General Data Protection Regulation
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
The General Data Protection Regulation (‘GDPR’) regulates the main rights and principles in relation to the processing of personal data. The ‘processing’ of personal data can be interpreted in a very broad sense. In a situation where someone keeps a list of postal addresses on their laptop, the person processes personal data. If, however, one does not only keep personal data such as a name or an address, but also records data that demonstrate someone’s health, then we are also talking about health data. Within the GDPR, health data is being defined as both the physical and mental health data of a person, including health care services. Such data shall be considered as sensitive data in the context of the GDPR. Therefore, since the health sector processes personal data on a large scale, which are often also very sensitive to privacy (cf. data on a person’s health), the provisions of the GDPR are of great importance.
Legitimate grounds for processing data
In order to process this privacy-sensitive data, one must invoke a legitimate ground to carry out this processing. In the context of health data, the processing of such data can rely on the lawful basis laid down in Article 9(2)(h) GDPR in the context where processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, provision of health or social care or treatment, management of health or social care systems and services, under a contract with a health professional or another person subject to professional secrecy under law. However, processing is only allowed if it is carried out by a healthcare professional covered by professional secrecy or by another person covered by an equivalent obligation. Moreover, if the health service is discontinued, a different legal basis should be invoked in order to continue the lawful processing of health data. In such case, explicit consent can be asked from the patient. Those who want to rely on consent to keep track of health data will therefore have to ensure that the consent is freely given, specific, informed and unambiguous.
Obligations resulting from the GDPR
Overall, the GDPR leaves most regulations in the medical sector, such as professional secrecy, unaffected. Still, the GDPR also entails the following obligations that should be complied with in the health sector. Firstly, according to Article 12 GDPR the patient should be informed regarding which data is processed and for which the specific purpose(s). Secondly, the processor of health data should keep a register of processing activities (Art. 30 GDPR). Considering the sensitive nature of the data processed, the processor of health data should also carry out a data protection impact assessment as described in Article 35 GDPR. Lastly, a data protection officer (‘DPO’) should be appointed.
European Union, European Parliament and the Council. (2016). Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC. Retrieved from https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN.
ARMSTRONG, J.P. & BYWATER, A. (2017). What Healthcare Organizations Should Know about the GDPR. Retrieved from https://whitepapers.em360tech.com/wp-content/uploads/GDPR-Implications-of-the-GDPR-in-Healthcare-042717-d1.pdf.
Article 29 Data Protection Working Party. (2017, November 28). Guidelines on consent under Regulation 2016/679. Retrieved from file:///C:/Users/User01/Downloads/20180416_Article29WPGuidelinesonConsent_publishpdf.pdf.
Data Protection Commissioner. (2018, May). Data Protection Investigation in the Hospitals Sector. Retrieved from: https://www.dataprotection.ie/sites/default/files/uploads/2018-12/DPC%20-%20Hospitals%20Sector%20Overall%20Report%20_0.pdf.
Information Commissioner’s Office. (n.d.). General Data Protection Regulation (GDPR) FAQs for small health sector bodies. Retrieved from https://ico.org.uk/for-organisations/in-your-sector/health/health-gdpr-faqs/.
Koninklijke Nederlandsche Maatschappij tot bevordering der Geneeskunst. (2018). Antwoord op uw vragen over de nieuwe privacyregels AVG. Retrieved from https://www.knmg.nl/actualiteit-opinie/nieuws/nieuwsbericht/antwoord-op-uw-vragen-over-de-nieuwe-privacyregels-avg.htm.
Royal college of physicians of Ireland. (2019). General Data Protection Regulation and Medical Practice. Retrieved from https://rcpi-live-cdn.s3.amazonaws.com/wp-content/uploads/2019/03/GDPR-Guidance-Document-March-2019.pdf.