Background
Akershus University Hospital (Ahus) provides digital follow-up at home (DHO) to around 6,000 patients. Most people are able to use the service unaided, but some, for various reasons, need help from others to use it. This can be provided by next of kin, assistants or other helpers. Ahus lacks a solution that gives helpers independent access, and has identified an unfortunate practice that has developed where helpers use the patient's login information.
This means that Ahus does not know who is logging in, nor does it have an overview of who has seen or done what. The patients themselves can also lose track. Sharing login information also entails a risk of misuse of other solutions the patient uses.
Ahus is looking for a solution that allows patients to give their helpers power of attorney to perform certain tasks for them. The solution will enable helpers to log in as themselves. This will improve data protection and benefit more patients and patient groups who struggle to use digital tools without assistance.
About the project
Through the Norwegian Data Protection Authority’s regulatory sandbox, we have assessed whether Ahus can use a national supplier of power of attorney solutions for the healthcare sector, rather than developing its own solution or purchasing it from a private provider. Norsk helsenett (NHN), owned by the Norwegian Ministry of Health and Care Services, has a power of attorney solution in place for its users.
The sandbox project has looked at what data protection assessments Ahus must make to ensure data protection for patients who could use the power of attorney solution in connection with follow-up at home.
Summary of the project's discussions and findings
Ahus determines the purpose of the data processing and how the power of attorney solution will be adapted. It is therefore natural that Ahus is the data controller.
The term ‘data controller’ corresponds to the Norwegian term ‘dataansvarlig’ used in Norwegian health law. (In Norwegian, the term ‘dataansvar’ is used instead of ‘behandlingsansvar’, as ‘behandling’ can refer to both medical treatment and processing in the context of data).
- Which legal basis could be used for allowing patients to use the power of attorney solution?
- The Norwegian Patient and User Rights Act regulates who can consent to health care and when children can consent. We specify that this is not the same as a consent in the sense of the GDPR. In the first instance, the power of attorney solution will be used by adults (persons over the age of 18) with the capacity to consent. In line with this, consent may be a relevant legal basis, cf. Article 6(1)(a), cf. Article 9(2)(a) of the GDPR.
- However, consent is not valid if there are negative consequences of not consenting, or if consent is in other ways given under pressure. The patient must be able to choose freely. The question is how freely a person perceives their consent to be if the alternative is not being able to live at home.
- As long as the patient has the capacity to consent and can choose who is granted power of attorney, the requirement for consent being freely given may be met. Consent could therefore be a legal basis for using the digital power of attorney solution.
- How can such a solution ensure availability, confidentiality and integrity in line with the data protection regulations?
- Any solution in which personal data are processed must comply with requirements for technical and organisational measures that ensure confidentiality, integrity and availability.
- Since the DHO service uses the NHN network, and some of the data shared via the service must be documented in medical records, the security system must satisfy the security requirements for a treatment-oriented health registry.
- In this report, we review the security requirements that we believe are most relevant to this particular power of attorney solution: access management and solutions that ensure traceability.
Download
Ahus, final report - Power of Attorney for Better Data Protection (engelsk, pdf)
