Legal framework of personal data protection
Since 1995, the concern on personal data protection has been stated on laws such as the ‘Data Protection Act’  and the ‘Health Insurance Portability and Accountability Act’ (HIPAA) . In May 2018, the General Data Protection Regulation (GDPR)  reinforced the processes of personal data protection in Europe. According to the GDPR, healthcare organisations need to demonstrate that appropriate procedural security measures are being applied to safeguard patient privacy for the electronic medical records (EMR) they guard. Most importantly, access to the data needs to be compliant with the GDPR, which – among other regulations – states that the data subjects (for example, patients) have the right to know how and when their data is processed. Data processing actions, therefore need to be controlled and monitored and, when requested by the patient, should be shown in an understandable form.
The ASCLEPIOS Privacy Analytics Module (APAM)
The ASCLEPIOS project has addressed this transparency requirement in the ASCLEPIOS Privacy Analytics Module (APAM). The main goal of APAM is to provide tools that facilitate verification if data processing is taking place as intended and authorised and to disclose this information as requested. The module addresses the perspectives of two main stakeholders: the patient (EMR data subject) and the data protection officer (DPO) of the healthcare organisation (EMR data controller). APAM includes functions to retrieve and present data access history and to detect abnormal or illegitimate data processing. APAM can present the metrics outcomes from the functions through a visualisation interface. Moreover, APAM offers a REST-API that can be used by other applications to retrieve the metrics. The featured image presents an illustration of the APAM’s visualisation interface made with Kibana.