A Data Protection by Design Model for Privacy Management in Electronic Health Records

Privacy by design (PbD) is considered an international principle for privacy protection. For understanding and applying a PbD legal provision, the context of the data processing is essential. This paper intends to analyse the data protection by design (DPbD) legal obligation in the European framework and investigate how it can be implemented in the context of e-health for Electronic Health Records. The PbD approach may play a pivotal role in this sector to fulfil the requirements of the law and to better protect the rights of the data subjects. To fulfil these goals, to understand the deeper meaning of the concept and to evaluate the approach itself, the paper conducts a theoretical legal analysis on PbD and critically compares the edges, the benefits, the challenges and the disadvantages. As the chosen legal framework is that of the European Union, the DPbD legal obligation established by the GDPR will be examined. The paper first gives a brief overview of the applicable EU legal framework for EHRs. Settled this context, the paper proposes a comprehensive DPbD model for the privacy management with technical and organisational measures to be implemented in EHRs. The purpose is to provide more guidance for data controllers and developers on how to comply with the DPbD obligation.