This post is also available in: Español
With the health crisis and the COVID-19 pandemic still on the table, on June 2, the Spanish Data Protection Agency (“AEPD”) published an ex officio inspection plan that affects social and health care centers (you can find the AEPD’s press release here).
It must be borne in mind that the ex officio inspections of the AEPD are preventive rather than sanctioning proceedings, since they purport to (i) obtain an overall view of a sector, (ii) detect deficiencies and areas of risk, (iii) draw the main conclusions, and (iv) propose improvements or make recommendations based on their general findings.
The plan is aimed at public bodies, companies and institutions that own social and health care centers. The AEPD has included any “simultaneous, intensive, continuous and synergetic provision of social and health care services” under this concept, such as medium-stay hospitals, care centers or complexes, nursing homes, recovery health care services, hospice care, rehabilitation, care of the elderly with illnesses or dependents, mental health care and long-term health care.
Regular hospitals and health facilities, which are only health care centers, and nursing homes, which are social centers, are excluded. However, many recommendations may also be valid and applicable to them.
The most important recommendations are the following:
- The AEPD reminds us that most of the information processed by these centers falls under special categories for health-related data, and that they must, therefore, adopt specific guarantees, apply appropriate measures to protect rights (e.g., data processing must be carried out by professionals subject to professional secrecy or under their responsibility) and observe the principle of data minimization.
- They discourage the use of “information islands” or fragmenting information in different locations because of the potential risks, namely (i) inconsistency or failure to update, (ii) integrity and availability, and (iii) security. Against this trend, they suggest complete digitalization of all social and health records and reducing the use of paper, which still prevails at many centers. Until all health records are converted to digital format, a procedure should be put in place for managing paper-based documentation that includes access logs, and security measures for storage systems should be implemented (e.g., video surveillance, alarms and locks).
- Provide professionals with information and training to avoid unauthorized access when they have these records, including the establishment of clean desk policies.
- Implement a secure documentation destruction procedure, using closed containers or paper shredders.
- Given that sharing information among professionals is essential for providing this type of service, the AEPD recommends (i) creating a document that establishes general guidelines or rules for data sharing, and (ii) creating more restrictive and differentiated access profiles, clearly documenting these criteria and analyzing what information should and should not be shared.
- Reinforce and supplement the duty of professional secrecy of professionals, with an indefinite confidentiality commitment, written in terms of maximum limits, and including express prohibitions, such as being prohibited from accessing data that are not necessary.
- Place simple, up-to-date and easy-to-read information posters in access areas of the centers, as well as information keys on data collection forms, as a first layer.
- Inform interested parties when the data are being collected and not when they are being admitted or later.
- Ask the interested party to sign the information document and hand out with a copy.
- Identify each legal basis for each processing of personal data.
- Consent should only be used for incidental processing, such as advertising or use of images, or in general to provide information to family members and third parties, e.g., for medical research, meeting different requirements in each case. Consent must therefore be given when providing information on the stay, location or medical condition of a user at the request of family members, except in cases of life-threatening emergency, or if the presence of family members or other related persons could be essential for the proper care of the user, provided the patient has not objected, without indicating any special data categories or the care provided.
- Particular care should be taken in selecting data processors and any data processing agreements that include confidentiality commitments attached to the agreement must be signed. These agreements should avoid general wording and be specific for each type of service.
- Recommendations are also given with regard to security and sending information by email or other communication networks.
In addition to these recommendations, the AEPD has taken this opportunity to include a list of ten best practices in the inspection plan, summarizing the various recommendations and including a section at the end of frequently asked questions on specific matters.
By:Alejandro Negro and Adaya Esteban
This post is also available in: Español