Last year, the health platform, Carte Blanche Partenaires, which manages more than 2 million flows per year with personal data, decided to tackle the problem of private data management. « Very few insurance players are already involved while it is time. »
C. C. (Code Courtage) : What is the legitimacy of Carte Blanche to talk about privacy in data management?
Jean-François Tripodi (J.F.T.) : Carte Blanche is at the heart of the management of personal data through its activities that concern the world of health: management of care networks, health support and prevention, and third-party payment. For example, we manage the visual correction data of our customers. The CNIL remains very vigilant on the methods we apply to ensure the protection of personal data.
Beyond the role of the CNIL, Europe has taken over by publishing the Regulation on the management of personal data (GDPR), which will apply in May 2018. To be ready, work must be done now to be able to process, store and manage health data in accordance with the requirements of the new regulations.
C. C. : What measures have you already taken knowing that the transposition in France is far from being finalized?
J. F. T. : We thought fact-based information was the best way to educate our partners and their clients. Beyond informing, we have already taken concrete measures with our partners. Thus, all our health data is hosted at Docapost, which has obtained accreditation for this purpose.
C. C. : Hosting data in a secure environment is not sufficient to comply with the GDPR. What are your plans for their treatment?
J. F. T. : We identify the workstations that manage our customers’ personal data and are connected to each partner’s software that processes health flows. We have set up a specific server that stores personal data, such as a black box. In this device, a health decision software developed with Suadeo is responsible for processing personal data to make them anonymous and establish our dashboards for us and our customers.
C. C. : Where are you in practice with regard to the GDPR regulation?
J. F. T. : We plan to finalize our GDPR compliance automation project on April 1, 2017. On the same date, the entire perimeter of dental surgeons and audiologists will be in the same environment, and the manual process will be stopped.
C. C. : What do you think of brokerage in the consideration of this regulation?
J. F. T. : As a management delegate, the broker is concerned by this standard. Under the European regulation, responsibility is shared between the company and its service provider. Brokers have every interest in conducting a project that is both IT and organizational to comply. Regarding the last point, we must go through the health data hosting manager, more precisely the Data Protection Officer (DPO) to access them. It is therefore imperative for the broker to have one.
Interview conducted by Emmanuel Mayega