Data retention

Apart from anonymisation, another important safeguard is data retention. Data retention means that personal data cannot be kept longer than necessary for the purpose for which it was processed. It is one of the main principles relating to the processing of personal data (Article 5 (1, e GDPR). Considering that data retention is a general principle, it applies to both data controllers and data processors.

In Anna’s case there are two situations in which data retention comes into play. First, she uses different apps and websites to monitor her health. For example, we saw her using a running app and we saw her searching for information online on what to expect when you’re expecting. These data controllers work with privacy policies, which Anna has to agree with before she can use the apps. In the first week, we saw that these policies are sometimes hard to understand and not always easy to read. The duration of data retention depends on the purpose for which the personal data was originally collected, meaning that it is important that this purpose is clear to the data subject.

The second situation in which data retention becomes relevant, is when Anna’s personal data is used by her GP and gynaecologists to develop a treatment plan. We heard the information security officer of Anna’s hospital explain that in the Netherland there is a legal obligation to keep the data safe for 15 years. However, if it is necessary for treatment purposes, health data can be stored for longer than 15 years. For example, if it turns out that Anna has a genetic deviation or a chronic illness, this could be a reason to store her health data for a longer period of time.

As regards research, it might also be important to store data for a longer period of time. Practical issues such as valorisation of data and continuation of medical research, might make it important that health data used for medical research is stored for a longer period of time. If data is stored for scientific research purposes, the GDPR allows this as long as appropriate technical and organisational measures are taken to safeguard the rights and freedoms of data subjects like Anna (Article 5 and 89 GDPR).

Another important safeguard the GDPR offers to data subject is the designation of a Data Protection Officer (DPO) (Article 37 GDPR). The GDPR requires that in certain cases, including when sensitive data is processed on a large scale, a DPO needs to be designated. Large healthcare institutions, such as Anna’s hospital thus need to appoint a DPO considering that they process health data on a large scale. In the next step you will hear from the DPO of Anna’s hospital to find out what her tasks are.