A failure to apply IT safeguards or data protection measures, which are subject to control under applicable regulations, is like disclosing a code to a bank vault
– Jim Hurley, Managing Director of IT Policy Compliance Group
Dear Sir / Madam,
Information is the most valuable asset of the Greater Poland Cancer Centre, and the foundation on which it operates. Therefore, it is our top priority to protect that information by designing, implementing and maintaining an information security system based on the Information Security Policy of the GPCC.
The Policy is based on the national laws, quality standards and guidelines of the supervisory authority in the area of personal data protection.
In the face of the growing value of information being processed, particularly sensitive data on patient health condition, the Policy has been supplemented with the Centre Management Support Declaration to acknowledge the need for implementing an information security system.
The Policy encompasses many aspects which arise from the nature of the activity conducted and the size of an organisational unit. It defines the rules for the management and protection of information that constitutes a secret of the unit concerned or is legally protected, for providing access to information and processing systems for operational purposes, and for critical procedures in case of security incidents.
In particular, the following documents have been drawn up under GPCC’s Information Security Policy:
- Personal Data Security Policy
- Privacy Protection Policy
Personal Data Security Policy
The Personal Data Security Policy (PDSP), developed in pursuance of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – RODO, and of laws relevant to the medical sector, pertains to the overall system of protecting personal data, i.e. protection of both data processed conventionally and data processed through IT systems.
PDSP takes priority over any other internal by-laws and instructions issued in this regard.
The Policy contains detailed guidelines for numerous obligations imposed on the Personal Data Administrator (PDA). One of the most important obligations, apart from the obligation to take particular care in protecting the interests of persons concerned (obligation to protect data), is the information requirement (Article 13 RODO).
To learn more about the information requirement click here.
Privacy Protection Policy
Attaching particular importance to protecting the privacy of all persons, including patients visiting GPCC's websites, we have put in place the Privacy Protection Policy, which provides a framework for the processing (in particular: collecting, modifying, removing, and sharing) of data about persons visiting GPCC web services.
This information is easily accessible on the GPCC home page and at the bottom of each GPCC web page. GPCC strictly complies with the rules specified in the Policy.
Please read the Privacy Protection Policy carefully before starting to use the service. If you do not accept the terms of the Privacy Protection Policy, you must exit any GPCC service.
This notice relates to all websites and domains controlled by the GPCC, except for specific websites where other privacy protection rules have been published to be applicable instead of the above notice.
Contact for matters related to Personal Data Protection
Dear Sir / Madam,
Contact in case of personal data breach
In case of a personal data breach, please contact our Data Protection Supervisor – dr Mirosława Mocydlarz-Adamcewicz.
Exercise of data subject rights
In accordance with Art. 15 – Art. 22 of the GDPR, the data subject has specific rights, in particular the right to:
a) receive confirmation from the Administrator as to whether personal data concerning that person are being processed and, if so, to get access to the data being processed,
b) demand immediate correction of personal data concerning that person which are incorrect,
c) have data removed (the right to be forgotten),
d) limit data processing,
e) be notified of the correction or removal of personal data, or of the limitation of data processing,
f) transfer data,
h) object to automated decision-making in individual cases, including profiling.
If you wish to exercise your rights, please fill in the form and submit it or send it to the Data Protection Supervisor.
Greater Poland Cancer Centre applies video surveillance in order to ensure specific surveillance over the centre and the site around the centre in the form of technical solutions that enable image registration (monitoring). It is essential to ensure the security of our Staff, protection of property, and confidentiality of information whose exposure could harm the GPCC.
The monitoring excludes the following centre areas: sanitary spaces, the canteen, and space made available to the internal trade union, unless the use of surveillance in the above spaces is essential for the implementation of the aim stipulated in point 2b of this procedure and will infringe the dignity and other personal rights of the Staff, and the principle of autonomy of trade unions, especially through the use of techniques that make recognition of the persons staying in those spaces impossible.
The monitoring images are processed by the GPCC for the purposes for which they were gathered, and are stored for a period not exceeding 3 months from the day of recording.
Where monitoring recordings constitute evidence in legal proceedings, or our centre has been informed that they may constitute evidence, the period shall be prolonged until the final disposal of those proceedings.
After expiry of the above-mentioned periods, the recordings including personal data shall be destroyed, unless there are other provisions in place that specify otherwise.
The rooms and spaces under monitoring are marked in a visible and legible manner with appropriate signs.
The information clause is available in the attachments.