
TI audit follow-up report: "How to protect personal data in the field of primary health care processed within automated information systems?"

March 27, 2019

 

The Court of Accounts of the Republic of Moldova (CoA) examined at the meeting of March 27th 2019 the TI Audit Follow-up Report: "How to ensure the protection of personal data in the field of primary health care processed within the automated information systems?"

The Supreme Audit Institution, concerned with improving the protection of personal data processed in the information systems in the field of primary health care (PHC), including the implementation by the responsible entities of the requirements and recommendations submitted by Decision of the Court of Accounts no. 48 of 05.12.2016 as a result of the audit mission carried out in 2016, conducted the respective follow-up mission.

The purpose of the mission was to assess the actions undertaken by the entities covered by the Court's previous audit in order to comply with the requirements and recommendations submitted by the respective Decision, and the effect of those actions.

The scope of the mission was the actions undertaken during 2017-2018 (the reference period) by the entities referred to in the above-mentioned Decision of the Court of Accounts, namely: the National Center for the Protection of Personal Data (CNPDCP), the Ministry of Health, Labor and Social Welfare (MSMPS), and the Public Medical Sanitary Institutions (IMSP): AMT Center, University Clinic for Primary Health Care, and Balti Family Doctors Center. Audit evidence was also collected from 9 other IMSPs providing primary health care services.

The results of the verification mission show a slight improvement in the situation, with some remedial measures taken by decision-makers of the authorities concerned, such as:

CNPDCP:

- drafted and submitted, in the established way, draft legislative acts related to personal data protection, two of which (the draft Law on Personal Data Protection and the draft Law on the National Center for Personal Data Protection, which transpose the provisions of European Community law in the field of personal data protection) were approved at first reading in Parliament's plenary at the end of 2018;

- drafted, with the support of the Twinning Project experts, some draft internal normative acts, in correlation with the provisions of the new laws in the field, which regulate the core activity of CNPDCP;

- developed and placed on the web page of the institution the Guide on the procedure for registration of operators and personal data recording systems;

- provided consultations and training in the field to the MSMPS and medical institutions in order to familiarize them with the provisions of the normative framework on the protection of personal data;

MSMPS:

  • drew up a series of regulations governing activities in the Automated Information System for Primary Health Care (SIA AMP) (System Operation and Usage Regulations, Security Policy and Personal Data Protection);
  • concluded / revised the necessary agreements with the National Health Insurance Company (CNAM) and the CRIS Registry to provide data exchange between SIA AMP and the Information System (SI) held by them;
  • with the support of the development company, eliminated some shortcomings related to the operation of SIA AMP, etc.

At the same time, the actions undertaken at the beginning of this year (identifying CNAM as the authority responsible for the administration, maintenance and development of the System; initiating the adjustment of the regulatory framework related to the functioning of the System; starting the activities for authentication in the System through the electronic signature (MPass), one of the basic conditions for the protection of personal data) create the necessary prerequisites for eliminating the shortcomings and malfunctions found by the Court's previous audit and for achieving the expected impact on the protection of sensitive personal data and citizens' information security.

Thus, it is emphasized that, given the sensitivity and volume of personal data processed in the medical field, especially through information systems, CNPDCP, in its capacity as guarantor of the protection of personal data, is to intensify its activities in order to ensure adequate control of citizens' data protection.

MSMPS is also expected to deliver a single strategic vision of process automation in the medical field, in order to avoid the partial implementation and usage (at IMSP level) of ISs that are not interconnected and compatible, which generates maintenance and development costs as well as major risks to the confidentiality of citizens' data processed by the systems. In the same vein, MSMPS and CNAM need to step up their joint efforts to strengthen the IT controls of the SIA AMP, implemented at national level, in order to ensure its full compliance with the requirements of the legislative framework.

In the context of the above, the follow-up mission offered a series of recommendations and solutions to the target entities, in order to eliminate the identified deficiencies and failures and to ensure the impact of the policy in the field of personal data protection.