General Data Protection Regulation and Health Data

Cláudia Monge seeks, in this text, to answer the question “What should be understood by health data?” given that health data is part of a special category of data.


Health data is part of a special category of data in accordance with Article 9 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April on the protection of individuals with regard to the processing of personal data and the free movement of such data and repealing Directive 95/46/EC (hereafter General Data Protection Regulation or Regulation).

Paragraph 4 of article 9 of the Regulation allows Member States to maintain or introduce ‘further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health’.

In order to identify the specific rules to be observed in the processing of health data and clinical information, and the procedures to be adopted in the light of the General Data Protection Regulation, it is first necessary to answer the question: What should be understood by health data?

Unlike Directive 95/46/EC of 24 October 1995, which established the rules for the protection of individuals with regard to the processing of personal data and the free movement of such data, the Regulation provides a concept of ‘health data’: personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status (see no. 15 of Article 4 of the Regulation). The definition of “health information” in article 2 of Law no. 12/2005, of January 26, is in conformity with this definition.


Processing sensitive data

Health data are sensitive personal data subject to a special protection regime. The need to protect the confidentiality of health data requires the adoption of adequate safety measures.

This need is all the more important when one recognizes the advantages of health data processing. The benefits that the processing of health data generates for the data subjects themselves and for the general population require that this processing, if it is to be carried out, be accompanied by measures capable of providing security while respecting the confidentiality of health data.

Organized and up-to-date health information accessible by the individual and those directly assisting him in the provision of health care is essential for his own decision-making regarding his health status and for the protection by health care providers of the individual health of their patients. It may also be an essential vector for the protection of public health, as recognized in the Regulation.

The development of eHealth or online health care corresponds to a policy of promoting access and quality in health care delivery. Information and communication technologies applied to health care and health care systems can increase their efficiency, improve quality of life and stimulate innovation in health care[i]. For this to happen, the data owners must have confidence in the systems, and this confidence depends on health care providers and their subcontractors adopting practices for the processing of health data that are safe and in line with the new Regulation.


Protective measures

The European Union Agency for Network and Information Security (ENISA) has identified particular security challenges in the development of eHealth that arise because of the high privacy and confidentiality requirements that sensitive health information gives rise to. The main challenges identified by ENISA relate to the following issues: system availability, failure of interoperability, access control and authentication, data integrity, network security, security and prevention practices, data loss, standardization, compliance and trust, cross-border incidents, incident management[1].

Measures should also be taken to safeguard against situations where the service is unavailable and the data is breached, as well as to ensure compliance with the rules for the secure elimination of patient data. It is incumbent upon those responsible for the databases to comply with the regime for the protection of personal data, in particular health data.


A matter of trust

Only security in the protection of sensitive personal data will allow the flow of data to operate where necessary with the confidence of the data subjects and, as the European Council acknowledges, ‘confidence is a necessary precondition for innovative products and services that depend on the processing of personal data’[2].

Public health and public health operators should therefore prepare for the full applicability of the Regulation on 25 May 2018 and ‘adjust to the new rules’[3].

Some measures should, according to the new Regulation, be implemented, such as the pseudonymisation of personal data and, when the processing of health data as a special category of data takes place on a large scale, the data protection impact assessment and the designation of the person in charge of data protection. Others have already been proposed and must be renewed, revised or reinforced, such as the training and qualification of human resources, audits, a culture of responsibility and obligation of secrecy, segregation of discrete software, and distinct access profiles according to the nature of the data: personal data (such as administrative identification data) and sensitive personal data (such as health data).

The new Regulation also provides, in relation to health data, an opportunity to ensure greater protection and an opportunity ‘to develop products that respect privacy and data protection and to build a new relationship … based on transparency and trust’[4].



[1] See Security and Resilience in eHealth – Security Challenges and Risks, December 2015, pp. 23 ff.

[2] Cf. Opinion No 3/2015, Europe’s Great Opportunity, EDPS Recommendations on the EU’s options for data protection reform, European Data Protection Supervisor, 28 July 2015, page 11.

[3] Cf. in this connection the recent Communication from the Commission to the European Parliament and the Council, Greater protection, new opportunities – Commission guidelines on the direct application of the General Data Protection Regulation from 25 May 2018, p. 13.

[4] Ibid.

[i] Cf. Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions of 06.12.2012, e-Health Action Plan 2012-2020 – Innovative health care for the 21st century.
