This post is also available in: Español
The Catalan Data Protection Authority (APDCAT) has recently published the “Patients and Health Service Users Data Protection Guidelines” to offer patients and users clear and simple information on how health care data are processed. During the current COVID-19 pandemic, health data processing has become a hot topic, so these Guidelines are particularly significant. Health data are a special category of personal data (article 9 of the GDPR), and patients are considered a vulnerable group in terms of data processing, so safeguarding data subjects’ rights, and informing them of those rights, is essential.
The Guidelines comprehensively address the general aspects of data protection in health care. Below are the most relevant issues:
The medical history is the set of documents on the medical care process of a patient, which includes information on their past, present, and future health status.
- The medical center, doctor, mutual insurance company and other relevant parties are the controllers of the data recorded in the medical history and must hold, store, and protect the information. However, the personal data always belong to the patient.
- The medical history can be used for the duration of the health care given to the patient. Separately, different retention periods are set for the personal data contained in it (five or fifteen years, or even longer), after which the information and documents must be securely destroyed.
- When a center or health care professional ceases activity, continued access to the medical histories it holds must be ensured.
Patients’ rights on their personal data:
Patients have the rights that the GDPR grants any data subject in respect of their medical data: the rights of information, access, rectification, erasure, objection, portability, and restriction of processing. In the Guidelines, the APDCAT highlights certain aspects to take into account in the specific context of the health care sector.
- Patients are entitled to be informed about the processing of their personal data. It is not necessary to inform the patient on each visit if the corresponding information was given at the first one and the purpose, the data controller and the other circumstances of the processing have not changed.
- Distinction must be made between informed consent and the right to information envisaged in the data protection regulations. While the former refers to obtaining the patient’s consent to undergo different medical procedures, the latter refers to the right of all patients to be informed of how their personal data are processed. Regardless of the consent given to undergo medical treatment and the legitimate basis justifying the data processing, it must be explained to the patient how their data will be used.
- Patients are entitled to access their medical history at any time and to obtain a copy of the data and documents in it. When information about a patient’s health is held in another person’s medical history, it is also possible to access that information (for example, information on a child recorded in the mother’s medical history).
- Some information may be excluded from the right of access to the medical history in the interest of the patient or third parties. For example, the patient’s access to subjective notes that the doctor has included in the history can be restricted, and restrictions can be applied when there is a therapeutic need.
- Everyone is entitled to request rectification of inaccurate data and, in certain cases, erasure of information or of a specific personal datum. However, in health care, before deleting or modifying medical or health care data, centers must analyze the circumstances of each case from the perspective of medical criteria and therapeutic interest.
- The data subject is entitled to receive the personal data they have provided to a controller and to transmit them to another controller when the processing is based on consent or on the performance of a contract and is carried out by automated means (right to data portability, article 20 of the GDPR). However, this right does not apply to data obtained by public health care centers and services when providing health care, as that processing is based on a task carried out in the public interest.
- Patients can exercise their right to object and request that their data not be used for certain processing operations and that only the health care professionals at their care center have access to their data. In this case, the data controller must end the processing unless it demonstrates compelling legitimate grounds that override the patient’s interests.
Confidentiality of the patient’s data:
The personal data that a patient communicates in the context of health care are confidential and the health care professionals treating them must maintain that confidentiality and not disclose the information to other people or entities. Health care professionals are bound by professional secrecy, an obligation they can only break in specific legal cases (for example, when the duty to report arises).
The regulations allow health data to be communicated to the people linked to the patient and accompanying them in the care process, unless the patient objects.
Legitimate basis for data processing:
The legal basis for obtaining and processing health data can be the patient’s express consent or another lawful basis listed in article 6 of the GDPR. In particular, the care provided in public health centers is a public interest activity, so the data can be processed without the need to obtain consent.
Furthermore, because health data are a special category of personal data, one of the conditions established in article 9.2 of the GDPR must also be met.
The purposes of the processing:
The Guidelines list the purposes for which personal data are processed in health care: (i) care; (ii) administration and service management; (iii) epidemiological and public health purposes; (iv) health inspection; (v) health research; and (vi) teaching.
Regarding processing for epidemiological or public health purposes, particularly relevant right now, the APDCAT states that:
- Identifying the affected patients must be avoided unless it is necessary to prevent danger to public health or when patients have agreed.
- When health care professionals detect cases related to notifiable diseases or epidemic outbreaks, there is an obligation to communicate it to the health care authorities. Authorities can also lawfully process people’s health data, even without their consent, when it is necessary for reasons of public interest.
- Using apps or websites to obtain and process people’s data to control pandemics is appropriate, provided these instruments fulfill the data protection regulations and offer sufficient guarantees to safeguard rights.
In the context of data processing for care purposes, the Guidelines mention the use of artificial intelligence (AI) for medical diagnosis, recognizing that the use of this technology is increasingly common in health care. Given that AI entails extensive processing of personal data, anonymization and the principle of data minimization (article 5 of the GDPR) are essential.
You can find more information on the APDCAT’s Guidelines here.
Author: Ainhoa Rey