Implementation of privacy by design model to an eHealth information system

Abstract

This paper reports ongoing research on the process and results of implementing a conceptual model of privacy by design. The model is based on building blocks derived from a comparative analysis of approaches to privacy by design by different authors. We then implemented the model to the data processing operations of Slovenia's central health information system (eHealth). The main goal of our research was to ensure personal data processing compliance with the General Data Protection Regulation (GDPR) and privacy by design criteria set by the model. Findings were used to answer the research questions: whether the proposed conceptual model is general enough to be used in most personal data processing operations, regardless of context; does the successful implementation of conceptual model requirements in personal data processing operations lead to compliance with the GDPR and with the additional requirements of privacy by design, and is the efficiency of complying with personal data processing higher when using the conceptual model compared to other approaches. Current results show that the model is robust enough to be used in a complex system of personal data processing. It also enables a relatively quick assessment of the gap between the actual and target situation, while suggesting which measures should be taken to comply. However, the model still must be tested in several organizations and other contexts of personal data processing, as only a comparative meta-analysis can provide reliable answers to the questions posed.