– Data-driven tools in the healthcare sector, where the privacy requirements are built into the solution, usually give better efficiency and security than manual routines, says Ingrid Egelandsaa, Privacy Officer at DIPS.

The legislation around personal data is strict, especially for sensitive information about a person’s health.

– If we are able to automatise more work processes with data-driven tools, the healthcare institutions will become less dependent on manual routines and the data security will increase significantly, explains Ivar Hukkelberg, Director of Customer Success & Marketing at Deepinsight.

GDPR and the development of healthcare tools

In 1995, the EU launched a privacy directive with strict guidelines for the treatment of personal information. In 2001, Norway adopted a personal data law which was built on the EU directive.

– Norwegian IT suppliers have therefore dealt with strict privacy laws for 20 years already, says Egelandsaa.

Portrait photo of Ingrid Egelandsaa
EXPERIENCED: Ingrid Egelandsaa from DIPS has expertise in how the health laws and privacy legislation work in combination. She shares this knowledge with Deepinsight as an advisor and sparring partner.

In 2018, the EU's Privacy Regulation came into force, also known as GDPR. All EU and EEA countries must implement this regulation as it is, with some possibilities of adapting it to existing legislation.

GDPR brought the content of the directive from 1995 one step further, and made it more extensive and compulsory. In addition, it lays down guidelines for stricter sanctions and fines.

The most important change that GDPR brought about for Deepinsight, is the requirement for documenting that privacy is built into the product and ensured throughout the entire development process.

– We consider privacy from the start. Before exploring an opportunity, we always ask ourselves if it’s possible to develop the tool without the use of sensitive personal information, explains Hukkelberg.

– We take strict precautions for everything we do, making sure we always have a solid foundation of data security and privacy in our projects, adds Håkon Lorentzen, CTO at Deepinsight.

To ensure high quality data security, Deepinsight will use the guide «Software development with built-in privacy» developed by the Norwegian Data Protection Authority. The guide contribute to understanding and complying with the legislation.

A Deepinsight employee explains something on a whiteboard to two colleagues.
ENABLE PATIENT TREATMENT: Deepinsight works to develop solutions that enable data access while maintaining privacy and security.

Data access leads to better patient care

The privacy legislation, ie GDPR and the Personal Data Act, states that it is prohibited to process identifiable health information unless there is a legal basis. In Norway, we have comprehensive health legislation that regulates this, such as the Health Register Act and the Patient Records Act, which clearly define that the Personal Data Act applies unless otherwise specified in the relevant health act.

– Data-driven technology can help the healthcare sector gain access to important information that ensures the best possible patient care and diagnosis, explains Hukkelberg.

– In order to provide proper healthcare, access to personal information is as important as ensuring confidentiality and integrity, which means ensuring that the information is not available to unauthorised persons and that the information is always correct, adds Egelandsaa.

How Deepinsight ensures privacy

Deepinsight is responsible for ensuring that privacy is built into the final product, as well as ensuring privacy throughout the product development. The health institutions are responsible for the data, and are thereby responsible for ensuring that privacy and GDPR are safeguarded when sharing data with Deepinsight. They are the ones who have to decide if the sharing is secure and how it should take place.

Close up photo of a screen with a lot of code and a hand that points.
DOCUMENTATION REQUIREMENT: It is the health institutions’ responsibility to log who has been given access to data, what data is shared and what the information is used for.

Although the health institutions are the data controller, Deepinsight as a data processor must meet and fulfill the requirements of the customers and the authorities. Internally, Deepinsight has clear security routines and works thoroughly with employee training to clarify the guidelines for the use and analysis of data.

It is entirely possible to use health information to build data-driven solutions, and at the same time safeguard privacy. Nevertheless, the legislation is clear that no more identifying information should be used than what is strictly necessary.

– Several guidelines have been launched recently, that make the legislation regarding the use of personal data, in general and in the health sector, clearer. This makes the important work of technology companies such as Deepinsight much easier, Egelandsaa concludes.

Want to know more about how Deepinsight builds effective and secure health tools?
Contact us!