Health data processing is among the top issues in the ongoing global coronavirus pandemic. These issues have prompted a number of reactions from regulators. The European Commission, the EDPB and many national regulators – including the DSK – published guidance early on the use of personal data in the fight against coronavirus. This comes as no surprise. The healthcare and life sciences space has been one of the areas receiving a high level of regulatory attention from privacy watchdogs. The GDPR, which has been in force since mid 2018, places more scrutiny on these industries because health data is particularly sensitive and requires comprehensive protection.
EU Regulators and their focus on Life Sciences and Healthcare
EU Regulators have issued many statements and guidance to help with GDPR compliance when processing health data. Data protection laws are also a hot topic of debate in the current global pandemic, especially with regard to mobile device apps that may trace infected persons. This touches on the question of lawful processing of telecommunication data but can have further implications, such as issues concerning employee personal data. We have provided a comprehensive overview of the European regulators’ views on data protection and COVID-19 in an article available here. We want to highlight some further details below.
GDPR compliance in times of the COVID-19 outbreak
Authorities have stressed that it is particularly important to comply with the requirements of all data protection laws. They call for the high level of protection to be maintained across the EU, including in the current COVID-19 healthcare crisis. Regulators acknowledge the obvious considerable overlap with issues such as the lawful basis for processing, data security and data subject rights. For this reason, various governmental bodies and regulatory authorities in the EU and Germany have published guidelines for compliance with data protection regulations. Some examples:
The recent guidance stresses the importance of all elements necessary for a trustful and accountable use of apps against the coronavirus. This is particularly interesting given recent national and EU agency regulator guidance. So far, regulators have been sceptical and quite conservative in their statements around the use of mobile location and health app data. The European Commission’s guidance addresses in particular the question of national health authorities (or entities carrying out tasks in the public interest in the field of health) as data controllers, the fact that the data subject must at all times remain in control, and discusses the legal basis for processing. The level of detail of the recommendation with regard to the use of location data and other features of mobile device apps is notable.
Apart from this Coronavirus-specific guidance, there is of course plenty of other regulatory input specifically with a focus on healthcare and life sciences.
German regulator guidance on health data
Regulators in Germany have issued over 20 decisions or guidance papers on life sciences and healthcare services but there are still unanswered questions in all areas where medical or other health data is being processed. In particular, digital health services and the use of software based on Big Data and Artificial Intelligence have attracted the most attention. A recurring theme from regulators is that, despite some effort to adapt to the new regime under the GDPR, the level of data protection is lacking in this area.
GDPR compliance for app providers within hospitals and related services
Mobile health services are of particular concern to regulators. The DSK published a white paper dealing with state of the art technical and organisational measures and issued guidance which addresses the use of websites and messaging apps that process personal data. Recently, the Federal Cyber Security Authority (BSI) published guidance for security requirements for health apps.
These documents emphasise the high risk of abuse of personal data, especially when sensitive health information is used for diagnostic purposes, including for psychiatric or physical screening. The DSK recommends obtaining the express consent of patients when transferring health data to third parties and implementing security measures to minimise the risk of breaches.
In another guidance paper aimed at clinics and other hospitals, the DSK pointed out that the GDPR and additional requirements under national laws apply regardless of the size of the service provider. Doctors, pharmacists and related professions were identified in regulatory statements that addressed the appointment of a data protection officer for small medical practices. There were also numerous statements by State regulators addressing other specific questions. Finally, many regulators are calling for the use of web analytics and other tracking tools by health app providers to be subject to a prior explicit consent requirement.
Statements and guidelines by German agencies
German governmental agencies addressed the requirements to be met in terms of data protection for health service providers by way of specific guidelines. The Guidelines on the Protection of Health Data issued by the German Federal Ministry for Economic Affairs (BMWi) are particularly interesting. They aim to provide an introduction to the GDPR’s requirements for developers and suppliers of digital health products. They outline the impact of the GDPR on some key issues in specific areas, for example, automated decision-making, big data applications and the development of apps.
Enforcement and fines
In terms of enforcement, the most recent fine issued in Germany in this space concerned a patient mix-up at admission. This resulted in incorrect invoicing and revealed structural technical and organisational deficits in the hospital’s patient and privacy management.
Violations of data protection laws in the healthcare and life science sector are also being rigorously pursued in other member states. For example, the Spanish Data Protection Authority (AEPD) has imposed a fine because a data subject’s consent was to be obtained through his inactivity when filling in a form containing a checkbox at the time of his admission to hospital. In the Netherlands, the Dutch Supervisory Authority for Data Protection (AP) imposed a fine because a hospital had no proper internal security of patient records in place: dozens of hospital staff had unnecessarily checked the medical records of a well-known Dutch person. Also, the Italian Data Protection Authority (Garante) intervened because unauthorised persons, namely a trainee and a radiologist, had access to health data in a hospital.
It is not all about fines though. Regulators are increasingly “naming and shaming” as part of their enforcement strategy, realising that the threat of reputational damage can be as much of a compliance incentive as the threat of financial penalties.
What next?
The regulatory landscape is by no means complete. As the market and the technology develop, businesses will look to regulators to provide coherent and comprehensive guidance in what is, by definition, a complex space for data compliance. Beyond the COVID-19 issues lies a world of risks companies must address early on. This is of utmost importance for the successful development, distribution and use of their products and services in the life sciences and healthcare sectors. The GDPR and national laws require tackling compliance as a first step, especially due to principles such as the privacy by design requirement.
Sources:
https://ec.europa.eu/commission/presscorner/detail/en/IP_20_669
https://edpb.europa.eu/sites/edpb/files/files/news/edpb_statement_2020_processingpersonaldataandcovid-19_en.pdf
https://globaldatahub.taylorwessing.com/article/european-regulators-views-on-data-protection-and-covid-19
https://www.datenschutzkonferenz-online.de/media/en/Entschlie%C3%9Fung%20Pandemie%2003_04_2020_final.pdf
https://ec.europa.eu/commission/presscorner/detail/en/ip_20_626
https://eur-lex.europa.eu/eli/reco/2020/518/oj
https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52020XC0417(08)&from=EN
https://edpb.europa.eu/our-work-tools/our-documents/linee-guida/guidelines-042020-use-location-data-and-contact-tracing_en
https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202003_healthdatascientificresearchcovid19_en.pdf
https://edps.europa.eu/sites/edp/files/publication/20-03-25_edps_comments_concerning_covid-19_monitoring_of_spread_en.pdf
https://www.datenschutz-bayern.de/corona/arbeitgeber.html
https://www.saechsdsb.de/147-pandemie/612-pandemie-bekaempfung-nicht-ohne-datenschutz
https://www.ldi.nrw.de/mainmenu_Aktuelles/Inhalt/Corona-und-Datenschutz/Corona-und-Datenschutz.html
https://www.baden-wuerttemberg.datenschutz.de/wp-content/uploads/2020/03/FAQ-Corona.pdf
https://datenschutz-hamburg.de/pages/corona-faq
https://www.datenschutzkonferenz-online.de/media/oh/20191106_whitepaper_messenger_krankenhaus_dsk.pdf
https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2020/TR-Gesundheitsapps_150420.html
https://www.datenschutzkonferenz-online.de/media/en/20191106_entschlie%C3%9Fung_gesundheitseinrichtungen_dsk.pdf
https://www.bmwi.de/Redaktion/EN/Dossier/guidelines-on-the-protection-of-health-data.html