The activity of Population Cancer Registries (PCR) involves the collection, storage and subsequent use of information for analysis or for carrying out specific studies. The individual identification of each patient is a basic and essential requirement for a PCR: it allows correct follow-up of patients and consolidates into a single case all the information received about the same patient from different sources, thereby avoiding the inclusion of duplicate cases.
Current legislation, the General Data Protection Regulation (EU) 2016/679 (GDPR) and Law 03/2018 on the Protection of Personal Data and the Guarantee of Digital Rights (LOPDGDD), establishes that health data are a special category of protected data because of their potential impact on the privacy, public freedoms and fundamental rights of patients.
Any processing of such data must respect the principles established in the GDPR and the LOPDGDD, which can be summarized as follows:
- Personal data must be processed in a lawful, fair and transparent manner.
- Personal data must be collected for specific, explicit and legitimate purposes.
- Personal data must be adequate, relevant and limited to what is necessary in relation to the processing.
- Personal data must be accurate and kept up to date.
- Personal data must be kept in a form that allows the identification of the data subjects for no longer than is necessary for the purposes of the processing.
- Personal data must be processed in a way that guarantees its security.
- The proactive responsibility (accountability) of the Data Controller, defined as the obligation of the Controller to apply whatever technical and organizational measures are appropriate to guarantee, and to be able to demonstrate, compliance with current legislation.
The practical application of the principles of the GDPR and the LOPDGDD requires:
- Correct processing of the data by authorized personnel, bound by a commitment to confidentiality, with the required training and only for the stipulated purposes.
- Implementation of the technical and organizational measures necessary for the proper maintenance of personal data, in line with periodically assessed risk and impact and with the regulations in force.
- Development of security protocols, standards, controls and policies that guarantee adequate protection.
- Updating and development of the Records of Processing Activities, as well as their publication.
- Enabling data subjects to exercise all of their rights: the rights of access, rectification, cancellation, objection, portability, erasure (the right to be forgotten) and restriction of processing.
- Carrying out audits and other continuous security improvement processes in accordance with the "proactive security" principle established by both the GDPR and the LOPDGDD.