We are not lawyers, this is not legal advise.
It is your responsibility to discover what law applies to you and how to best comply with it. In case of doubt, consult your Data Protection Officer (DPO) or equivalent.
How do I comply with HSLF-FS 2016:40 4 kap. 9 § Kontroll av åtkomst till uppgifter?¶
Here is how we recommend to comply with Swedish Patient Data Laws, specifically HSLF-FS 2016:40 4 kap. 9 § if you host your application on Welkin.
Legal Context¶
Swedish Patient Data Laws mandate having audit logs (who did what and when) for accesses to healthcare data. Socialstyrelsen has rulemaking power. Their regulation, HSLF-FS 2016:40, states the following:
9 § Vårdgivaren ska ansvara för att
- det av dokumentationen av åtkomsten (loggar) framgår vilka åtgärder som har vidtagits med uppgifter om en patient,
- det av loggarna framgår vid vilken vårdenhet eller vårdprocess åtgärderna vidtagits,
- det av loggarna framgår vid vilken tidpunkt åtgärderna vidtagits,
- användarens och patientens identitet framgår av loggarna,
- systematiska och återkommande stickprovskontroller av loggarna görs,
- kontroller av loggarna dokumenteras, och
- loggarna sparas minst fem år för att möjliggöra kontroll av åtkomsten till uppgifter om en patient.
Technical Context¶
In IT systems used in healthcare, we usually have two types of accesses:
- "Front-door" access used by the caregiver, e.g., via a web browser or mobile app.
- "Back-door" access used by the technician, e.g., via the Kubernetes API, SSH-ing to the server, walking into the server room.
It is clear that HSLF-FS 2016:40 4 kap. 9 § demands a 5-year retention period for access logs generated by caregiver access. (They also want said logs to be regularly reviewed, but that's a different story.) Application Developer can read this page for details on how to correctly implement this part.
For access logs generated by technicians -- i.e., application developers, platform administrators and the administrators of infrastructure providers -- the answer is complex. We had discussions with IMY, and they seem to want us to observe both:
- Art. 5 GDPR "purpose limitation", which pushes to shorter platform audit logs;
- Art. 32 GDPR "security of processing", which pushes to longer platform audit logs; in fact, IMY gave a reprimand for missing access logs in some cases.
We talked to some industry experts. Some interpreted this as "retain platform access logs for exactly 30 days and no more". Others interpreted this to be 90 days.
We recommend you set up long-term log retention (5 years) for relevant application logs according to the link above, but retain platform audit logs for 30 days.