M. SKŁODOWSKA-CURIE’S GREATER POLAND CANCER CENTRE
Data collection rules
GPCC websites may be used without entering personal data. However, users on some websites may be asked to enter some data for identification purposes. Typically, such data is required during enrollment for health services, participation in scientific-didactic events led by GPCC (especially workshops, trainings, conferences) or in cases when a user decides to enter personal data allowing GPCC to establish contact with him/her. GPCC requests only such data that is essential for website functioning. If the user decides not to enroll or not to enter personal data, he/she may still use GPCC websites, but access to sections that require enrollment will not be granted.
During the data collection process GPCC abides by the existing legal regulations, and in particular complies with all restrictions and bans implemented by the legislator.
The following data categories may be distinguished based on the criterion of data acquisition:
- data obtained during enrollment in order to carry out scientific-didactic activity,
- data obtained during e-registration for health services,
- data obtained automatically,
- data obtained when the user contacts GPCC,
- data obtained for questionnaires.
Users are requested to provide accurate data, and data that they have at their disposal and may use.
Data obtained during registration in order to carry out scientific-didactic activity.
Users of a conducted scientific-didactic activity may be asked during registration to provide data such as: name, surname, scientific title, address, telephone number, fax number, e-mail address, user identifier, date of birth, sex, name and address of the institution/company (name of department, country, city, zip code, street name), name of the society of which a given user is a member, specialization, English level, career information (professional/scientific), CV (completed courses, professional and scientific experience). Registration is compulsory for a user who wants to take part in scientific-didactic events organized by the GPCC. Data obtained during registration will be used to enable the user to log in to a website dedicated to a given scientific event, to send a newsletter upon consent given, and to supervise the proper functioning of a conducted activity.
In case of registration for a scientific-didactic event for which payment is required, the following data is collected: payment data, payment status, payment method (card, transfer, on site), payment date and alternatively invoice data, i.e., company/institution name, address, zip code, city, country, VAT identification number, REGON number, VAT exemption, tax payer data (natural person/company).
Other required data, essential for processing a payment, is entered by the user only on the website dedicated to payment. Such data is stored in the database providing payment services.
Data collected during e-registration for health services
During e-registration for health services the user’s name and e-mail address are required, together with the following patient’s data: name, surname, PESEL number, sex, date and place of birth, telephone number, place of residence (street number, city, district, voivodeship, county, zip code). The legal basis for acquiring the above-mentioned data is the Act of 6 November 2008 on Patient’s Rights and Patients Ombudsman. The user deliberately and voluntarily enters the above-mentioned data in order to register for health services. Data collected during registration will be used solely to enable the user to log in to GPCC’s e-registration, including scheduling, cancelling or changing the date of a visit. Registration is compulsory when a given user wants to register electronically for health services.
Data collected automatically
During a user’s visit to GPCC’s websites, data concerning each visit is collected, in particular:
- IP addresses of devices, which connect with GPCC’s websites,
- IP address of user’s internet service provider,
- type, version and installed browser plug-ins,
- country, from which the user logs in,
- operating system name,
- resolution and monitor screen type,
- visit duration,
- website addresses which are visited by the user (within GPCC’s website),
- website address from which a given user entered GPCC website (if it was a browser then a key word entered in the search field, which is included in the link),
- external website addresses which a given user visited through a link placed on GPCC websites,
- information on downloaded documents from GPCC websites.
Information communicated by the user’s browser does not allow for his/her identification. GPCC collects such data in order to produce general statistics concerning the use of GPCC’s websites, which allows for a solid estimation of the level of users’ interest and for development of the websites, and also for diagnosis of problems connected with the server and analysis of a potential breach of security.
Data collected when the user contacts GPCC
Data collected for questionnaires
Proposals to take part in questionnaires appear periodically on GPCC’s websites. Data required to be entered may include contact details (name, surname, name of institution/organization, name of department, e-mail and shipping address), demographic data (country, city) or profile data (age, education, position, job). Filling in the questionnaires is always voluntary. Data collected in such a way will be processed anonymously for statistical analysis or for monitoring purposes and for improvement of services provided by GPCC’s website.
Data of persons who do not have full legal capacity
GPCC notes that it does not collect or monitor data that would enable determining whether a given user has legal capacity. The above-mentioned persons should not use the services provided by the GPCC, unless their legal representatives give consent for it and such consent is sufficient in the light of applicable law.
Prerequisites legalizing user’s data processing
The basis for processing personal data collected by GPCC websites is consent given by users and legal regulations authorizing data processing essential for realization of services provided by the GPCC and for contact with the user within conducted activity, in particular:
- Act of 6 November 2008 on Patient’s Rights and Patients Ombudsman,
- Act of 15 April 2011 on Medical Activity,
- Act of 28 April 2011 on Healthcare Information System,
- Act of 17 February 2005 on Informatisation of Activities of Entities Performing Public Tasks,
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
GPCC provides the user with the possibility to erase his/her data on demand and also in other cases, in particular based on the provisions of the existing law. GPCC may, however, refuse to erase data, particularly when the law requires so or when the user has not settled all amounts payable to GPCC (e.g., payment for participation in a scientific-didactic event) and data storage is essential for clarification of a given case.
Security of the processed data
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),
- Act of 18 July 2002 on Providing Services by Electronic Means
- Act of 17 February 2005 on Informatization of Activities of Entities Performing Public Tasks
- Branch Acts within the scope of medical law.
GPCC guarantees that it makes every effort in order to provide security of processed data. Therefore:
- implements security measures, both organizational and technical, whose main task is to secure processed data in a way relevant to the hazards and the data categories under protection. GPCC particularly protects data against making it available to third parties, unauthorised takeover, processing with violation of the Act as well as against any change, removal, damage or destruction,
- keeps a record of how data is processed and of the means mentioned above,
- allows data processing only by persons authorised and instructed to do so by the personal data administrator,
- provides control over which data, by whom it was entered to the system, and to whom it was transferred,
- keeps record of persons authorised to data processing.
GPCC provides an access control mechanism for websites on which user’s data is processed. Such data may be accessed exclusively using the user’s unique ID and after completed authentication. A user ID that has lost entitlement for data processing is not assigned to another person.
Access passwords are secured in a way that prevents their use by third parties. All passwords are encrypted, thus there is no possibility of viewing them. It is recommended to use a minimum of 8 characters, including small and capital letters, special characters and digits. All passwords to accounts should be stored in a safe place. You must not reveal them to third parties. If there is a suspicion that a password was used in an unauthorised way, the GPCC’s website administrators should be informed about the situation.
The right of access to personal data
The rights of access to the users’ personal data have been strictly limited by the GPCC. Full control is exercised over data processing to prevent the data from becoming accessible to unauthorised persons. The number of people with access was limited to the essential minimum necessary for proper running and administration of GPCC’s websites. These persons were granted authorisation and instruction on data processing by the Information Security Administrator, and since May 25th 2018 by GPCC’s Data Protection Supervisor, on behalf of the Personal Data Administrator, and were entered in a record of persons authorised for data protection in Greater Poland Cancer Centre.
Backups and data archiving
Data collected by the GPCC websites is subject to regular archiving. The data is stored for as long as it is necessary to deliver a service (conference, training, workshop, e-services of health benefits), and no longer than is required by the rules of law. Backup copies are located on high quality equipment in properly secured rooms to which access is limited (access only for authorised persons) and fully controlled.
Protection against power failure
Users’ data processed by the GPCC is secured in a way that minimises the risk of its loss in case of power supply failure or disruptions in the power network.
Protection against software whose aim is to gain unauthorised access
GPCC uses antivirus software updated on a daily basis, which lowers the risk of losses caused by computer viruses.
In order to minimise the impact of data security risk, the GPCC systematically updates operating systems and software, reducing the created gaps and making the data processing process safer at the same time.
Network traffic logbooks
GPCC uses software responsible for monitoring network traffic and unauthorised access to data, and for detection of computer viruses and other programs whose aim is to gain unauthorised access to data. The above software is used in GPCC exclusively for the purposes of secure data processing of the GPCC’s website users.
GPCC uses organisational and technical measures securing user’s personal data to protect against unauthorised access by third parties. In spite of the above, it cannot fully guarantee that the risk of unauthorised use of personal data by third parties (e.g., hackers) is completely excluded. GPCC is not responsible for a data security breach which remains beyond GPCC’s control. It is recommended that GPCC’s users who enter and share their personal data abide by the security rules of computer networks according to GDPR (General Data Protection Regulation).
GPCC uses various organizational and technical measures when processing data, such as personal data collected during e-registration, in order to secure personal data against unauthorised access, use and disclosure, and to ensure its integrity.
Data transmitted on the Internet is encrypted using the commonly used SSL (Secure Sockets Layer) encrypted connection. The SSL protocol secures data transmission over the Internet by encrypting data leaving the browser and decrypting it after it safely reaches GPCC’s server. Similarly, during transmission in the opposite direction, i.e., to the user, the data is encrypted before being sent out on the Internet and decrypted after reaching the destination.
Moreover, for the purposes of additional personal data protection on the Internet, all GPCC’s forms collecting personal data (conferences, trainings, workshops) are gradually being replaced with forms using the SSL protocol, which significantly increases the security of data transmission on the Internet. Once the user connects to the secure website, the user is informed that the connection is secured by the SSL protocol.
Data sharing and transmission
GPCC does not transfer (does not sell, does not lease) and does not share the data with third parties. However, in certain and limited situations, data transmission may happen:
- when the user allows for that,
- when it is required by law to share the data with the entities including judicial authorities,
- when it is essential for the purpose of providing services,
- when it is aimed at helping to fight fraudsters, illegal or detrimental actions, or at protecting the personal safety of GPCC’s employees,
- in case of control by entities authorised by the law (e.g., control by the supervisory body).
Pursuant to Article 18(6) of the Act of 18 July 2002 on Providing Services by Electronic Means, GPCC may be obliged to provide information, which is processed in order to implement the provisions of the agreement between the user and GPCC, upon request of relevant authorities authorised by law, for the purposes of conducted proceedings.
In case of such situations, GPCC takes appropriate steps in order to secure user’s personal data.
GPCC, as administrator within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), may contractually delegate the processing of personal data collected by its website services to other entities based on art. 28 of the General Data Protection Regulation.
In order to improve the functioning of GPCC’s websites, cookies or the like are used. Cookies are small text files which are transmitted by the server/website to the internet browser or other user’s device and stored on the local hard drive of the website user.
Cookies are used mainly for the identification of the user’s browser when the user uses the website, in a way needed for the realisation of some functions on the website. They also allow the administrator to better adjust the website to the individual preferences and interests of the user, and they make it possible to perfect the navigation and content of the website. The data stored in cookies does not cause configuration changes in the final device or in software installed on this device.
According to art. 173 of the Act of 16 July 2004 of Telecommunications Law, saving text files on the user’s PC drive is allowed as long as the user is informed beforehand. Cookies work when the user accepts the appropriate option in the Internet browser and the files (cookies) are not subsequently deleted. In most cases no configuration changes of the internet browser are required on the part of the user, as in the default configuration cookies are conventionally accepted. The user may, however, specify the way of dealing with the obtained cookies. The user may block them totally or choose settings that allow deciding each time whether to accept cookies coming from a given website. These functions are available in the configuration options of the internet browser. In order to find out more about these functions you need to acquaint yourself with the browser’s manual.
During GPCC’s website visit cookies are saved on the user’s PC (the name of currently used language version of the website, the information allowing for session identification) for the following purposes:
- better adjustment of the websites to user’s needs,
- the creation of internet surveys and securing them against multiple voting by the same people,
- maintaining the user’s session (after log in), thanks to which the user does not need to enter user’s name and password on every website.
Web-links with other websites. Exclusion of accountability
Change of personal data and obligation of the right to inform and control the processed data.
Each person, whose data is processed on GPCC’s websites has the right to access his/her data, to change, to control and obtain information about processing rules (art. 13-15 GDPR). Information Clauses have been described on GPCC’s website (www.wco.pl) on Information Security tab/ Personal Data Information Security.
Thus, in case of any queries or doubts connected with the above issues all users visiting GPCC’s websites may contact Data Protection Supervisor at firstname.lastname@example.org or using regular post address:
Greater Poland Cancer Centre
With annotation Information Security Administrator, and since May 25th 2018 Data Protection Supervisor.
Latest update: April 17th 2018
Prof. Julian Malicki
Director of Greater Poland Cancer Centre