
Protection of personal data in the healthcare sector, for a functional and secure system

The Information and Data Protection Commissioner’s Office has conducted, on its own initiative, administrative investigations in public healthcare institutions at the primary care level (health centers and specialty clinics). As services are digitized and provided online, constant monitoring of how citizens’ personal data are processed in this sector has become essential, because healthcare institutions handle large quantities and various types of data, which have a wide-ranging, direct, and ongoing impact on individuals’ privacy.
At the conclusion of this process, the Commissioner’s Office issued the Unified Recommendation “On Compliance with Legal Obligations Regarding the Protection of Personal Data in Health Centers and Specialty Clinics”. The presentation of this document took place at an event co-organized with the OSCE Presence in Albania, attended by representatives from central institutions and entities of the public healthcare system.

In his speech, Commissioner Mr. Besnik Dervishi emphasized, among other things, the cooperation and interaction with the Ministry of Health and Social Protection to ensure the protection and security of personal data processed in this sector. “This meeting should be seen as an important step in the joint investment we must undertake for the implementation of legislation on personal data protection. This requires special attention from the Commissioner’s Office, but the awareness of sector operators, investment in human resources, and systems that guarantee data security are also crucial,” said the Commissioner.

The meeting was also welcomed by the OSCE Ambassador, Mr. Michel Tarran, who stated that “a sustainable and functional healthcare system is one of the main pillars of society. The findings of the Commissioner’s Office are essential for improving practices in this field. The OSCE Presence in Albania fully supports the immediate adoption of the necessary legislation and stands ready to assist Albanian institutions in its implementation”.

Health data, as defined by Law No. 9887/2008 “On the Protection of Personal Data,” as amended, is classified as sensitive data, which requires a higher level of protection to ensure security in its processing by healthcare institutions. Compliance with appropriate technical and organizational measures in this process is deemed essential for maintaining citizens’ trust and will also have an impact on enhancing knowledge and updating systems during service delivery by these structures.

The Commissioner’s Office emphasizes the need to better specify the timeframes for retaining personal data, allowing for their identification for a certain period in fulfillment of the purpose for which they were collected. Upon the expiration of these timeframes, measures must be taken for anonymization, archiving, and/or destruction of the data. Furthermore, concrete measures are appreciated for the ongoing training of medical and administrative staff who have access to and process citizens’ personal data, regarding the obligations outlined in the existing legal framework in this field. The Authority also believes attention should be paid to informing individuals about the presence of video surveillance systems in healthcare facilities, so they are aware of their rights and can exercise them in practice.