Data processing and privacy in the DignaCare solution
SensCom AS supplies the DignaCare solution, a welfare technology solution that alerts care staff when a care home resident needs attention or changing.
The sensor collects data about moisture, temperature, movement and position (expressed as x, y and z coordinates), which makes it possible to take into account whether the user is standing up or lying down. These data are communicated from the sensors via BLE (Bluetooth Low Energy) to a GW (gateway), which provides secure signal transport to the SensCom database (cloud solution).
The cloud solution itself is operated by Azure (Microsoft). In the database, the data are processed and interpreted using the SensCom algorithms. In given situations, the algorithms will trigger alerts and alarms that are then communicated to care staff via an app or an alarm interface at the institution that is using the DignaCare solution.
Illustration of the technical DignaCare solution
The data transported are “raw data” in the form of numerical information (“the Data Package”). For additional security, SensCom is currently working to establish data encryption in accordance with 21 CFR Part 11. The Data Package contains no personal data or identifiable information. The Data Package is identified exclusively through a unique sensor ID (MAC address) and a GW ID.
When SensCom enters into an agreement with an institution regarding the use of the DignaCare solution, SensCom will normally enter into a Data Processor Agreement at the same time. This will either be drawn up directly with a “Data Controller” (party responsible for processing data), which will typically be the local authority where the institution is located, or with the party that runs and is responsible for the institution itself (foundation or private operator on the welfare market). In the latter case, SensCom will be the Data Processor. Alternatively, SensCom will enter into a Data Processor Agreement with a supplier of welfare technology solutions to institutions that already have a Data Processor Agreement with the responsible operator. SensCom will then enter into a Data Processor Agreement with the supplier and take on the role of subcontractor. In both set-ups, SensCom will assume the same responsibility for the storage, use and deletion of data.
The Data Processor Agreements used will comply with the standards and recommendations prepared by The Norwegian Directorate of eHealth (NDE). The agreement in question will regulate the rights and obligations of the parties pursuant to the following laws and regulations:
- Act relating to the Processing of Personal Data of 15 June 2018, No. 38 (the Personal Data Act);
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), hereinafter referred to as the GDPR;
- Act No. 43 of 20 June 2014 on Personal Health Data Filing Systems and the Processing of Personal Health Data (the Personal Health Data Filing System Act);
- Act No. 42 of 20 June 2014 on the processing of medical records in connection with the provision of health care (the Medical Records Act); and
- Any laws, regulations or other regulatory frameworks that amend or replace same.
On cessation of deliveries from SensCom, SensCom is obliged – at the discretion of the Data Processor – to provide conditions for or contribute to the return or deletion of all health-related and personal data that SensCom is processing at that time.