Health data: new Council of Europe guidelines

Lawyer Vincenzo Colarocco

The Council of Europe, with a recommendation adopted on 27 March (hereinafter referred to as the “Recommendation”), has provided a set of guidelines for the Member States with the aim of guiding them in the proper processing of health data.

The clear intention of the above European body is to ensure, in law and in practice, that the processing of such special categories of data under Article 9 of EU Regulation 679/2016 (“GDPR” or “Regulation”) is implemented in full respect of human rights, at a historical moment when the use of new technologies is increasing rapidly[1]. This premise implies the need to set up the processing in line with the cornerstones of the Regulation: privacy by design and privacy by default, as regulated by art. 32 of the GDPR. Therefore, the technical and organisational measures to be implemented should be incorporated from the design phase of any system that processes health data. In addition, in order to further implement these principles, the Recommendation specifies that compliance with these provisions should be regularly reviewed throughout the entire life cycle of the processing, and that the Controller must carry out, before starting the processing and at regular intervals, an assessment of the potential impact in terms of data protection and respect for privacy, including an evaluation of the measures to mitigate the risk.

The Recommendation also sets out some interesting clarifications on the legal basis that could legitimise the processing of health data. Having established that the basis of such processing is the informed consent of the data subject (according to Art. 9 of the GDPR), the Recommendation also provides, alternatively, two further circumstances which would appear to dispense with the prior collection of consent:

  1. when the processing is necessary for the performance of a contract concluded by the data subject with a health care professional subject to conditions defined by law, including the obligation of secrecy;
  2. when such data have been made public by the data subject himself.

With reference to the storage period (“retention”) to be applied to the category of health data, the Recommendation provides that, if adequate security measures are in place, the retention may be extended[2] when processing is envisaged for archiving purposes in the public interest, for scientific or historical purposes or, again, for research and statistics. In this latter case, the data should, in principle, be rendered anonymous as soon as the research, archiving or statistical studies allow; if this is not possible, pseudonymisation could be used to safeguard the fundamental rights and freedoms of the data subjects.

In conclusion, it is clear that the Recommendation follows the requirements of the GDPR almost to the letter; nonetheless, the importance and relevance of these provisions must be stressed in light of increasing digitisation, which necessarily also involves the processing of personal data. This phenomenon evidently leads to an improvement in medical and patient care, but inevitably causes an exponential increase in the amount of health data subject to processing operations and, as a result, makes it necessary to apply legal and technical measures that allow effective protection of each individual.

[1] The Recommendation also outlines indications regarding the processing of health data collected through mobile devices which, whether implanted in the individual or not, may reveal information about his or her physical or mental state, or which concern health care and social care benefits.

[2] That is, beyond the storage periods strictly necessary for the purpose of patient care.