DATA PROTECTION BY DESIGN IN THE E-HEALTH CARE SECTOR: THEORETICAL AND APPLIED PERSPECTIVES

In the digital age, e-health technologies play a pivotal role in the processing of medical
information. As personal health data represents sensitive information concerning a data
subject, enhancing data protection and security of systems and practices has become a
primary concern. In recent years, there has been an increasing interest in the concept of
privacy by design (PbD), which aims at developing a product or a service in a way that it
supports privacy principles and rules. In the European Union, Article 25 of the General
Data Protection Regulation provides a binding obligation of implementing data protection by
design (DPbD) technical and organisational measures.
This thesis explores how an e-health system could be developed and how data processing
activities could be carried out to apply data protection principles and requirements from the
design stage. Currently, there is a lack of clarity and knowledge on the topic for developers,
data controllers and stakeholders. The research attempts to bridge the gap between the legal
and technical disciplines on DPbD by providing a set of guidelines for the implementation of
the principle in the e-health care sector. The research is based on literature review, legal and
comparative analysis, and investigation of the existing technical solutions and engineering
methodologies. So, this thesis uses both legal comparison and the interdisciplinary method.
The work can be differentiated by theoretical and applied perspectives. First, it critically
conducts a legal analysis on the principle of PbD and it studies the DPbD legal obligation
and the related provisions. Later, the research contextualises the rule in the health care
field by investigating the applicable legal framework for personal health data processing.
Moreover, the research focuses on the US legal system by conducting a comparative analysis
since PbD is an international principle and in the US federal law there is a specific rule for
the e-health care sector that mandates the implementation of technical and organisational
safeguards. Adopting an applied perspective, the research investigates the existing technical
methodologies and tools to design data protection and it proposes a set of comprehensive
DPbD organisational and technical guidelines for a crucial case study, that is an Electronic
Health Record system.