Who/What has responsibility for personal data when processing personal data in a regional or national quality register is divided between two different legal entities (prop. 2007/08:126 pp. 181-184)...

  • The Personal Data Controller (PDC) locally who is the reporter,
  • and the Central Personal Data Controller (CPDC), who deals with the central processing.


Common to both roles or concepts is that the responsibility can only be held by a legal entity.

PDC
The Personal Data Controller (PDC) for registering (reporting) data to a register is the local care provider whose data are being reported. For example, it is stated that "each authority in the health and care sector or a private care provider is the personal data controller for all processing of personal data that it undertakes". This means that the PDC is responsible for safeguarding that all personal data are handled correctly in accordance with the Patient Data Protection Act and the Public Access to Information and Secrecy Act when reporting. The PDC could just as easily be called the local PDC to further clarify the local affiliation.


CPDC
Only one or more authorities in the health and care services are permitted to process personal data at the central registry level. The Swedish Data Protection Authority can make exceptions to this rule. With regard to central processing, the Central Personal Data Controller (CPDC) is responsible for all data processing. This responsibility includes security issues and correction of data in the registry, if necessary.

Having CPDC responsibility for a national or regional quality register must be considered to be a long-term commitment. It is therefore not ideal to replace the CPDC when a new register holder is appointed. It is also important that there is a natural link between the CPDC and the register in question. Examples of a natural link include the CPDC being the same authority in which the register holder operates, or an authority having a centre of expertise.

The appointment of a CPDC involves the legal determination of who should be made liable and who would be obliged to pay any injury compensation if anything should go wrong.

 
A quality register must have a CPDC. If it is not clear which health and care authority is acting as the CPDC, the local PDC must stop handing over personal data.

There are no requirements regarding the formalities of how to document the decision on the appointment of the CPDC, but a formal decision taken by the current Board is preferred, e.g. the relevant County Council Board.

See "What is the Steering Group's responsibility towards the CPDC?" for a description of the relationship between the CPDC and the Steering Group of a quality register.

See "What regulations apply to the data of registered patients?" for a description of the division of responsibility between the CPDC and PDC with regard to data of the individual.

 
