Hogan Lovells 2024 Election Impact and Congressional Outlook Report
The EU General Data Protection Regulation (“GDPR”) has been called the most lobbied piece of legislation in the history of the EU. Before Christmas last year, what is likely to be the final text of the GDPR emerged from the EU trilogue negotiations. Victoria Hordern, Senior Associate at Hogan Lovells, explores what the new GDPR will mean for those collecting and handling health data, and examines a number of the provisions and themes that impact the use of health data.
First things first: the GDPR is a regulation under EU law. This means that it will have direct effect in all 28 Member States of the EU. Consequently, there will be no need for EU governments to implement the GDPR locally and existing national data protection law will ultimately need to be repealed to make way for the GDPR. Additionally, the Data Protection Directive 95/46/EC (Directive) will be repealed on the day the GDPR becomes law. However, the GDPR provides a limited ability for Member States to legislate locally on certain discrete matters, including the use of health data.
Existing data protection authorities in each of the Member States will keep their supervisory role but will be given more powers. This includes a power to fine organisations (controllers and processors) up to 4% of total worldwide annual turnover for certain breaches of the GDPR. Additionally, a new European Data Protection Board (an updated version of the current Article 29 Working Party under the Directive) will play a much greater role with wider powers in ensuring the consistent application of the GDPR across the EU.
Another big change under the GDPR is that processors will be subject to direct legal obligations (although not as wide-ranging as the obligations on controllers). Processors are organisations that act as service providers and only process health data because another organisation (a controller) has engaged them to do so. Additionally, organisations that are not established in the EU but offer goods or services to individuals in the EU or monitor their behaviour will also be required to comply with the GDPR.
There is now a specific obligation on a controller or a processor to appoint a data protection officer where its core processing activities require regular and systematic monitoring of individuals on a large scale, or where its core activities consist of the processing of sensitive data on a large scale. This obligation could catch a whole range of participants in or around the healthcare industry including healthcare providers, insurance, pharmaceutical, and biotech companies, as well as technology companies.
The GDPR continues to treat health data (widely defined) as sensitive personal data – the position currently under the Directive. But the GDPR now specifically lists genetic data and biometric data as sensitive personal data and permits Member States to introduce further conditions around the processing of biometric, genetic, or health data.
As under the Directive, organisations collecting and using health data will need to be able to rely on a lawful ground – both for collecting personal data and sensitive personal data. The lawful grounds available broadly reflect the grounds under the Directive.
In many instances, those collecting health data will choose to rely on consent. However, an organisation does not have to rely on consent (as its ground for processing sensitive personal data) and can collect and use health data if the processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, provision of health or social care or treatment, management of health or social care systems and services, under a contract with a health professional or another person subject to professional secrecy under law (the ‘medical care’ ground). Additionally, consent is not required if the processing is necessary in the public interest for public health reasons (the ‘public health’ ground), or if the organisation can argue that the processing is necessary for scientific research.
If an organisation cannot rely on the medical care, public health, or scientific research grounds (and it is not an employer-employee scenario), it will have to obtain explicit consent from the individual to process health data. The requirement under the GDPR for obtaining valid consent is similar to the requirement under the Directive – consent must be a freely given, specific, informed, and unambiguous indication of an individual’s wishes. But the GDPR places the onus on the controller to demonstrate that consent was given.
Moreover, consent must be obtained in a manner distinguishable from other matters, in an easily accessible form and using clear and plain language, and individuals must be able to withdraw their consent easily. These requirements mean that controllers will need to carefully consider the wording in consent forms and the means by which consent is achieved.
Providing some comfort for those in scientific research, the GDPR recognises that it is unrealistic to require scientists to list all purposes in a consent form at the time the data is collected. Therefore, individuals should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research.
Where an organisation can argue that the processing of health data is necessary for scientific research purposes, the GDPR provides a qualified compliance framework so long as safeguards are implemented. The appropriate safeguards include technical and organisational measures to ensure data minimization, i.e. processing the minimal amount of personal data. Pseudonymisation is given as an example of the measures that could be used. An organisation that argues that data processing is for scientific research must therefore implement these safeguards in order to be able to take advantage of the qualified compliance framework.
But what amounts to scientific research? Though there is no definition in the GDPR, the recitals state that processing of personal data for scientific research purposes should be interpreted in a broad manner. This suggests that ‘scientific research’ could include a wide array of activities. Those representing the research interests of the charity, academic, and pharmaceutical communities have welcomed the position in the GDPR on scientific research. However, the GDPR does not expand on whether all health research, including research driven primarily for commercial gain, would be considered to be scientific research. The concept of scientific research is likely to be interpreted by data protection authorities in accordance with local and EU law.
Similarly to the Directive, certain information must be provided to individuals to explain the context for the use of their personal data. However, the GDPR expands the list of what individuals need to be told to include information, such as whether data will be transferred, how long it will be kept for, and information about any profiling individuals will be subject to.
Similar information must be provided to individuals by an organisation where the organisation has not collected the data directly from the individual. However, the obligation to inform individuals in such cases does not apply if providing the notice is likely to render impossible or seriously impair achieving the objectives of the scientific research. But the organisation is still required to take steps to protect the rights and freedoms of individuals.
One of the concerns expressed by the medical research community about the draft GDPR was the potentially stricter rule around further processing of health data. These concerns appear to have been allayed since the GDPR states that further processing of data for scientific research purposes is permitted so long as the framework for safeguards around scientific research is complied with. This is a significant provision and enables those engaged in scientific research to repurpose health data without having to obtain further consents from individuals.
The rules on profiling have been watered down from the stricter approach seen in early drafts of the GDPR. If an organisation decides to use health data for profiling activities then it must give affected individuals the right to opt out. The only exceptions where individuals lose their right to opt out in this case is where the individual originally consented to profiling or where the profiling is necessary for reasons of substantial public interest and, in both instances, suitable measures to safeguard the individuals’ rights and freedoms are implemented.
One of the centrepieces of the GDPR is the strengthening of individuals’ rights. Mostly the provisions reflect existing rights under the Directive although the right to data portability is new. Those organisations that can rely on the scientific research ground may be able to temper the effects of the right to erasure (i.e. the right to be forgotten) and the right to object to data processing in certain circumstances. Member State or EU law may also set out derogations from rights where these rights are likely to render impossible or seriously impair the achievements of scientific research.
Controllers will be under specific obligations to introduce data protection by design and default into their processing systems when building databases and systems. This obligation underlines the need for organisations to consider data protection compliance at the start of a project in order that data protection rules are integrated.
Data protection impact assessments (‘DPIA’) are mandatory where proposed data processing is likely to result in a high risk to the rights and freedoms of individuals. A DPIA involves an assessment of the likelihood and severity of the risks involved in the proposed data processing as well as the measures and safeguards to be introduced to mitigate the risk. Large-scale processing operations affecting many people that are likely to result in a high risk will require a DPIA. Processing health data on a large scale requires a DPIA.
But a DPIA is not mandatory where the processing of health data by a doctor or healthcare professional concerns patients. Additionally a data protection authority can publish a list of processing operations that do not require a DPIA. Many organisations using health data will have to get used to carrying out DPIAs where they cannot fall under the exemption.
Both controllers and processors will be under new obligations about the documentation they must retain and the provisions their contracts must include. Controllers will need to implement appropriate data protection policies and both controllers and processors will be required to keep a record of processing activities. The GDPR specifically sets out the provisions which will have to be included in controller-processor contracts whether in the health industry or otherwise.
The GDPR introduces an obligation to report data breaches to data protection authorities and to affected individuals. This is a new comprehensive obligation that is not industry specific but instead is triggered if the personal data breach is likely to result in a risk to individuals. Given that a data breach involving health data is more likely to result in a risk to individuals, organisations processing health data could be more widely affected.
But, it is worth noting that the obligation to notify affected individuals is only triggered where the breach could result in a high risk to individuals. Furthermore, a controller does not need to notify individuals if the health data that is the subject of the breach has been subject to measures, such as encryption, that make it unintelligible to unauthorised recipients, the controller has taken measures to reduce the risk, or if notification would involve a disproportionate effort.
One area that is given greater prominence in the GDPR is adherence to codes of conduct to demonstrate compliance. Data protection authorities shall encourage the development of codes to take account of the specific features of particular industries and sectors. Where a data protection authority approves a code, adherence can be relied upon by organisations to demonstrate compliance with other aspects of the GDPR. Consequently, the health industry (or sectors within it) could explore developing a code tailored for their requirements. A similar means of demonstrating compliance exists if a controller or processor obtains a certification that is recognised under the GDPR.
All those working with health data will need to become well acquainted with data protection rules in the future. The GDPR will unavoidably impose itself on hospitals, pharmaceutical companies, academic institutions, and technology companies using health data. Certainly the final text of the GDPR is not as onerous as it could have been. But all organisations processing health data will need to review their existing policies, procedures, and practices to ensure compliance.
This entry original was published in the January 2016 edition of Ehealth Law & Policy.
Authored by Victoria Hordern