ResMed EasyCare Tx 2 GDPR Software User Guide
- June 12, 2024
- ResMed
EasyCare Tx 2
GDPR Guide for EasyCare Tx 2
Introduction
On 25 May 2018 the European General Data Protection Regulation (GDPR) came
into effect. To read the complete GDPR, in the language of your choice, go to:
http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:32016R0679
As a user of EasyCare Tx 2, you may process sensitive personal data about
natural persons. Your organization has completed a readiness review for GDPR
and you must always follow the policies and guidance of your organization when
processing sensitive personal data. This GDPR Guide is intended for
informational purposes. You should consult with your own legal and privacy
experts relating to the applicability of GDPR to your particular facts.
A secondary purpose of this document is to clarify privacy topics that may not
be clear when operating EasyCare Tx 2. In an era of connected devices, it’s
important to note that the EasyCare Tx 2 is a standalone desktop product that
only connects to other EasyCare Tx 2 tools and devices.
The EasyCare Tx 2 can be operated as intended without processing any personal
data. The section below titled “Article 11 – Processing which does not require
identification” describes how you can achieve this. You should review the
operations of EasyCare Tx 2 within your organization to ensure your use of
EasyCare Tx 2 is compliant with your organization’s policies.
This Guide is organized by the Articles of the GDPR, selecting only the
Articles that apply or require clarification. If a GDPR Article is not listed
in this Guide, that Article does not apply to the use of EasyCare Tx 2.
By providing EasyCare Tx 2, ResMed is acting as an Independent Software Vendor
(ISV), and is not acting as a Data Controller nor Data Processor in normal
operations.
Article 4 – Definitions
Data concerning health means personal data related to the physical or mental
health of a natural person, including the provision of health care services,
which reveal information about his or her health status.
Data Controller means the natural or legal person, public authority,
agency or other body which, alone or jointly with others, determines the
purposes and means of the processing of personal data.
Data Processor means a natural or legal person, public authority, agency
or other body, which processes personal data on behalf of the Data Controller.
GDPR is the European General Data Protection Regulation, which came into
effect on 25 May 2018. The exact official title is Regulation (EU) 2016/679
but the term “GDPR” is widely known and understood.
Personal data means any information relating to an identified or
identifiable natural person (“data subject”); an identifiable natural person
is one who can be identified, directly or indirectly.
Pseudonymization means the processing of personal data so that the
personal data can no longer be attributed to a specific data subject without
the use of additional information.
Article 9 – Processing of special categories of personal data
EasyCare Tx 2 is assessed to be processing sensitive personal data concerning
the health of a natural person, as declared in paragraph (1) of Article 9.
You are responsible for obtaining consent from the data subject to allow
processing under paragraph (2) a) of Article 9, in order to obtain a legal
basis for processing a special category of personal data.
Article 11 – Processing which does not require identification
EasyCare Tx 2 does not process or save any personal data.
Article 12 – Data Subject Request
EasyCare Tx 2 does not store or process any personal data. EasyCare Tx 2 only
displays live data from the titration device.
Article 14 – Information to be provided where personal data was not obtained from the data subject
Article 14 does not apply to the use of EasyCare Tx 2, as no other Data
Controllers are involved.
EasyCare Tx 2 does not transmit data nor collect data of any nature with
another Data Controller or Data Processor. There are no automated
transmissions of data from EasyCare Tx 2 back to ResMed.
EasyCare Tx 2 is solely within the security domain of your organization’s
Windows domain or desktop profiles.
EasyCare Tx 2 displays titration data from ResMed devices based on the
interaction of that device with a data subject. The ResMed device that
provided the data is under the control of you, acting as the same Data
Controller that obtained the personal data.
Article 17 – Right to erasure (“right to be forgotten”)
Article 17 does not apply to the use of EasyCare Tx 2, as EasyCare Tx 2 does
not store or process any personal data.
Article 20 – Right to data portability
Article 20 does not apply to the use of EasyCare Tx 2, as EasyCare Tx 2 does
not store or process any personal data.
Article 22 – Automated individual decision-making, including profiling
The EasyCare Tx 2 software does not perform profiling or automated
decision-making. The EasyCare Tx 2 software is used for decision-making by
trained medical professionals operating the EasyCare Tx 2.
Article 25 – Data protection by design and by default
ResMed has assessed the state of the art, cost of implementation, and the
nature, scope, context and purposes of processing for this upgrade of EasyCare
Tx 2. As a manufacturer of medical devices, ResMed has an existing robust
process for cybersecurity by design in all our devices, desktop products, and
cloud services. As an independent software vendor for the EasyCare Tx 2
desktop suite, privacy by design was added to our cybersecurity by design
protocols.
Specific to the EasyCare Tx 2, this is reflected in the ability to operate the
EasyCare Tx 2 without any personal data. This complies with the data
minimization guidance for privacy by design.
You can learn more about your organization’s obligations under GDPR by
contacting the appropriate department of your organization. You can also
inspect the site of the European Commission Rules for business and
organizations on data protection reform here:
https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations_en
You can also search the site of your national Data Protection or Privacy
Commission.
Article 32 – Security of processing
EasyCare Tx 2 maintains audit records of processing activities in the Windows
event logs.
After you deploy EasyCare Tx 2, you must re-boot the personal computing device
to apply the updates to the Windows Event log configuration. The reboot is
required for Windows to create a new Event log file specific to EasyCare Tx.
The EasyCare Tx 2 log appears under the Event folder “Applications and Service
Logs”. EasyCare Tx 2 will share the same file as the original EasyCare Tx
application. The EasyCare Tx 2 events are found in a Windows file located at:
%WINDIR%\System32\winevt\Logs\EasyCare Tx.evtx
If you have not re-booted the personal computing device after deploying
EasyCare Tx 2, EasyCare Tx 2 log entries are found in the “Windows
Logs\Applications” location, and you must filter down to select the relevant
log entries.
The Event Data source describes the specific actions performed by the User
against specific patient records.
Appendix A (below) displays Event Data and the activity associated with that
Event Data.
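The following PowerShell is an added example, not part of the ResMed guide or
the EasyCare Tx 2 product. It checks whether the dedicated “EasyCare Tx” log
described above exists, reports the settings that govern how long its audit
records are kept, and otherwise falls back to the Application log. The event
source name is an assumption (the guide does not state it) and appears as a
placeholder.

```powershell
# Added example, not vendor code: find EasyCare Tx 2 audit records in either location.
$DedicatedLog = 'EasyCare Tx'    # from the guide: ...\winevt\Logs\EasyCare Tx.evtx
$FallbackLog  = 'Application'    # where entries land until the post-install reboot
# ASSUMPTION: the guide does not name the event source. Replace this placeholder
# with the Source value Event Viewer shows for EasyCare Tx 2 entries.
$AssumedSource = 'EASYCARE-TX-SOURCE-PLACEHOLDER'
$Since = (Get-Date).AddDays(-7)

$log = Get-WinEvent -ListLog $DedicatedLog -ErrorAction SilentlyContinue
if ($log) {
    # Dedicated log exists: report settings that decide how long audit records survive.
    [pscustomobject]@{
        Log         = $log.LogName
        Enabled     = $log.IsEnabled
        Mode        = $log.LogMode               # Circular = oldest records overwritten
        MaxSizeMB   = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
        RecordCount = $log.RecordCount
        File        = $log.LogFilePath
    } | Format-List
    $filter = @{ LogName = $DedicatedLog; StartTime = $Since }
} else {
    Write-Warning "Log '$DedicatedLog' not found; has the device been re-booted since deployment?"
    $filter = @{ LogName = $FallbackLog; ProviderName = $AssumedSource; StartTime = $Since }
}

# Get-WinEvent raises an error when nothing matches; treat that as an empty result.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
"{0} event(s) since {1:u}" -f $events.Count, $Since
$events | Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, MachineName, Message |
    Format-Table -AutoSize -Wrap
```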
Your organization has determined the risk profile for the operations of the
EasyCare Tx 2 software, based on the unique operating conditions within your
organization. Part of that risk assessment includes the use of Windows desktop
encryption capabilities. There are commercial and free desktop encryption
products that provide state-of-the-art encryption services, and the EasyCare
Tx 2 system will operate as intended on encrypted disks.
If your encryption services use folder level encryption, you should check with
your organization’s policies for encrypting this data.
You must encrypt this folder in consultation with your Windows IT
Administrator.
User management, including password requirements for EasyCare Tx 2, is
performed solely via Windows event log folder. If a Windows account can log in
to a personal computing device where EasyCare Tx 2 is deployed, that account
can launch EasyCare Tx 2.
As a best practice for data protection, the device running EasyCare Tx 2 must
implement Windows inactive desktop lockout policy. Contact your Windows IT
Administrator to understand how your organization has implemented this
control.
Article 44 – General principle for transfers
The EasyCare Tx 2 system does not transmit data of any type to ResMed or any
other Controllers or Processors. Any transfer of personal data from EasyCare
Tx 2 can only be performed manually by an authorized member of the Data
Controller operating EasyCare Tx 2.
Article 87 – Processing of the national identification number
The use of a national identification number is not required for the effective
operation of EasyCare Tx 2, and ResMed recommends that the national
identification number not be used within EasyCare Tx 2.
Appendix A – Examples of Windows event log entries
The following screen shots are examples of what the entries in the Windows
event logs will look like:
ACTION: User “Chris” successfully logged in to an EasyCare Tx 2 system.
ACTION: User “Chris” closed EasyCare Tx 2.
ResMed Corp
9001 Spectrum Center Blvd San Diego CA 92123
See ResMed.com for other ResMed locations worldwide.
Microsoft and Windows are either registered trademarks or trademarks of
Microsoft Corporation in the United States and/or other countries.
For patent and other intellectual property information,
see www.resmed.com/ip.
© 2022 ResMed Corp RH-1081034/1 2022-11
ResMed.com