One of the key components in the new General Data Protection Regulation (GDPR), as we have already mentioned, is the consent of the persons concerned as a way to legitimise how their personal data is processed.
One area in which informed consent takes special importance is health as they work not only with standard personal data, but also with what is known as sensitive information.
In the following post we will address data protection in the health sector and how health professionals can comply with the GDPR.
This post is also available in Spanish.
Table of contents
The GDPR affects all professionals working in the health sector and its proper application is even more important than in other areas as the type of data processed is especially sensitive, health data.
The Regulation defines personal data related to health as data “related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status” (article 4.15)
The new aspect of this definition is that now information and data related to the provision of health care services which reveals information on the person’s health status is also included as health data.
Due to the importance that this type of data may have for the privacy of the person concerned, the GDPR grants greater protection to this type of data. This means that a series of additional conditions needs to be met when processing this data.
The legal requirements that data controllers should formalise in order to comply with this regulation would be:
Centres that have not yet modified their consent clauses to the requirements that are now required should rethink their protocol for obtaining patient consent.
Aside from consent, the legislation only allows to process data under this special category when it applies to some of the following circumstances:
- When the processing is needed to protect the vital interests of the person concerned or another physical person in case the person concerned is not able to give their consent.
- When the processing is needed for preventative medicine or work purposes, work capacity assessment of the worker, medical diagnosis, provision of health or social care or treatment, or managing the health and social care systems and services under a contract with a health professional.
- When the treatment is needed for reasons of public interest in the area of public health.
With the GDPR the level of information that all users should receive from those responsible for processing their data increases. In this respect, the information provided should contain the following details as a minimum:
• The contact details of the Data Protection Officer when they are appointed.
• The legal base or legitimacy for processing.
• The period or criteria for storing information.
• The existence of automated decisions or profiling.
• The expected transfers to third countries.
• The right to file a complaint to the Control Authority.
We recommend that the information required by the new regulation is incorporated as soon as possible to what is currently provided, adding it progressively.
The incorporation of a Data Protection Officer is obligatory for those responsible or in charge that have, among their main activities, to process a large amount of sensitive data, as well as for public administrations, among others, which is why public hospitals should appoint this officer from May 2018 onwards.
The Data Protection Officer should have autonomy in carrying out their duties, which can be done full or part time, and as long as there is no conflict of interest in the latter case.
The new regulation no longer establishes security measures by levels but applies measures according to the risk that may occur when processing the data.
On this basis, the level of risk is enormous in the case of processing health data. Therefore, organisational and security measures must be designed according to this risk.
Within the active responsibility measures required by the GDPR is the Impact Assessment, whose concept is detailed in article 35. It is obligatory for high risk processing, which includes health data.
The hospital centre responsible for processing data should complete the Impact Assessment, which is therefore responsible for the assessment before processing, although it must be assessed by the Data Protection Officer.
The Impact Assessment analyses the risk and aims to allow those responsible for processing the data to take the correct measures to reduce these risks (minimise the probability of their materialisation and negative consequences for the persons concerned).
Those responsible and in charge are obligated (always in the cases of processing health, genetic or biometric data) to keep a register of the processing activities made.
This register must contain at least the following:
- Identification and contact details of the person responsible, the co-responsible, the representative and data protection officer.
- Purposes of the processing.
- Description of categories of the persons concerned and data.
- Categories of existing or expected recipients (including in third countries or international organisations).
- International data transfers and guarantee documentation for international data transfers except on the basis of compelling legitimate interests.
Often data is communicated between entities in order for the best treatment for the patient. In these cases, the person concerned should be aware of this, as it will be them who allows this transmission.
The data controller must comply with certain requirements:
- In a written contract define the data processing regulation on behalf of a third party.
- Establish that this third party, the data will only be processed according to their instructions.
- Check that the data will not be used for purposes different to those established in the contract or communicated to other people.
- The third party must comply with the same security measures that the data controller complies with.
The only exception to this consent is established in the case in which the communication of the data is aimed at prevention, diagnosis and health care of those affected to which they refer.
In the specific and exceptional case of mutual insurers and insurance companies, medical data can be communicated according to the principle of quality and only in order to produce the invoice for healthcare spending.
That is, only those that are adequate, relevant and not excessive to determine the amount of the health care and meeting article 24 of GDPR, there will have to be a data recipient contract between the Insurer and the Health Centre or Private Professional.
Although the GDPR introduces some important new additions, some analysts believe that its impact will not be as burdensome as you first may think. Even so, organisations that process health data will have to review their current policies, procedures and practices at length in order to comply.
If you have any questions concerning how to obtain your clients’ consent for collecting and processing their data, you can download the guide which you will find below where we explain, in greater detail, our specifically designed technological solutions in order to comply with this Regulation. If you prefer you can get in touch with us by email firstname.lastname@example.org or by calling us on 93 551 14 80.
This post is also available in Spanish.