Press release 22/2019
The DSK takes a Stance on Personal Identifiers and Responsibility in the Telematics Infrastructure
The Conference of the Data Protection Commissioners of the Federation and of the Länder (DSK) rejects the use of unique, inter-administrative personal identifiers for the direct identification of citizens, which was taken into consideration by the Federal Government. As to the connectors used for connecting doctors’ surgeries to the telematics infrastructure of the health care system (TI), the DSK thinks that doctors’ surgeries and the Gesellschaft für Telematikanwendungen (“company for telematics applications” (gematik)) share responsibility for compliance with data protection law.
The main topic of the DSK’s Intermediate Conference taking place in Mainz, on 12/09/2019, was the Federal Government’s envisaged modernisation of the domain of registers in Germany and the introduction of inter-administrative personal identifiers, which has been discussed within this context.
In its resolution on this issue, the DSK points out that the creation of an infrastructure with inter-administrative unique personal identifiers would cause significant risks for data protection and it would raise severe constitutional concerns. The DSK recalls that for decades, the Federal Constitutional Court has been imposing very tight restrictions on the introduction and processing of such personal identifiers.
The Deputy BfDI, Mr. Jürgen H. Müller, said:
We are generally open-minded towards the modernisation of registers. It is certainly a gain for citizens to be able to use administrative services more easily by using data that have been stored only once. However, it is imperative that this advantage and the expected efficiency improvements for the public administration are accompanied by a high level of data protection.
Another subject of the Conference was the distribution of responsibility relating to data protection law as to the TI. For a long time there has been uncertainty as to whether the so-called connectors functioning as an interface and connection point between the surgeries ‘systems, for example in doctors’ surgeries and the TI, fall within the responsibility of the persons running the surgery or of the gematik.
As it is the gematik’s statutory task to guarantee the operational and secure operation of the TI and, as in this connection, the gematik essentially determines the means for data processing in the TI, the DSK concluded that, in addition to the operators of doctors’ surgeries, the gematik has a share of responsibility for the connectors with regard to data protection law. In order to achieve a legally secure regulation of this sharing of responsibilities in the future, the DSK recommends to the legislator to establish a legal regulation with normative clarity.