Secure automated emails with Covid-19 test results, fully compliant with European privacy laws

Customers: Dutch national Health organization GGD-GHOR and Commercial Covid-19 test facilities.

In a few sentences, please tell us why this initiative is important to the privacy world and three big takeaways that you’d like the reader and audience to know.

This initiative is important because it demonstrates that security and privacy can be maintained while processing large volumes of automated e-mails with highly confidential medical information.

For the Dutch national Health organization GGD-GHOR and Commercial Covid-19 test facilities SecuMailer processed almost 75% of all covid-19 test results in the Netherlands in 2021 and 2022, without any data leaks and compliant with stringent government requirements. Test results were send by secure email with SMS code to Dutch citizens. Fully compliant with GDPR and eIDAS regulations.

3 big takeaways:

• Secure Email can be made fully compliant with the GDPR
• Secure Email can be used for medical information if supported by a well thought out standard (eIDAS standard for protecting medical information via registered email)
• Data minimalization leads to better privacy guarantees

Briefly describe any barriers to developing this privacy initiative.

• Secure email with medical information needs to be protected by using 2FA for sender and recipient.
• Automated emails have to be processed without human interaction.
• Personal data of EU citizens cannot be processed without extra security measurements in the USA, due to Schremms II.
• Due to the large volumes (20,000,000 in 2 years’ time) it was not acceptable if the recipients had to make a significant effort to open the email.
• Due to GDPR it is advised to avoid extra copies of emails in portals or cloud (to comply with the data minimalization principle).
• Test results (medical information) should be private and only available for the tested person and the medical specialists.

What is the impact of the initiative on data subject privacy and the proportion of data subjects affected?

The initiative had impact on all citizens and tourists in The Netherlands who wanted to do a Covid-19 test for traveling. This has been approximately 20,000,000 data subjects in 2 years’ time.

The privacy of all data subjects is fully protected during the communication of the test results. No data leaks have been reported.

Provide 2-4 specific examples and metrics demonstrating how this privacy program or initiative has enhanced the organization and its bottom line.

0 data leaks reported ( test results delivered to wrong recipient)

20,000,000 test results processed in 2 years’ time

Less than 0,1% recipients needed assistance with opening the test results

The delivery time of the test results is time critical. Less than 0,1 % of the data subjects has missed the start of their vacation because the test results were not on time.

In a few sentences, please explain what privacy risks are reduced by this initiative.

By securing the automated emails the following privacy risks are reduced:

• No emails are send to the wrong recipient
• No medical information is revealed by email to persons that are not entitled to this information
• No emails were processed on USA located systems, so no dependency on the privacy shield.
• No emails were sent to insecure mail servers
• This all leads to the conclusion: The customer has not suffered any dataleaks due to her secure email program and therefore all fines for the GDPR are avoided

By using secure email technology instead of web based portals to inform the recipient of his/her test results :

• No extra copies of the test results are created
• No data concentration is created

Provide specific examples of how the privacy initiative has been integrated into the organization.

The following process is developed for testing persons for Covid-19 and sending test results and travel documents:

Step1: test person plans appointment (online booking process) for the test

Step 2: email address is verified for correct and secure status

Step 3: test person is authenticated with 2FA on test site during test

Step 4: within 12 till 24 hours the test results and travel documents are send by automated secure email to the verified email address.

Implementation:

Onboarding with SecuMailer is done by the following steps:

• Buy your solution at AWS marketplace
• Follow your implementation instructions ( 30 minutes- 2 hours work)
• Get personal workshop to integrate alle privacy measures also in your organization policy
• Start sending out all your emails secure and fully compliant with GDPR and eIDAS

Background information SecuMailer:

SecuMailer is a private company. We provide our customers with a SaaS solution to send confidential information by secure email.

SecuMailer was started in 2017 by Yvonne Hoogendoorn CIPP/e and Meint Post CISSP / ISSAP

SecuMailer is fully compliant with the GDPR and certified for eIDAS ,  ISO 27001 and has the ECSO-label ( European Cyber Security Organization).

SecuMailer is available in the AWS marketplace.

SecuMailer is one of the founders of the Dutch regulation for secure email with personal medical information. This regulation combines elements of the GDPR, The eIDAS and the Dutch medical laws.