The purpose of access control is to ensure that unauthorized persons do not have access to patient data. In practice, this means that frequent random checks are performed to verify that those who have accessed the data have not read them unlawfully.
The Government Bill 2007/080:126 p. 149 states, among other things, that care providers are obliged to systematically and continuously perform checks to ensure that unauthorized access to patient data does not occur. One of the intentions of this provision is to strongly deter personnel from reading the data unlawfully. Affected personnel must be given clear information about log monitoring and its purpose. The care provider must follow up on how the authorization system functions and on the way in which any unauthorised access occurred; to safeguard traceability, the care provider is obliged to document all electronic access. See also Chapter 4 Section 3 of the Patient Data Protection Act and Chapter 2 Section 11 of SOSFS 2008:14, which stipulate that the care provider must have routines for access control.
For a quality register this means that the care provider whose personnel have authorisation to the register must ensure that there is access control locally and that there are routines that ensure continuous control of the register. CPDC and PDC should furthermore set requirements for logging support for a quality register. The support should include:
- that the log details include the actions that were taken with the data
- that the log details indicate the care unit and the time at which the actions were taken
- that the log contains data that identifies both the user and the patient
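The three logging requirements above, together with the random checks and traceability obligations described earlier, amount to a concrete specification for an access-log record and for what must be possible to do with it. The following is an added example, not code from any quality register or from CPDC/PDC: it assumes a JSON Lines log format and the field names `action`, `care_unit`, `timestamp`, `user_id` and `patient_id`, and the sample log lines are constructed for illustration. It rejects incomplete entries (an entry that cannot be tied to a user, a patient, a time and a care unit is useless for follow-up), reconstructs every access to one patient's data in time order, and draws a random sample of entries for the periodic manual check.

```python
"""Audit-log handling for patient-data access (added example).

Assumptions (not from the page): JSON Lines log format, the field names
below, and the constructed sample records.
"""
import json
import random
from datetime import datetime

# Fields every access-log entry must carry: what was done, where and when,
# by whom, and to which patient's data.
REQUIRED_FIELDS = ("action", "care_unit", "timestamp", "user_id", "patient_id")

# Constructed sample log lines; the last one lacks the patient identity
# and must be rejected by validation.
SAMPLE_LOG = """\
{"action": "read", "care_unit": "ward-12", "timestamp": "2024-03-01T08:15:00Z", "user_id": "nurse-0042", "patient_id": "19800101-0000"}
{"action": "update", "care_unit": "ward-12", "timestamp": "2024-03-01T08:20:30Z", "user_id": "dr-0007", "patient_id": "19800101-0000"}
{"action": "read", "care_unit": "lab-03", "timestamp": "2024-03-01T23:55:10Z", "user_id": "nurse-0042", "patient_id": "19750512-0000"}
{"action": "read", "care_unit": "ward-12", "timestamp": "2024-03-02T09:00:00Z", "user_id": "dr-0007"}
"""


def parse_log(text):
    """Parse JSON Lines audit records.

    Returns (valid_entries, rejected) where rejected is a list of
    (line_number, reason). An entry missing any required field is rejected
    rather than silently kept, since it cannot be traced back to a user,
    a patient, a time and a care unit.
    """
    valid, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rejected.append((lineno, "malformed JSON"))
            continue
        missing = [f for f in REQUIRED_FIELDS if not rec.get(f)]
        if missing:
            rejected.append((lineno, "missing " + ", ".join(missing)))
            continue
        # Normalise the timestamp so entries can be ordered and filtered by time.
        rec["timestamp"] = datetime.fromisoformat(rec["timestamp"].replace("Z", "+00:00"))
        valid.append(rec)
    return valid, rejected


def accesses_to_patient(entries, patient_id):
    """Traceability: every recorded action on one patient's data, oldest first."""
    return sorted((e for e in entries if e["patient_id"] == patient_id),
                  key=lambda e: e["timestamp"])


def random_control_sample(entries, size, seed=None):
    """Draw entries, without replacement, for the periodic random check.

    The seed exists only so that a given audit round can be reproduced.
    """
    rng = random.Random(seed)
    return rng.sample(entries, min(size, len(entries)))


if __name__ == "__main__":
    entries, rejected = parse_log(SAMPLE_LOG)
    print(f"{len(entries)} valid entries, rejected: {rejected}")
    for e in accesses_to_patient(entries, "19800101-0000"):
        print(e["timestamp"].isoformat(), e["user_id"], e["action"], e["care_unit"])
    for e in random_control_sample(entries, 2, seed=1):
        print("selected for review:", e["user_id"], e["patient_id"], e["care_unit"])
```

The validation step is the part most often skipped in practice: a log that accepts entries without a patient or user identity satisfies none of the three requirements, so rejected entries should be surfaced as a monitoring failure in their own right rather than dropped quietly.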