Sensitive data and medical confidentiality
Processing sensitive data
In principle, processing of sensitive data is prohibited, unless one of the exemptions mentioned in Article 9 GDPR applies and suitable safeguards, so as to protect the data, are put in place. Suitable safeguards include for example pseudonymisation (replacing the most identifying fields in a data record) and encryption (encoding the data in such a way that only authorised parties can access it) (see Article 32 GDPR). Derogating from the prohibition to process special categories of personal data, including health data, is allowed when for example:
- explicit consent was given by the data subject;
- processing is necessary to protect the vital interests of a person if this person is (physically or legally) incapable of giving consent (for example in emergency situations or with minors);
- processing is necessary in order to provide healthcare if the data is processed by or under the responsibility of a professional subject to the obligation of professional secrecy.
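The paragraph above names pseudonymisation as a safeguard: the most identifying fields of a record are replaced so that the remaining data cannot be attributed to a person without additional information held separately. The following is an added example, not part of the course material; it pseudonymises a constructed patient record with a keyed HMAC, so that the same patient yields the same token across extracts (records can still be linked for care or research) while the clinical fields stay usable. The record, the field list and the key are all invented for illustration.

```python
import hmac
import hashlib

# Fields the controller treats as directly identifying (assumption for this
# example); only these are replaced, the clinical content is left intact.
IDENTIFYING_FIELDS = ("name", "national_id", "date_of_birth")


def pseudonymise(record: dict, key: bytes) -> dict:
    """Return a copy of `record` with identifying fields replaced by keyed tokens.

    The token is HMAC-SHA256 over "<field>:<value>" under a secret key. Including
    the field name means the same value appearing in two different fields does not
    produce the same token. Without the key, a token cannot be inverted or
    recomputed from guessed values, which is what distinguishes this from a plain
    unsalted hash of a national ID or a date of birth.
    """
    out = dict(record)
    for field in IDENTIFYING_FIELDS:
        if field in out and out[field] is not None:
            msg = f"{field}:{out[field]}".encode("utf-8")
            out[field] = hmac.new(key, msg, hashlib.sha256).hexdigest()[:24]
    return out


def same_patient(pseudo_a: dict, pseudo_b: dict) -> bool:
    """Link two pseudonymised records if every identifying token matches.

    Linkage works on the tokens alone, so a research team can join extracts
    without ever holding the real identifiers.
    """
    return all(pseudo_a.get(f) == pseudo_b.get(f) for f in IDENTIFYING_FIELDS)


# Constructed sample data: not a real person, not a real key. In a real system the
# key lives in a key store with its own access control, separate from the data.
PSEUDONYMISATION_KEY = b"example-key-kept-separately-from-the-records"

SAMPLE_RECORD = {
    "name": "Jane Example",
    "national_id": "EX-000-111-222",
    "date_of_birth": "1980-01-31",
    "diagnosis": "Type 2 diabetes mellitus",
    "hba1c_mmol_per_mol": 58,
}

if __name__ == "__main__":
    pseudo = pseudonymise(SAMPLE_RECORD, PSEUDONYMISATION_KEY)
    for field, value in pseudo.items():
        print(f"{field:20s} {value}")
```

Two points a practitioner should keep in view. First, pseudonymised data is still personal data under the GDPR (Recital 26) because the controller can re-identify it with the key, so the Article 9 prohibition and Article 32 safeguards continue to apply; only the risk of a data leak is reduced. Second, the protection rests entirely on the key being stored and access-controlled separately from the records; a leaked key turns every token back into a value that can be confirmed by recomputation.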
Ethical and legal obligations
While the obligation has existed for far longer, the duty of confidentiality was first put in writing by the World Medical Association (WMA) in 1948 in the WMA Declaration of Geneva. The Declaration is part of the internationally recognised ethical codes of conduct, guidelines and duties for medical professionals. In this Declaration all members of the medical profession promise to respect the secrets confided in them, even after a patient's death. Confidentiality and privacy are related principles, both protecting the patient from disclosure of medical records. While confidentiality is generally considered an ethical rule for medical professionals and privacy a legal issue, many countries have also codified medical confidentiality within national laws or common law principles, meaning that medical information may not be disclosed without the consent of the patient. Healthcare providers are thus generally bound by law to the duty of confidentiality and privacy. You will find out more about the obligations for healthcare providers in the next video.
Protecting Health Data in the Modern Age: Getting to Grips with the GDPR