Contact the Maltese National Contact Point (NCP)

Kindly fill the online form through the Contact Us section or write to crossborderhealth@gov.mt.

By submitting your data via email, you consent to the processing of your data as specified in the Privacy Statement below. 

General Data Protection Regulation (GDPR) 

This section is essential because we wish to address data protection issues while informing our clients of their rights and obligations. Data protection is the process of protecting sensitive information from damage, loss, or corruption. The amount of data being created and stored has increased at an unprecedented rate making data protection increasingly important. Everyone responsible for using personal data must follow strict rules called ‘data protection principles’ and should make sure the information is used fairly, lawfully, and transparently. 

The protection of personal sensitive data is of utmost importance to a patient or client as well as to the administrator of the data. Data held for health reasons includes personal data and identifying markers such as identity card numbers and passport numbers, data pertaining to the health status of a data subject which reveal information relating to the past, current, or future physical and mental health status of the data subject. Such information can include information on the subject collected during registration or provision of healthcare as indicated in Directive 2011/24/EU of the European Parliament and of the Council of Europe. This information can be derived from testing and may include genetic data and disease, disability, disease risk, treatment, and medical history.  

The General Data Protection Regulation (EU) 2016/679 (GDPR) and the Data Protection Act, (Cap 586) ​regulate the processing of personal data whether held electronically or in manual form. This office has the legal duty to respect and protect any personal information collected previously and will abide by such duty. All safeguards necessary have been taken to prevent unauthorised access and transfer of details collected from you as a visitor to any third party or Government Department unless you give your consent for such transfer. 

Clients may request at any time whatever personal information is effectively held, if any, at any particular time. Clients have the right to have any inaccuracies corrected and where applicable erased. 

Ministry for Health and Active Ageing Office of the Chief Medical Officer  Department of Policy in Health  Cross Border Health Care Unit  Data Protection and Retention Policy

SCOPE 

1. This Policy is aimed at regulating the retention, maintenance, and disposal of documentation, both personal and other, within the Cross Border Health Care Unit within the office of the Chief Medical Officer, as provided for in the terms of requirements emanating from legal provisions in such other acts as the Public Administration Act (Chap. 595) and directives emanating therefrom, and in accordance with the principles of data protection legislation, and the National Archives Act (Chap. 477).  

BACKGROUND 

• In accordance with the General Data Protection Regulation ((GDPR) (EU) 2016/679) personal and sensitive personal data should not be retained for periods that are longer than necessary. Because the Cross Border Health Care Unit collects and processes data it is setting this retention policy for all records collected and processed, with the purpose of ensuring compliance to the GDPR and to ensure that no resources are utilised in the processing and archiving of data which is no longer of relevance. 

OBJECTIVES  

• The following objectives are set:  

• Regulate the retention of and disposal of records within the Cross Border Health Care Unit whilst adhering to the Data Protection principle that personal data should not be retained for longer period than is necessary; as per Article 5 (e) of the GDPR. 

• Dispose of unnecessary, no longer relevant documentation that is taking up useful storage space: as per Article 17 of the GDPR.  

• Where reasonably possible the digitisation of documentation will be promoted to minimize the use of storage space, thus promoting sustainable use of paper and printing consumables.  

THE DATA SUBJECT RIGHTS 

• The data subject is entitled to know and can request information free of charge on what type of information and processes are held in his/her name and why, as well as who has access to it, how it is held and kept up to date, for how long it is kept, and what is being done to comply with data protection legislation.  

Formal procedures for dealing with data subject access requests are established by GDPR. All data subjects have the right to access any personal information kept about them by the Cross Border Health Care Unit in electronic or manual form or both.  

Requests for access to personal information by data subjects are to be made in writing using the Request to Access that is the Personal Data Form available on the Data Protection webpage of health.gov.mt [Data Protection (gov.mt)]and sent to the Data Protection Officer within the office of the Chief Medical Officer on cmo.doh@gov.mt. The data subject identification details such as ID number, name and surname are to be submitted with the request for access. Whenever identification difficulties are encountered, the data subject may be asked to present an identification document.  

ADMINISTRATION  

5.     Documentation is held and recorded by the Cross Border Health Care Unit within the Offices of the Chief Medical Officer This policy is therefore applicable to all such documentation. It will be the responsibility of the Chief Medical Officer and any other deputy, supervisor or administrator who may be delegated to ensure that all provisions of this policy are adhered to.   

6.      All staff that create, maintain, process and store records mentioned hereunder are responsible to observe and implement the instructions given in this policy.  

7.     Following appropriate consultation and direction the Cross Border Health Care Unit, may modify this policy as deemed appropriate from time to time to ensure compliance with state laws.  

DOCUMENTATION HELD WITHIN THE CROSS-BORDER HEALTH CARE UNIT  

8.     As part of its operating requirements the Cross Border Health Care Unit requests, keeps and maintains a wide range of documentation including personal data. The type of data that is being utilised by the Cross Border Health Care Unit may be listed as follows: 

• Patient’s File 
• Electronic data  

SECURITY OF DOCUMENTATION  

9.     Documentation in the form of paper-based documents and electronic data is maintained in an accessible but secure location with adequate access provided to officials who have the clearance level to access the relevant documentation. In the case of documents with sensitive personal data with higher clearance levels, access control protocols are fully adhered to, to ensure that only those that have the required security clearance have access to such documentation.  

10     In the case of personal data, the GDPR also stipulates that only those required to process personal data should have access to personal records.  

11.   Personnel who are found to be in breach of these security protocols, and thus in breach of the GDPR, will be subject to disciplinary action as per Article 33 Clause (5) of the GDPR.  

IMPLEMENTATION OF THE RETENTION PERIOD 

12   Retention period is the period in which data is allowed to be kept and stored. Personal data shall be kept for no longer than is necessary for the purposes for which the personal data are processed. 

The implementation of this retention periods shall come into force as from 1^st January 2022 and covers all data held at the Cross Border Health Care Unit.   

RETENTION PERIOD 

13.   The Retention schedule outlined in Appendix One describes the retention requirements for the various categories of documentation within the Cross Border Health Care Unit. 

14.     The same retention period will apply for both electronic (if applicable) and manual data.  

EXEMPTIONS  

15.   Situations might arise where the retention of particular documents longer than is stipulated in this document may be necessary. Examples include institution of court or ombudsman proceedings, or freedom of information requests, or requests may be still pending or in other serious cases of importance such as audits on the Cross Border Health Care Unit, the retention period shall be suspended as deemed appropriate by the management team at the Cross Border Health Care Unit and the Data Controller   

CONCLUSION  

16.   This retention policy is intended towards achieving a good working balance between the retention of useful information and the disposal of data which is no longer required and is being unnecessarily archived. Data that needs to be destroyed will be disposed of in an efficient manner to ensure that such information will no longer be available within the Treatment Abroad Unit. Data Protection Controllers, Heads, and DPOs will be made aware of the noted retention periods and will instruct all relevant personnel to follow the indicated procedures accordingly. 

NB. It is to be noted that anonymised data do not fall within the parameters of this Retention Policy, since they do not constitute identifying personal data.  

 The Data Protection Officer of the Cross Border Health Care Unit may be contacted at:  

Address:  

Office of the Chief Medical Officer  

Department of Policy in Health  

15, Merchants Street  

Valletta 

E-mail: cmo.doh@gov.mt  

Telephone: 22992578 

The Information and Data Protection Commissioner 

The Information and Data Protection Commissioner may be contacted at:  

Level 2,  

Airways House,  

High Street,  

Sliema  

SLM 1549 

 Email: idpc.info@gov.mt  

Telephone: 2328710 

Privacy Statement

*Disclosure for the protection of personal data		Information notice provided pursuant to EU Regulation 679/2016 (General Data Protection Regulation) and the Public Administration At (Chap. 595) and the National Archives (Chap. 477), for data processing aimed at facilitating access to cross-border healthcare regulated by Directive 2011/24/EU and implemented by the L.N. 389 of 2013 and subsequent amendments.
		Dear Sir/Madam,
		pursuant to Art. 6 of Directive 2011-24-EU and L.N. 389 of 2013, a National Contact Point (NCP) for cross-border healthcare has been established within the Ministry for Health. Following the receipt of your request for information, the Maltese Ministry of Health becomes the Data Controller of the data you provide, based on a regulatory obligation deriving from EU law [Directive 2011-24-EU] and from the Public Administration At (Chap. 595) and the National Archives (Chap. 477) and EU Regulation 679/2016 (General Data Protection Regulation).
		The Ministry for Health, through the National Contact Point (NCP), hereby informs you of the following:
		1 Principle of lawfulness: the National Contact Point (NCP) collects data following the voluntary submission of your data;
		2 Principle of transparency: the Cross-border Healthcare website [crossborderhealth@gov.mt] provides information on this route and all information is made available to the public. Further queries can be made via links provided in the same website.
		3 Principle of fairness: concerning cross-border healthcare services, provided in accordance with Directive 2011/24/EU, the regulations provided by the legislation of the Member State of affiliation shall apply, concerning the type, limits, and settings for which reimbursent may be granted. On the other hand, for the provision of services, the regulations of the Member State where care is provided shall apply particularly to health care providers authorised to provide health care and medical treatment. This is consistent with the provisions of Article 168(7) TFEU, under which the organisation and provision of healthcare services and medical assistance remain the responsibility of the individual Member States;
		4 Purpose of processing: the National Contact Point (NCP) is responsible to provide you with the appropriate information on cross-border healthcare so that you can exercise your rights regarding cross-border healthcare as regulated by EU law [Directive 2011-24-EU] and L.N. 389 of 2013 of the laws of Malta. Data relating to the country of affiliation, country of treatment, response time and the reason for the service will be used in an anonymous and aggregated form for statistical purposes, to be provided to the appropriate authorities at European level (pursuant to Directive 2011-24-EU and European Regulation 2018/1724). The following is the list of data used for statistical purposes: country of affiliation, country of treatment, reason for the service, city of residence, country of residence, nationality, telephone number, e-mail address, European Union member state where you are registered for healthcare.
		5 Scope of processing: if your intention is to receive healthcare in another Member State other than the state of your affiliation, it is suggested that firstly you identify the regulations that apply in the Member State where the care will be provided and those of the Member State of affiliation. You have a right to make an informed decision;
		6 Relevance of data: for making an informed decision to seek healthcare in another Member State the National Contact Point will guide you through the process and assist you to make the decision relevant to your situation.
		7 Data minimisation: the National Contact Point’s responsibility is to assist you to make the right decision in your circumstances and therefore you will be asked only for the minimum data necessary for prior authorisation and/or reimbursement.
		8 How to make contact with the NCP: the National Contact Point (NCP) may be contacted through the available contact form in this website (Contact Us section) or by sending an e-mail to crossboderheath@gov.mt or by phone (+356 2299 2381) directly as indicated in the contact us section;
		9 Types of data: in general, only essential data about your illness or condition is necessary. This can be done by using the contact form or to the dedicated e-mail address. The following information is essential  – First name  – Surname  – City of residence  – Country of residence  – Nationality  – Telephone number  – E-mail address  – Whether you are registered with a health system of a European Union Member State  – Indication of the European Union Member State you are registered in  – Country & centre where you wish to undertake treatment  – Reason for your request  – Details of your request;
		10 Data processing: the National Contact Point under the auspices of the Ministry for Health of Malta, shall process your data limited to what is necessary in relation to the fulfilment of the principles and purposes set out above, namely: collection, storage, consultation and processing, deletion, disclosure, and dissemination exclusively in an anonymous and aggregated form. Your data shall be processed and stored in accordance with the provisions contained in Regulation (EU) 679/2016 and Public Administration At (Chap. 595) and the National Archives (Chap. 477). There are no charges in these processes;
		11 Authorised personnel to carry out these processing operations: your personal data shall be processed exclusively by officials who have been specifically authorised and trained by the Data Controller for the purposes provided for in this information notice pursuant to Article 28 of EU Regulation 679/2016;
		12 Request response times: The National Contact Point and the Cross-border Healthcare office shall reply within 7days. Should the deadline be extended, you will be informed accordingly.
		13 Data transmission: within the time limits set out in point 12) the National Contact Point (NCP) will provide the person who sent the request with a response to enable him/her to understand the safety and quality of care standards applied in the country where cross-border healthcare is being requested.
		14 Data retention: the data you provide will be stored in the database of the National Contact Point (NCP) for a maximum of five years from the moment you receive the information on access to cross-border healthcare, without prejudice to possible exceptions due to the requirements of the specific case in question, which will be made known to the data subject;
		15 Data subject rights: at any time, pursuant to Articles 15 to 22 and 77 of EU Regulation No. 2016/679, you may exercise the right to:
		a) request verification as to whether or not personal data concerning you exist;
		b) obtain information about the purposes of the processing, the categories of personal data, the recipients, or categories of recipients to whom the personal data have been or will be disclosed and, where possible, the storage period;
		c) have data erased if it is deemed that said information is not relevant;
		d) ask the Ministry for Health of Malta for access to and rectification of your personal data, if you consider that this information is inaccurate;
		e) withdraw the initial consent given when providing the data;
		f) lodge a complaint with the Maltese Data Commissioner by writing to the following address: idpc.info@gov.mt.
		Requests for access to personal information by data subjects are to be made in writing using the Request to Access that is the Personal Data Form available on the Data Protection webpage of health.gov.mt [Data Protection (gov.mt)]and sent to the Data Protection Officer within the office of the Chief Medical Officer on cmo.doh@gov.mt.
		I authorize the Ministry of Health to process my personal data for institutional purposes. I declare that I have read the above information (Disclosure for the protection of personal data) relating to the EU Regulation 679/2016 (General Data Protection Regulation) and the Public Administration At (Chap. 595) and the National Archives (Chap. 477).