Date: May 4, 2018
RE: Clarification concerning REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
To: All AcuGraph users
The EU General Data Protection Regulation (GDPR) takes effect on May 25, 2018. Because several of our European AcuGraph users have requested further information regarding AcuGraph as it relates to this regulation, we are providing the following information.
- Article 4(1) of the regulation defines “personal data” as “any information relating to an identified or identifiable natural person (‘data subject’).” Healthcare providers collect such information in the course of their normal activities with use of the AcuGraph system.
- Article 4(5) of the regulation defines “pseudonymisation” as “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.”
- Article 4(7) of the regulation defines “controller” as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”
- Article 4(8) of the regulation defines “processor” as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
Processing of Personal Data
All current versions of AcuGraph 4 and 5 pseudonymise all personal data within the AcuGraph software. More specifically:
- All personal data is stored on the local computer in an AES 128 encrypted database. There is no plain-text encryption key stored anywhere in the AcuGraph system or software, nor anywhere else on the user’s computer. The data is therefore properly pseudonymised, and no longer considered “personal data.”
- During the course of use, AcuGraph does not decrypt the database. All queries to the database are for specific information only, and database responses are decrypted and displayed as a function of the software, while remaining encrypted in the database. At no point is the database decrypted or rendered human readable in any way.
- Access to the AcuGraph system is password protected by a password of the user’s choosing. We do not have access to user passwords or personal data collected by AcuGraph. The only method of access to such data is through the AcuGraph software itself, using the correct password. We cannot gain access to personal data.
- The process of backing up the user database and syncing the database to our cloud servers, as well as syncing to the user’s other computers (where applicable) is, in all cases, only performed on the encrypted data. At no point does any human-readable or unencrypted data leave the user’s computer, under any circumstances. By definition, no personal data is ever transferred from or to the user’s computer.
- Based on the above facts, we have determined that Miridia Technology Inc. is not a data controller or processor. We have no access whatsoever to any personal data in any way, shape or form, and cannot gain such access. You do not need a Data Processing Agreement to use AcuGraph.
- We have performed an internal review and determined that personal data entered into the AcuGraph software is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organizational measures, as required by Article 5(1)(f) of the regulation.
Deletion of Data
Article 17(1) of the regulation establishes a right to erasure (right to be forgotten) requiring that personal data be deleted at the request of the data subject, as prescribed and allowed by the regulation. Current versions of AcuGraph 5 do not allow for such deletion, but only for archiving of personal data. We are therefore releasing an update to AcuGraph 5 that will include the ability to permanently, irrevocably delete personal data. This update will be released before May 25, 2018, and available at no charge to all current AcuGraph 5 subscribers.
AcuGraph 4, and all other versions prior to the upcoming AcuGraph 5 release in May, 2018, do not have the ability to permanently delete personal data. Because AcuGraph 4 has reached end-of-life status, and official support for AcuGraph 4 ended in 2016, it will not be updated to add this capability. AcuGraph users in the EU, or AcuGraph users who treat any citizen of the EU, should upgrade to AcuGraph 5 to remain compliant with GDPR requirements.
Article 20 of the regulation establishes a right to data portability. AcuGraph 5 complies with this requirement by allowing users to export patient data in a machine-readable format (.csv and .pdf). The May, 2018 update to AcuGraph 5 will include additional capabilities for this export function, making it patient specific. Users can use the data export functions of AcuGraph 5 to export personal data when requested.
Emailing Reports from AcuGraph
The updated version of AcuGraph 5 interfaces with an outside, secure email provider, sending patient reports through their secure portal, directly from the AcuGraph software. The data is encrypted end-to-end, meaning no personal data is sent or processed in the email. AcuGraph 5 installations with service and support agreements at the Professional or Enterprise level will include this email service. Service and support agreements at the basic level will not include the capability to email. In all cases, proper procedures and processes are followed to comply with GDPR requirements.
Recommendations for Users:
We recommend that all AcuGraph users obtain proper written consent to process personal data as required by Articles 6(1), 7(1), and 9(1)(a) of the regulation.
We recommend that all AcuGraph users perform proper erasure of personal data as required by Article 17(1) of the regulation.
We further recommend that all AcuGraph users, because they have processor access to personal data, review the regulation in its entirety and ensure their own procedures and practices comply with all applicable provisions.
AcuGraph 5 is GDPR compliant, and does not store or transmit personal data. It only displays personal data to a properly authenticated user. Our servers do not store or access personal data, and we do not have access to personal data. Emailing follows correct end-to-end encryption requirements and does not transmit personal data.
Users should follow applicable GDPR requirements for obtaining permission to collect data, exporting data when requested, and deleting data upon request. AcuGraph 4 and prior versions are not GDPR compliant and should be upgraded to AcuGraph 5 for compliance purposes.
Changes to Emailing within AcuGraph
AcuGraph’s email capability will change significantly, incorporating end-to-end secure encryption.
Please read the following blog post to fully understand the changes coming to AcuGraph’s email capabilities:
Questions? Need to upgrade to AcuGraph 5? Please give my office a call at 208-846-8448 and a member of my staff will be happy to help you!