Obligations for sensitive data

You have seen that Anna required medical attention and we followed her to her General Practitioner (GP) and to the hospital. We also saw Anna using a lot of apps. The GP and the hospital process Anna’s health data and certain apps might also process Anna’s health and fitness data. This data can reveal a lot about Anna and therefore needs to be protected. Moreover, health data is a special category of data also referred to as sensitive data which requires additional protection.

Processing health data

The GDPR determines that processing data concerning health is prohibited, unless processing is carried out for the provision of healthcare by or under the responsibility of a healthcare professional who is subject to professional secrecy, if it is necessary to protect the data subjects’ vital interest or if the data subject has given explicit consent. This means that Anna’s GP and gynaecologist may process her data because they provide her with healthcare and both took an oath of confidentiality not to reveal any information about her as a patient. If her GP stores his medical files in a cloud, the company hosting the cloud becomes the processor. The GP needs to conclude a contract with this company in which they establish the instructions for the processor, matters of confidentiality, security measures, appropriate technical and organisational measures and any other matters which demonstrate compliance to the GDPR (see Article 28). Any other organisation or company who wants to process Anna’s health data needs to have her explicit consent. Meaning that if an app company wants to process Anna’s health data, they need to ask Anna for permission to do so.

When processing personal data, controllers and processors need to abide by a number of principles, including lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, integrity and confidentiality. This means that Anna’s healthcare providers for example need to keep the information in her patient file accurate and up to date and rectify any information if necessary. The app company should for example process only the information that is necessary to make the app functional. A running app can keep track of her running data, but does not need to know that she is pregnant and is receiving medical attention. Both the healthcare providers and the app company need to make sure that the processing is lawful. The legal basis for healthcare providers can be a contract with Anna. This contract can be explicit (signing a legal document) or implicit (the very fact that she goes her doctor already implies that she agrees to a contract). Healthcare provider are then allowed to process her data based on the exemption in Article 9 (2, h and 3). The app company needs Anna’s explicit consent based on Articles 6, 7 and 9(2, a) to process her health data.

Responsibilities and obligations

Both controllers and processors have responsibilities and obligations. They need to think through their processing activities, take appropriate technical and organisational measures as well as security measures to demonstrate compliance with the GDPR. This includes for example privacy policies and protocols, privacy by design and by default, pseudonymisation and encryption, access control and any other measures and safeguards to protect the data as relevant to that particular organisation or company. In certain cases an organisation or company needs to carry out a Data Protection Impact Assessment (DPIA) based on Article 35 GDPR and appoint a Data Protection Officer (DPO) based on Article 37. A DPIA needs to be carried out in particular when using new technologies. If the core activities of the controller or processor consists of processing health data on a large scale (such as hospitals), a DPO needs to be appointed. The controller furthermore needs to keep records of processing activities, which include information about the controller, the purpose of processing, description of categories of data subjects and categories of personal data, information about sharing or transferring data, etc. (Article 30). Health data is often shared and transferred between healthcare providers. Safeguards need to be put in place in order to protect the security of data (this will be further discussed in more detail in the next activity). The national supervisory authority monitors whether an organisation or company complies with the rules of the GDPR. When asked to do so, an organisation or company needs to demonstrate compliance to the supervisory authority.

If, in spite of all the measures taken, it turns out that there is a data breach, the controller needs to notify the supervisory authority of that breach within 72 hours after having become aware of it (Article 33). A data breach is an intentional or unintentional release of confidential information, for example a member of staff who accidentally leaves a USB-stick with confidential information behind in a public place or a hacker who penetrates a system to gain access to confidential information. Under certain circumstance the data subjects also need to be notified of the data breach (Article 34).

Checklist for processing health data:

1. Determine whether health data is being processed;
2. Determine whether there is a legal basis for processing health data (i.e. provision of healthcare by or under the responsibility of a healthcare professional who is subject to professional secrecy, a (explicit or implicit) contract or explicit consent by the data subject);
3. Determine whether the data is processed by a processor on behalf of the controller and determine whether a contract has been closed between these parties;
4. Consider the processing activities and take into account the principles for data processing;
5. Take appropriate technical and organisational measures;
6. Take security measures;
7. Demonstrate compliance upon request (by showing privacy policies and protocols, contracts, records, etc.);
8. Determine whether a DPIA needs to be carried out;
9. Determine whether a DPO needs to be appointed;
10. Consider whether and how data is shared and transferred and if safeguards are put in place;
11. Notify the supervisory authority and data subjects (if applicable) in case of a data breach.

Other duties of organisations and companies may include to adhere to codes of conduct and certification mechanisms if these have been approved for the specific sector (Articles 40, 41, 42 and 43) and binding corporate rules (Article 47).