2,140 hold managerial positions, and together they provide services and medicines to approximately 2,582,338 patients per year.
The conclusions of the statistical and quantitative study:
- Awareness of the measures that need to be adopted under Regulation (EU) 2016/679 is high: 81.03% of organizations have implemented minimum measures to achieve compliance, yet 42.05% have not yet designated a DPO, noting that not all surveyed operators are obliged to do so;
- The study confirms that several categories of information (video, GPS, photos, etc.) are not recognized as personal data, with respondents mostly regarding personal data as the information found on the ID card;
- 79.49% of organizations have contracted outsourced services and are therefore obliged to verify that their suppliers comply with Regulation (EU) 2016/679, bearing in mind that liability is shared between the operator (controller) and the empowered person (processor);
- 73.85% of healthcare organizations have video surveillance systems installed, and 55.90% monitor staff during working hours;
- 74.36% own and update a website, and 37.44% have a Facebook page;
- Only 16.41% have not implemented an archive system, but 52.31% do not strictly control access to the personal data archive;
- 73.33% of the organizations have implemented technical security procedures, and 76.41% have trained personnel on the security of personal data;
- 37.44% have been confronted with security incidents, yet 73.85% have not implemented a security incident response plan;
- 70.26% use @yahoo.com and @gmail.com email addresses for business purposes;
- 11.28% have not implemented antivirus protection systems;