A Data Protection Perspective on Training in the mHealth Sector

  • Erik Kamenjasevic
  • Danaja Fabcic Povse
Part of the EAI/Springer Innovations in Communication and Computing book series (EAISICC)


mHealth services have brought numerous advantages to healthcare operators, professionals and patients and, at the same time, have opened the door to new cyber-threats that may significantly affect patients' health and lives. Cyber-attacks often succeed because of human error and poor knowledge of cyber-security. Deploying innovative training for healthcare professionals could therefore lead to a higher level of cyber-resilience. This chapter explores how healthcare operators may do so in a legally compliant manner by examining the implications of the new General Data Protection Regulation.


Keywords: General data protection regulation, Cyber-security, Training, Employees' data, Legitimate interest, Consent



The research leading to these results was partially funded by the European Union's Horizon 2020 Research and Innovation programme through the DOGANA project (aDvanced sOcial enGineering And vulNerability Assessment), under grant agreement No. 653618, and the COMPACT project (COmpetitive Methods to protect local Public Administration from Cyber security Threats), under grant agreement No. 740712.



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. The KU Leuven Centre for IT & IP Law (CiTiP), Leuven, Belgium
