1. PURPOSE OF DATA PROTECTION & INFORMATION SECURITY
This policy defines, at a strategic level, how Oncomfort protects data, which responsibilities are assigned to whom, and which priorities Oncomfort has set for data protection.
Concerning personal data, Oncomfort plays a role on three different levels:
- As the employer of different employees, acting as a controller
- As the developer and distributor of medical devices, acting as a controller
- As the provider of services, acting as a processor
Oncomfort wishes to protect all personal data at each of the three levels on which it is active.
In particular, Oncomfort wishes to protect the personal data of internal and external employees and of clients, as well as the personal data these clients make available to Oncomfort regarding their patients or others, against:
- Loss: data is no longer available
- Breaches: data has ended up in the wrong hands
- Unavailability: data cannot be accessed when treatment is due
- Unauthorized access: data has been seen by someone who is not authorized to see it
- Lack of traceability: it is impossible to check who has seen, changed or deleted the data
- Non-compliance: processes that are not in accordance with regulation, guidelines and industry standards
This policy focuses on the protection of privacy and, more specifically, of personal data. It serves as the benchmark for processing personal data within Oncomfort, forms a guideline for all processes and provides a reference standard for audit and control. This document gives every stakeholder insight into the policy and into how they should deal with personal data.
This policy is also written for anyone who, because of their specific function within Oncomfort, processes data that is controlled by healthcare professionals. They will use (parts of) this policy to design procedures and guidelines for employees and third parties and to support their clients.
2. SCOPE OF THE DATA PROTECTION POLICY
2.1 Material scope
This data protection policy applies to the entire lifecycle of information within Oncomfort, from obtaining information until the final disposal of it within the organization.
This policy applies to:
- All employees of Oncomfort, both internal and external (i.e. subcontractors);
- All assets and information processing systems managed by Oncomfort, as well as systems managed by third parties working as subcontractors such as databases, applications, data centers, etc.;
- All processing activities, both as controller and processor.
This includes personal data of internal/external employees and clients, but also personal data of patients Oncomfort receives from its clients. Every process that involves the processing of personal data within Oncomfort falls within the scope of this data protection policy.
For certain domains or processes (e.g. information transfer, data breaches, incident management or passwords) within Oncomfort, additional policies, procedures or guidelines may be adopted when required to address specific processing operations or domains.
2.2 Functional scope
This data protection policy applies to all processing, whatever its specific purpose. Because of its main activity, Oncomfort operates in three different scopes:
- As the employer, acting as a controller;
- As the developer and distributor of medical devices, acting as a controller;
- As the provider of services, acting as a processor.
Employer
As an employer, Oncomfort inevitably processes personal data concerning its employees.
Developer and distributor of medical devices
Oncomfort's main activity consists of developing and distributing medical devices. Numerous professional healthcare providers rely on Oncomfort devices to support them in their day-to-day activities. In this context, Oncomfort acts as a controller. This policy applies to all personal data of both the healthcare provider and its patients.
Provider of services
After the professional healthcare providers have been set up with their application or service, Oncomfort offers support based on a support contract. Consequently, datasets from the professional healthcare provider may be transferred to Oncomfort. This data protection policy remains applicable to all personal data transferred to Oncomfort. On some occasions Oncomfort employees are granted access to the local information processing environments of clients in order to perform these services.
2.3 Territorial scope
This data protection policy applies to all processing of personal data by Oncomfort itself or by entities appointed by Oncomfort, regardless of where the processing takes place, including processing outside the European Economic Area. Oncomfort will take appropriate measures to monitor and guarantee compliance with this policy.
3. POLICY OBJECTIVES
The General Data Protection Regulation establishes a framework of rights and duties designed to safeguard personal data. It balances the legitimate need of organizations to collect and use personal data for business purposes with the right of individuals to retain control over their personal data. Oncomfort, both in its role as controller and as processor (where applicable), will abide by the following data protection principles:
1. Oncomfort is transparent towards the data subjects, the customers and the different supervisory authorities concerning the personal data it processes and the purpose for processing. The communication will be in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The principle of transparency will be applied within every level of Oncomfort.
2. The processing of personal data shall be lawful. This means that every processing shall have a corresponding legitimate basis.
3. Oncomfort will only process personal data for specified, explicit and legitimate purposes. Further processing is only allowed when the purpose of that further processing is compatible with the initial purposes.
4. Especially where Oncomfort operates as a processor, the personal data processed shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Oncomfort will ensure that the period for which the personal data are stored is limited to a strict minimum.
5. Concerning Oncomfort’s role as a controller, personal data should be accurate and, where necessary, kept up to date.
6. Personal data should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
7. Oncomfort will implement appropriate technical and organizational measures to ensure the confidentiality and integrity of the personal data during the entire data life cycle. These measures protect against unauthorized or unlawful processing of personal data and against accidental loss, destruction or damage of personal data.
8. These measures will limit the likelihood of a data breach. In the unfortunate event that a data breach does occur, it will be documented internally and reported in accordance with the relevant legislation and recommendations, which, where required, means notifying the supervisory authority and the data subjects concerned within the statutory deadlines.
9. Oncomfort has appropriate measures in place to answer requests from data subjects concerning their rights in a timely manner. These rights include (but are not limited to) the right of access, the right to rectification, the right to erasure and the right to data portability.
10. Oncomfort will mainly process personal data within the European Economic Area. If any personal data are transferred to third countries, Oncomfort will take appropriate measures to ensure an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data, for example by relying on an adequacy decision or on appropriate safeguards such as standard contractual clauses. Oncomfort will monitor any codes of conduct adopted within its sector and will adhere to them.
11. Oncomfort shall implement appropriate technical and organizational measures to ensure data protection by default. Only personal data which are necessary for each specific purpose of the processing are processed. Excessive processing is not allowed. This obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.
12. Oncomfort shall, whatever the concrete processing, implement appropriate technical and organizational measures to enforce data protection by design. Oncomfort will take internal measures so that privacy and data protection are taken into account from the very start of the process and remain important during the entire life cycle of the system or process development.
13. Oncomfort is responsible for enforcing these aforementioned principles and is able to demonstrate compliance in line with the accountability principle. This compliance will be guaranteed by performing internal audits.
4. THE ORGANIZATION OF INFORMATION SECURITY
4.1 Involved actors
In its capacity as controller, ownership of this policy lies with the board of directors of Oncomfort. The board of directors is responsible for formulating, determining and overseeing compliance with the policy principles within Oncomfort.
Responsible for the execution
The board of directors acts as a formal decision-making platform for data protection. The board of directors is entitled to make decisions that are related to the following aspects:
- The risk analysis and associated methodology;
- Developing the data protection policy and the accompanying guidelines;
- The implementation of security measures (e.g. the content of the security plan);
- The structural response to data protection issues and advice (within 3 months).
The board of directors will involve its key employees in the definition of data protection policies and work with them to realize adoption throughout the organization.
Data Protection Officer
The substantive follow-up of this data protection policy lies with the Data Protection Officer (DPO), who performs these tasks in accordance with the provisions of the General Data Protection Regulation (GDPR). Oncomfort reports the identity of the DPO (and any changes to it) to the Data Protection Authority (in Belgium: Gegevensbeschermingsautoriteit). The DPO reports to the board of directors of Oncomfort NV.
Anyone (contracted employee or contracted independent worker) who processes data (for example by viewing, registering or modifying it) has to do so according to the guidelines in this data protection policy. The employee processes data with due discretion and is responsible for:
- The data of clients and patients that he/she processes;
- Following the security guidelines during his/her processing assignment;
- Only processing data that is associated with his/her task;
- Taking care of the data;
- Reporting violations;
- Respecting professional secrecy, as required by article 458 of the Belgian Penal Code and article 17 of the Belgian Employment Contracts Act (‘Arbeidsovereenkomstenwet’/’Loi relative aux contrats de travail’).
Third parties have the same responsibilities as a privileged user. Additionally, they have the following responsibilities:
- Indicating the security risks of the applications they deliver;
- Informing Oncomfort about the security tasks that remain after delivery;
- Pursuing a transparent data protection policy towards Oncomfort by communicating about their own current security level and their handling of security incidents.
4.2 Data Protection Officer
4.2.1 Designation of the Data Protection Officer
The General Data Protection Regulation introduces the role of the Data Protection Officer. Because Oncomfort develops and distributes medical devices for the healthcare industry in different areas, its core activities consist of processing large quantities of personal data concerning health. Oncomfort is therefore obliged to designate a Data Protection Officer.
The legal basis for the Data Protection Officer is set out in Articles 37 to 39 of the General Data Protection Regulation.
The Data Protection Officer shall be designated on the basis of professional qualities and expert knowledge of data protection law and practices. The Article 29 Working Party (WP29) lists the following relevant skills and expertise for the Data Protection Officer:
- Experience in both national & European legislation and practices in the field of data protection;
- In-depth knowledge and understanding of the General Data Protection Regulation;
- Know-how of Oncomfort and the healthcare sector in general;
- Soft skills such as integrity, diplomacy and high professional ethics;
- Having a good understanding of information security.
Oncomfort shall publish the contact details of its Data Protection Officer and communicate them to the supervisory authority. The Data Protection Officer shall be easily accessible. Future changes will be communicated clearly.
4.2.2 Position of the Data Protection Officer
Oncomfort shall ensure that the Data Protection Officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
Oncomfort shall support the Data Protection Officer in performing his or her tasks by providing the resources necessary to carry out those tasks, access to personal data and processing operations, and the means to maintain his or her expert knowledge.
It is of the utmost importance that the Data Protection Officer remains independent at all times. Oncomfort therefore has to ensure that the Data Protection Officer does not receive any instructions regarding the exercise of his or her tasks. He/she shall not be dismissed or penalized for performing those tasks and shall report directly to the highest management level of Oncomfort.
The Data Protection Officer shall be bound by secrecy or confidentiality concerning the performance of his/her tasks.
4.2.3 Tasks of the Data Protection Officer
The tasks of the Data Protection Officer can be divided into three different groups, referring to the three different functional scopes where Oncomfort will operate.
A. Oncomfort as a controller
When Oncomfort acts as a controller, the Data Protection Officer shall have the following tasks:
- Informing and advising Oncomfort and its employees concerning data protection;
- Monitoring compliance with both the applicable regulation and Oncomfort's policies, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
- Providing advice where requested in regard to data protection impact assessments and monitoring their performance;
- Cooperating with the supervisory authority, being the Gegevensbeschermingsautoriteit in Belgium, and where applicable any other national data protection authority;
- Acting as the contact point for the supervisory authority on issues relating to processing.
B. Oncomfort as a developer and distributor of medical devices
When Oncomfort acts in its role as a developer and distributor, the Data Protection Officer shall have the following tasks:
- Aiding the device developers with the practical consequences of data protection by design and data protection by default;
- Assisting the device developers with implementing appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
C. Oncomfort as a service provider
When Oncomfort acts in its role as a service provider, the Data Protection Officer shall have the following tasks:
- Notifying the controller without undue delay after becoming aware of a personal data breach, and assisting the controller as much as possible with:
  - Describing the nature of the personal data breach;
  - Describing the likely consequences of the personal data breach;
  - Proposing countermeasures to mitigate the consequences;
- Aiding in documenting any personal data breaches;
- Providing advice where requested in regard to data protection impact assessments and monitoring their performance.
In general, the Data Protection Officer shall have a documentary, stimulating, advising and controlling role within Oncomfort.
4.3 Board of directors
The board of directors will be the deciding body concerning data protection. The Data Protection Officer will report on a monthly basis to the board of directors.
The board of directors takes decisions on all responsibilities that the data protection organization carries:
- Modifying the Data Protection Policy;
- Appointment of a Data Protection Officer;
- Monitoring the independence of the Data Protection Officer;
- Monitoring the business processes described in this policy for data protection purposes;
- Formulating advisory questions to the data protection officer;
- Modifying the policy and its implementation on the advice of the Data Protection Officer;
- The risk management decisions in the processing of personal data, including the allocation of employees' time to data protection tasks;
- The approval of the classification schedules, which determine, for example, when a data protection impact assessment should take place, as well as the classification schedules for reporting infringements;
- The design and maintenance of the business processes described in this policy text;
- Assigning responsibilities for executing business processes;
- Decisions on all considerations under Regulation 2016/679, including those based on legitimate interests and those relating to children, as well as decisions regarding compatibility of the purposes of further processing of personal data;
- Creating the necessary documentation for all (proposals for) decisions;
- Formalizing the decisions by the board of directors;
- The application of sanctions for violations;
- Reporting of the data protection policy and the relevant underlying policies;
- Recommending on data protection by design and data protection by default;
- Determining the purchasing policy with regard to processors.
5. INTERACTION BETWEEN DATA PROTECTION AND INFORMATION SECURITY
5.1 Data protection vs. information security
Data protection aims to protect the personal data of data subjects. Personal data is any information relating to an identified or identifiable natural person: an individual's name or social security number, for example, but also health information or religious beliefs. Data protection therefore emphasizes principles such as lawfulness, purpose limitation, collection limitation, data minimization, access and accountability, but also relies on information security as a whole.
Information security, on the other hand, can be defined as the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction in order to provide confidentiality, integrity and availability. It refers to the technical and operational measures an organization must take to ensure that the data it holds are safe and secure, and it is not limited to personal data.
5.2 Same purpose
Although the scopes of data protection and information security overlap and both serve the same overarching purpose, the two terms are not interchangeable and differ significantly: information security covers all information, personal or not, whereas data protection governs the lawful and fair processing of personal data, of which security is only one requirement. Both data protection and information security requirements should be implemented together to meet the obligations set out in the General Data Protection Regulation and in this data protection policy.