The Government of the Republic of Serbia has formed the Coordination Body for Digitalisation of the Healthcare System in mid-January this year (“Coordination Body”). The Coordination Body includes the representatives of the relevant institutions, chambers, and business associations. The patients’ associations, their alliances and civil society organisations involved in the protection of the patients’ rights, have been included in the respective process as well.

The project of the Serbian healthcare system’s digitalisation is the project of tremendous importance, extreme complexity, and high sensitivity. This is due to the fact that its implementation should enable that the information systems of both state-owned and private healthcare institutions, become part of one unified and contemporary system within which the relevant healthcare related data should be exchanged.

The objective of this project is that each and every citizen of the Republic of Serbia has its own e-record which includes healthcare related information regarding that particular individual (e.g., lab analysis results, information on any allergies which a particular patient may have, information contained in such individual’s examination reports prepared by both general healthcare practitioners and specialists, etc.), whereas such information shall originate from both state-owned and private healthcare institutions visited by the patients and shall be available to both the patients and their doctors at any moment (“E-Record”).

This shall also result in the creation of the environment in which the healthcare institutions’ resources shall be managed more efficiently and more transparently than they currently are. As a result, significant benefits for the patients, but also for the system itself, should occur, considering that the expected savings should be used for introducing more innovative therapies, improvement of the healthcare infrastructure as a whole and better working, including financial conditions for the Serbian healthcare professionals.

At the moment, the Serbian healthcare regulations, including the Law on Health Documentation and Records in the Field of Health, govern the existence of so-called Integrated Healthcare Information System known under the abbreviation IZIS (in Serbian, Integrisani zdravstveni informacioni system).

There are also certain e-healthcare related services/portals which have been established/are operational in practice (e.g., portal eHealth, service ePrescription, and other). However, further development is necessary, considering that majority of the Serbian healthcare institutions, in particular those which are state owned, still have their patients’ medical records in a hard-copy format predominantly.

For this reason, the project of the fully operational and comprehensive E-Record’s establishment is the project of numerous challenges. The one which should be positioned centrally from the very beginning of and throughout the whole process, is the challenge of efficient protection and safety of personal data.

This is due to the fact that the processed data include particularly sensitive data (i.e., health related data of the patients). Accordingly, their unauthorised processing of any kind, disclosure or misuse, may lead to severe and long- term consequences for the patients, their privacy and life in general (in particular when it comes to particularly vulnerable groups of patients such as, for example, HIV patients or patients with psychiatric diseases).

Accordingly, the questions which should be answered prior to commencing realisation of the intended digitalisation and prior to implementing any particular solutions, are the following questions: (i) who will have the position of the data controller/-s of the E-Records, i.e. of the overall e-health system covering the respective records, (ii) would any third parties be engaged for the whole process and, if so, on which grounds and to which extent, in particular considering the statutory principle of the patients’ data secrecy, (iii) how would the patients’ data be protected, in particular in the case of their transmission from one healthcare institution to another (e.g., would the respective data’s encryption be a feasible option), (iv) how would the chosen technology support the principle of data protection by design and default, as well as all other data protection principles, (v) what types of processing purposes (and related legal grounds) would be envisaged, and (vi) would the Serbian Data Protection Authority (i.e. Commissioner for Information of Public Importance and Protection of Personal Data) be actively involved in the whole process (e.g., in relation to the performance/requesting of the prior data protection impact assessment).

The above is certainly not the definite list of questions. It is rather just an excerpt from the exhaustive questionnaire which is yet to be answered. None of the answers shall be easy to provide. However, we can say with absolute certainty that the huge first step will be undertaken successfully if the importance of personal data’s adequate protection and maximum safety, would be kept in mind and treated as the highest priority, by all the stakeholders throughout the whole digitalisation process, with no exception and undue compromise of any kind.