General legal aspects with regards to personal data
According to Article 8 of the Charter of Fundamental Rights of the European Union (the Charter), everyone has the right to data protection. This means that personal data has to be processed fairly, for a specific purpose and based on consent or on a legal basis. The right to data protection was further developed by the EU in Directive 95/46/EC, which will be replaced on 25 May 2018 by the General Data Protection Regulation (GDPR).
The right to data protection as such is thus a fundamental right, which is why Article 1 of the GDPR determines that the GDPR protects the fundamental rights and freedoms of persons, in particular their right to data protection. According to Article 2, the GDPR applies to all processing of personal data, be it automated (for example via computers) or non-automated (for example via offline filing systems), and it applies regardless of whether the processing itself takes place within the EU (Article 3 GDPR).
Processing personal data
But what exactly is processing of personal data? The definitions provided by Article 4 GDPR are very broad, meaning that basically any action performed on any information which can identify a person is processing of personal data. This means that if a healthcare provider consults with a patient and enters the patient’s information in a patient file, this is processing of personal data. The data which can identify the patient, such as address, date of birth, medical history and insurance information, are all personal data. The patient in this case is the identifiable person, also referred to as the data subject: the person whose rights the GDPR protects when their data is processed by a controller or processor. The controller is the party who determines what data is collected, how this data is collected and for which purpose. This can be a General Practitioner (GP), a hospital, a pharmacy or any other party who collects data.
If data is collected by a GP or a hospital, the purpose of data processing is to provide healthcare. The way in which data is collected, for example a consultation with a patient or filling out an (online) form, is the means of data processing. Sometimes data is processed on behalf of a controller by a processor. The processor never determines the purpose and means of data processing; it is the party who processes the data collected by the controller on behalf of and under the instructions of the controller. This can be, for example, a cloud service provider who hosts the medical files for a GP. Processing by a processor needs to be governed by a contract.
Principles of data processing
Controllers and processors really need to think about their processing activities and take into account the risks to the rights and freedoms of persons. When processing personal data, controllers and processors need to abide by 6 principles (Article 5 GDPR):
- Lawfulness, fairness and transparency of processing;
- Purpose limitation, meaning that personal data needs to be collected for a specified, explicit and legitimate purpose (a doctor, for example, does not need to know a patient’s bank account number);
- The collected data needs to be adequate, relevant and limited to what is necessary in relation to the purpose of processing (if the purpose is, for example, providing healthcare, then only the data necessary for providing healthcare may be processed). This is also referred to as data minimisation;
- Accuracy means that the data needs to be accurate and kept up to date, which is especially relevant as regards health data, considering that a patient’s medical treatment may require constant adjustments depending on how the patient responds to the treatment. This means that the information in a patient’s file needs to be accurate and up to date;
- Personal data may not be kept longer than necessary for the purpose of processing, also referred to as storage limitation. Thus, in principle, when the medical treatment has ended, so should the data processing. However, in healthcare a patient’s medical history is generally also very important for (future) treatment purposes. This means that a patient file may be stored for a longer period of time, as long as the healthcare provider has taken appropriate technical and organisational measures to protect the data;
- Integrity and confidentiality of processing means that an organisation needs to ensure the security of the data by taking appropriate technical and organisational measures to protect it against unauthorised or unlawful processing, accidental loss, destruction or damage. Hospitals, for example, often have Information Security Officers on staff who think about these issues and take the appropriate measures. For example, not all hospital staff need access to patient treatment information. Administrative personnel may need a patient’s address to send them information about an appointment, but for this they don’t need access to the actual medical file; such access would be unauthorised. The Information Security Officer will make sure that technical measures are put in place to prevent this from happening.
Legal grounds for processing
As regards lawfulness of processing, the GDPR determines that there are 6 legal grounds for processing:
- Consent given by the data subject;
- Processing is necessary for the performance of a contract (this also includes implicit or explicit contracts for medical treatment);
- Processing is necessary for compliance with a legal obligation;
- Processing is necessary to protect the vital interests of persons (for example in emergency situations);
- Processing is necessary for the performance of a task of public interest or in exercise of official authority;
- Processing is necessary for a legitimate interest.
Processing is considered to be unlawful if none of these grounds applies. Consent, performance of a contract and vital interests in particular apply to the processing of health data.
If there is a legal ground for data processing and the principles have been taken into account, the controller and processor can process the data. But there are still many rights and obligations for controllers and processors which need to be taken into account. Controllers and processors need to think about their processing operations and how best to implement appropriate technical and organisational measures (Article 24 GDPR), including data protection by design and by default (Article 25 GDPR), and how best to demonstrate compliance, i.e. demonstrate that they have taken such measures in order to comply with the GDPR.
These legal aspects will be discussed in more detail throughout this course. If you want to know more about the GDPR in general you can also follow the University of Groningen’s MOOC “Understanding the GDPR”.
© University of Groningen