Accepted for/Published in: JMIR Medical Informatics

Date Submitted: May 9, 2019
Open Peer Review Period: May 16, 2019 - Jul 11, 2019
Date Accepted: Oct 6, 2019
The final, peer-reviewed published version of this preprint can be found here:

Impact of the European General Data Protection Regulation (GDPR) on Health Data Management in a European Union Candidate Country: A Case Study of Serbia

Marovic BS, Curcin V

JMIR Med Inform 2020;8(4):e14604

DOI: 10.2196/14604

PMID: 32301736

PMCID: 7195664

GDPR on the Edge: Health Data Protection in an EU Candidate Country – The Example of Serbia

  • Branko Stevo Marovic
  • Vasa Curcin

ABSTRACT

As of May 2018, all relevant institutions in the European Economic Area member countries are required to comply with the European General Data Protection Regulation (GDPR) or face significant fines. This regulation has had a notable effect on the European Union (EU) candidate countries, which are harmonizing their legislation with that of the EU as part of the accession process. The Republic of Serbia is an example of a candidate country where the GDPR is highly relevant. Serbia’s 2018 Personal Data Protection Act (PDPA18) mirrors the majority of provisions contained in the GDPR. The paper outlines the context for the implementation of the PDPA18, presents the experiences of delivering change in health data management across the health system so far, and traces the impact on the capability of candidate countries to conduct international health data research projects. Data protection incidents reported in Serbia are examined to identify common underlying causes. This is done using a novel taxonomy of contributing factors that are spread across aspects and health system levels, allowing exploration of relationships between incidents, factors, aspects, and levels. The GDPR has an extraterritorial application for non-EU data controllers who process the data of EU citizens and residents. In Serbia, this mainly affects private practices used by EU citizens, although some visitors are also treated in public healthcare institutions. Serbia is a popular destination for medical tourism due to low prices, quality services, and geographical proximity. There are also expat visitors, dual citizens, regular tourists from the EU, business visitors, and those in transit to and from member countries. Serbia generally does not have well-established procedures to support international research collaborations around data created in Serbian healthcare organizations.
In minor ventures, arrangements can be made with organizations’ management bodies and their ethics committees and then secured through contracts. Even then, small organizations that have not previously participated in similar ventures may require approval or support from health authorities. Extensive studies that involve multi-site data typically require the support of central health system institutions such as the Ministry of Health (MoH), the National Health Insurance Fund (NHIF), or the National Institute of Public Health, as well as the support of any relevant research data aggregators and electronic health records (EHR) vendors. The lack of a framework for preparation, anonymization, and assurance of privacy preservation requires the researchers to rely heavily on local expertise and support. Given the current limitations of its health and data governance systems and potential issues with the forthcoming legislation, it remains to be seen whether the move toward the GDPR will be beneficial for the Serbian health system and medical research concerning the protection of personal data and privacy rights and research capacity. Although significant progress has been made so far, a direct application of the implementation methods designed for more advanced health data environments could be risky, but it could also stimulate the community to move forward. Serbia needs a strategic approach at the national level, systematic elimination of problems arising from insufficient resources in the area of data protection, and further development of a modern personal data protection regulatory and institutional environment. This can only be achieved through a targeted educational effort among health workers and decision-makers, aiming to improve awareness and develop the necessary skills and knowledge in the workforce.



© The authors. All rights reserved. This is a privileged document currently under peer-review/community review (or an accepted/rejected manuscript). Authors have provided JMIR Publications with an exclusive license to publish this preprint on its website for review and ahead-of-print citation purposes only. While the final peer-reviewed paper may be licensed under a cc-by license on publication, at this stage authors and publisher expressly prohibit redistribution of this draft paper other than for review purposes.