Health: When data protection demands special attention

The sensitive nature of health data demands a specific assessment of the impact of the new General Data Protection Regulation. An analysis by Cláudia Monge, lawyer and partner at BAS – Sociedade de Advogados, recently published in specialised media.

The General Data Protection Regulation, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (the Regulation), now provides something that Directive 95/46/EC of 24 October 1995 did not: a definition of ‘health data’. It defines ‘health data’ as ‘personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status’.

According to the Regulation, the person responsible for the processing of personal data shall adopt technical and organisational measures appropriate to the nature of the data, the scope, context and purposes of the processing, and the risks to the rights and freedoms of natural persons, taking into account the likelihood and severity of those risks. Given the sensitive nature of health data, it is therefore essential, and especially important, to carry out a thorough risk assessment prior to the processing.

Since health data is a special category of data, in accordance with Article 9, no. 1 of the Regulation, reference must be made to the prior data protection impact assessment provided for in Article 35, no. 1, paragraph b) of the Regulation, which applies ‘in the case of: (…) (b) processing on a large scale of special categories of data referred to in Article 9, no. 1 (…)’. Large-scale processing operations, as set out in Recital (91) of the Regulation, should be regarded as ‘those which aim to process a considerable amount of personal data at regional, national or supranational level, which could affect a large number of data subjects and are likely to result in a high risk, for example, on account of their sensitivity, where a new technology is used on a large scale in line with the achieved state of technological knowledge, as well as other processing operations which result in a high risk to the rights and freedoms of data subjects, in particular where those operations render it more difficult for data subjects to exercise their rights’.

It is recommended that an assessment be carried out prior to the processing of health data, even in cases where such an assessment is not a legal requirement. The assessment allows the risks to be identified and, consistently with them, the appropriate measures to prevent or mitigate them. The identification of such security measures is always a legal obligation of the person responsible for the processing, both under the Regulation and under the Personal Data Protection Act (LPDP), Law No. 67/98, of October 26, which transposed the aforementioned Directive 95/46/EC into Portuguese law.

Article 14 of the LPDP states that ‘the responsible person must implement appropriate technical and organisational measures to protect personal data’ and that ‘these measures must ensure (…) a level of security appropriate to the risks presented by the processing and the nature of the data to be protected’. The determination of the appropriate level of security depends on the assessment. It is our understanding that even where the particular situation does not fall within the cases in which the law requires the assessment to be carried out, that assessment should still be performed.

In light of Article 15 of the LPDP, concerning the processing of health data, data processors are required to take appropriate measures to ensure control of: access to the premises, data media, data entry, data usage, access, transmission, a posteriori entry, and transport.

In the processing of health data, it is therefore recommended that a case-by-case impact assessment always be carried out. In the specific case of health data processing, this makes it possible to: a) determine the best solution according to the legitimate purpose to be pursued, the nature of the data, the conditions of the internal organisation, the means available and the attainable security measures; b) determine which security measures to implement and the terms of their implementation; c) determine the actions needed to update the measures, audit and inspect them, and adopt corrective measures.

The prior assessment is therefore both a good management tool and a safeguard that helps ensure compliance with the regulatory framework for the protection of personal data.

The original article was published in Advogar.