The implementation of the Shared Medical Record in Luxembourg (dossier de soins partagé): data protection aspects to consider
Posted - 03.07.2020
On 1 January 2020, the Grand Ducal Regulation of 6 December 2019 specifying the terms and conditions for setting up the shared medical record [1] (the "Grand Ducal Regulation") entered into force, thus implementing the dossier de soins partagé (the "Shared Medical Record"). The Shared Medical Record is deployed by the eSanté Agency, an economic interest group encompassing the Luxembourg State, the Caisse nationale de santé (national health insurance provider) and the Centre commun de la sécurité sociale (one of the social security institutions), as well as representative bodies for health care providers and associations representing the interests of patients. The Shared Medical Record is intended to provide a more efficient follow-up of the health data of patients in Luxembourg by keeping their medical history available both to the patient himself and to the health professionals.
The sensitive nature of the personal data contained within the Shared Medical Record obviously calls for adequate data protection, confidentiality and security standards. As a consequence, the Commission nationale pour la protection des données ("CNPD") was largely involved in the elaboration process and has rendered opinions [2] regarding the compliance of the Shared Medical Record with existing data protection legislation, in particular the General Data Protection Regulation [3] ("GDPR").
We draw your attention to the following:
- The definition of health professionals. The Grand Ducal Regulation defines health professionals as any natural person lawfully exercising a regulated health profession, as well as any health professional, any hospital establishment and any health care provider referred to in the Social Security Code [4] that lawfully exercises its profession outside the hospital sector (such as medical analysis laboratories, pharmacies and opticians).
- Objection and access rights to the Shared Medical Record by the holder. If the holder does not object to the creation of the Shared Medical Record, it will be automatically activated 30 days after receipt of the letter from the eSanté Agency informing the holder of its creation. Health professionals may then access the Shared Medical Record. The holder may modify access rights and deny one or more health professional(s) access to their entire file, or render certain data inaccessible to one or more health professional(s). The processing of personal data by the eSanté Agency in relation to the Shared Medical Record relies on specific provisions of the Social Security Code [5].
- Recipients. Recipients of the Shared Medical Record are the patient and any health professional related to the patient. The CNPD recommended in its opinion that the Grand Ducal Regulation expressly clarifies that recipients shall not be extended in the future to other categories of natural and legal persons (such as private insurance companies, employers, medical practitioners acting as experts on behalf of third parties, etc.). This recommendation has not, however, been taken into account in the final version of the Grand Ducal Regulation.
- Joint controllership. Both the Grand Ducal Regulation and the Social Security Code [6] provide that the eSanté Agency is responsible for the processing of personal data contained in the Shared Medical Record. The CNPD questioned this sole controllership, stressing that the eSanté Agency on the one hand and the health professionals on the other hand jointly participate in determining the purposes and means of the processing of personal data contained in the Shared Medical Record. In the CNPD's view, the eSanté Agency and the health professionals act in practice as joint controllers. The CNPD analysis was partly taken into account, since the final version of the Grand Ducal Regulation refers to the health professionals in their capacity as controllers of the personal data they process in the context of the Shared Medical Record (for example, when they enter information regarding a patient's illness or results of medical analyses directly in the relevant Shared Medical Record). It must be noted that the legal basis relied upon by the health professionals for processing such health data is not clear.
- Data retention and data subject rights. The holder of a Shared Medical Record may close it at any time via the website or upon request addressed to the eSanté Agency. From the date of closure, the personal data contained in the Shared Medical Record are archived and rendered inaccessible. Within 10 years following the closure, the holder may reopen the Shared Medical Record without losing the data contained therein; if it is not reopened within that period, the data are deleted 10 years after closure. The Shared Medical Record will also be closed after 10 years of inactivity counted from the latest access. The patient benefits from the right to erasure and the right to rectify inaccurate or incomplete data. Those rights are given effect by the health professional or the eSanté Agency.
- Data Security. The health professionals, in their capacity as data controllers, shall implement appropriate technical and organisational security measures to ensure a level of security appropriate to the risks.
In conclusion, the Shared Medical Record is without doubt an ambitious step towards a more efficient and modern health care service in Luxembourg. It remains to be seen and verified if the data protection standards implemented for this eHealth tool (in particular the technical and organisational security measures) are high enough to encourage the population to trust and adhere to it.
- [1] Règlement grand-ducal du 6 décembre 2019 précisant les modalités et conditions de mise en place du dossier de soins partagé. http://legilux.public.lu/eli/etat/leg/rgd/2019/12/06/a909/jo
- [2] This article focuses on the additional opinion rendered by the CNPD on October 18, 2019 (Deliberation n° 51/2019): https://cnpd.public.lu/dam-assets/fr/decisions-avis/2019/51-DSP.pdf
- [3] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
- [4] See Article 61 (2) of the Social Security Code.
- [5] Articles 60ter and 60quater of the Social Security Code.
- [6] Article 60ter paragraph (4) of the Social Security Code.