Insight

This is how we work to secure privacy

Published: 22 Nov. 2021
Author: Ivar Hukkelberg
– Data-driven tools in the healthcare sector, where privacy requirements are built into the solution, usually provide higher efficiency and security than manual routines, says Ingrid Egelandsaa, data protection officer at DIPS.
Looking at screen from behind with Deepinsight logo on sweater

The legislation regarding personal data is strict, especially for sensitive information about a person's health.

– If we manage to automate more workflow processes with data-driven tools, healthcare enterprises will become less dependent on manual routines, and data security will increase significantly, explains Ivar Hukkelberg, CRO of Deepinsight.


GDPR and the development of health tools

In 1995, the EU launched a privacy directive with strict guidelines for the processing of personal data. Norway introduced a personal data act in 2001 that was based on the EU directive.

– Norwegian IT providers have therefore adhered to strict privacy laws for twenty years already, says Egelandsaa.


Ingrid Egelandsaa

Ingrid Egelandsaa from DIPS has expertise on how healthcare laws and privacy legislation work together. She shares that knowledge with Deepinsight as an advisor and sparring partner.


In 2018, the EU's General Data Protection Regulation came into effect, also known as GDPR. All EU and EEA countries must implement this regulation as it stands, with some possibilities for adaptation to existing legislation.

GDPR took the content of the 1995 directive a step further, making it more comprehensive and mandatory. Additionally, it sets the stage for stricter sanctions and fines.

The most important change GDPR brought for Deepinsight is the requirement for documentation that privacy is built into the product and maintained throughout the development process.

– We think about privacy from the very beginning. Before we explore a new opportunity, we always ask ourselves if it's possible to develop the tool without using sensitive personal data, explains Hukkelberg.

– We take strict precautions for everything we do, ensuring we always have a solid foundation of data security and privacy in our projects, adds Håkon Lorentzen, Chief Technology Officer at Deepinsight.

To ensure the quality of data security, Deepinsight will use the guide “Software Development with Built-in Privacy” developed by the Data Protection Authority. The guide contributes to understanding of, and compliance with, the legislation.


Deepinsight Hero on computer screen

Deepinsight works to develop solutions that ensure access while also maintaining privacy and security.


Data access leads to better patient care

Privacy legislation, namely GDPR and the Personal Data Act, states that it is prohibited to process identifiable health data unless there is a legal basis. In Norway, we have comprehensive health legislation that regulates this. Among others, the Health Registry Act and the Patient Journals Act clearly define that the Personal Data Act applies unless otherwise stated in the relevant health law.

– Data-driven technology can help the healthcare system gain access to important information that ensures the best possible patient care and diagnostics, explains Hukkelberg.

– Access to personal data to provide proper health assistance is just as important as preserving confidentiality and integrity, which ensures that the information is not available to unauthorized individuals and that it is always correct, adds Egelandsaa.


This is how Deepinsight ensures privacy

Deepinsight is responsible for ensuring that privacy is built into the final product and that it is maintained throughout the development process. Healthcare enterprises are the data controllers responsible for ensuring that privacy and GDPR are upheld during the sharing of data with Deepinsight. They are the ones who must decide whether the sharing is secure and how it should take place.


It is the healthcare enterprise's responsibility to log who has access to data, what is shared, and what is done with the information.


Although the healthcare enterprises are the data controllers, Deepinsight, as a provider, must offer solutions that meet the requirements of clients and authorities. Internally, Deepinsight has clear security routines and works thoroughly on training employees to clarify the guidelines around the use and analysis of data.

It is entirely possible to use health information to build data-driven solutions while also safeguarding privacy. Nevertheless, legislation is clear that no more identifiable information than strictly necessary should be used.

– Recently, several guidelines have been launched that make the legislation regarding the use of personal data, both generally and in the healthcare sector, clearer. This makes the important work of technology companies like Deepinsight much easier, concludes Egelandsaa.


Read about our secure platform here.


Address

Deepinsight AS
Rådhusgata 25
0158 Oslo
Norway
