The use of big data analytics and new technologies in the health sector has considerably changed the way health data is being used, accessed, analysed and shared between health professionals and individuals. Organisations handling health data that embrace these new techniques and practices have to maintain a high standard of security and privacy.
Revamp of the European data protection framework
In May 2016, the European Commission published the General Data Protection Regulation (GDPR), which will replace the current European data protection Directive and will apply from 25 May 2018. It will be directly applicable in all Member States of the European Union, although EU Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health. An overview of the French data protection regime provides a good example of the "further conditions" Member States would be likely to adopt in relation to health data, and of their interplay with the GDPR.
The regime applicable to health data in France
The French regime takes a protective approach to the processing of sensitive personal data and has put in place a prior declaration and authorisation regime for the processing of health data.
The Loi Informatique et Libertés 1978 (LIL) governing the processing of personal data in France does not define what health data means. The French data protection authority (CNIL) considers that information which is capable of identifying the nature of an illness, a handicap or a deficiency should be considered as health data.
The LIL prohibits the processing of health data unless specific exceptions apply. Exceptions include collecting the individual's express consent (e.g. express consent from the patient is required to open a dossier médical personnel, the French Personal Health Record); processing that is necessary for the purposes of preventive medicine, medical diagnosis, provision of healthcare or treatment, or for the management of healthcare services carried out by a member of a medical profession; statistical processing carried out by the National Institute of Statistics and Economic Studies (INSEE); or processing necessary for medical research.
The LIL requires data controllers to declare their processing activities to the CNIL, although organisations that have a Correspondant Informatique et Libertés (the French DPO equivalent) may be exempt from making such declarations for certain types of data. The LIL also requires data controllers to seek an authorisation from the CNIL and/or the Government for data processing activities involving health data, genetic data, data which contains the NIR (the registration number of natural persons in the national register for the identification of individuals, i.e. the social security number) or automatic processing of biometric data necessary for the verification of an individual’s identity. In the absence of such declarations or authorisations, data controllers cannot process the data.
The CNIL has been particularly active in building what it calls a health-related compliance package. It aims at helping healthcare organisations simplify the formalities for processing health data. The CNIL has issued several single authorisations (autorisations uniques) related to specific activities performed in the health sector. Organisations that fall within their scope and which process health data must rely on the relevant autorisation unique.
France, traditionally a leader in the field of the protection of health personal data, has also established a very specific set of policies and regulation for organisations which host such data.
Hosting bodies wishing to host health data must apply for official accreditation from the Health Ministry, which is effectively issued if a favourable opinion is given by the Comité d’instruction of the ASIP-Santé, the CNIL, and the Hosting System Accreditation Committee.
The application procedure is long and labour intensive. It usually takes several months to gather and structure the information required to start the application process, and then an additional six months (at best) to obtain the accreditation.
As this accreditation procedure is extremely burdensome, the French Government has recently undertaken to simplify it within the next couple of years. This will be actioned within the framework of the law on the modernisation of the French Healthcare system adopted on 26 January 2016 (NOTRe).
This law, adopted on 26 January 2016 ("NOTRe"), will also have several additional impacts on the health sector. In particular, it creates a national system of health data that will govern the processing of health data and its access by public authorities. The law NOTRe also contains specific provisions relating to the processing of, and access to, health data, in particular provisions relating to public research and public statistics dealing with the NIR. It remains to be seen how these measures will interplay with the new GDPR regime.
The regime applicable to health data under the GDPR
Clarification of what constitutes "health data"
The current data protection Directive treats health data as a special category of personal data, or sensitive personal data. However, it does not define what "health data" means. The absence of a definition may lead to uncertainty as to whether certain data qualifies as health data, so that health data could be mistakenly treated as ordinary personal data.
The GDPR helpfully introduces a definition of health data and clarifies that it covers "data concerning health, i.e. data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about that person's health status". The Regulation considers that health data may include information about the person collected in the course of the registration for, or the provision of, health care services; a number, symbol or particular assigned to a natural person to uniquely identify that person for health purposes; information derived from the testing or examination of a body part, including from genetic data and biological samples; or any information on, for example, a disease, disease risk (i.e. data concerning the potential future health status of an individual), disability, medical history or the clinical treatment of the physiological or biomedical state of an individual, independent of its source. Because data processors now have a legal obligation to maintain records of their processing activities, they will welcome this clarification, as it will help them identify whether the data they collect constitutes health data in order to document their records adequately.
Processing prohibited unless exceptions apply
The GDPR also treats health data as a "special category" of personal data, which is considered to be sensitive by its nature. Processing is prohibited unless exceptions apply, such as the provision of the individual's explicit consent, where processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or where Member States have inserted further conditions or limitations. The collection of the data subject's consent remains the most common exception that organisations processing health data will be able to rely on, provided that it has been explicitly given and the purpose for processing the data has been explicitly defined. Where relying on consent, organisations should ensure that the consent meets the new GDPR requirements for consent.
Purpose limitation and no further processing
The GDPR makes clear that health data should be processed for health-related purposes, and only where necessary to achieve those purposes for the benefit of natural persons and society as a whole, in particular in the context of the management of health or social care services and systems, including processing by the management of such data for the purpose of quality control. This purpose limitation principle is to be linked with the consent provided by the data subject. Where companies use big data and analytics techniques and manipulate large amounts of data, there are concerns that they may use the data for further, different purposes (e.g. profiling or marketing activities), which creates risks for the individuals, in particular where inaccurate conclusions relating to their health are drawn. Organisations should ensure that they define a clear, compatible and legitimate purpose to guard against misuse of the individuals' data.
Adoption of new security techniques
Security of the data is a major concern both for organisations processing personal data and for individuals who want their privacy to be safeguarded. Whether health data is collected, stored or accessed via wearable devices, mobile applications, cloud computing capabilities or databases, its misuse may have irreversible consequences for the individual concerned, so it is crucial that the data ecosystem is secure.
Under the GDPR, both the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
What should data processors look out for?
The fact that Member States will be able to adopt "further conditions" for processing health data means that there will be differences across the EU Member States in the way these conditions are applied. Organisations processing health data should consider the following:
- whether they will be subject to further conditions set out by Member States and, where they are likely to operate in several EU jurisdictions, understand the different regimes applicable in the relevant EU Member States;
- whether they can clearly identify health data in accordance with the GDPR definitions and, where applicable, those of the Member States, to adequately document them in their records;
- whether the grounds they rely on to process health data meet the GDPR requirements;
- where processing operations are likely to result in a high risk to the rights and freedoms of natural persons, the need to carry out a data protection impact assessment to evaluate the origin, nature, particularity and severity of that risk; it is for the controller to complete it, although we envisage that data processors who are more experienced in a specific sector may want to complete it with the controller's approval.
Organisations are under pressure to transform in order to achieve improved care outcomes and patient experiences at lower cost. The fact that the GDPR now places direct legal obligations on data processors means that controllers and/or processors failing to comply with their obligations will be exposed to the high sanctions provided for under the GDPR. The challenge for them is how to limit the security risk while demonstrating compliance with the GDPR.