Sensitive data, as a specific group of personal data, is understandably subject to a stricter regulation than other types of data/information; this regulation is clearly defining what data is precisely understood as sensitive one, demands specific forms of consent with processing as well as the qualifying few statutory exemptions when such data can be processed without consent; regulation also defines requirements for maintaining this data secure and confidential at all times. Health data is defined as specific information about physical or mental health of an individual/data subject.
The few statutory exemptions allowing general processing of health data include activities regulated by special legislation governing healthcare and healthcare services in general, protection of public health and services relating to health, sickness and social protection system as well as some instances relating to labour-related law and employment law. Some sensitive data, including health data, is also being processed during employment (subject to specific supplemental regulation by the Labour Code and the Employment Act). However, in these instances, the person processing sensitive health data of employees or applicants is the physician, not the actual employer. Some exceptions are made in case of employment of persons with altered working capacity.
In today’s world, a far greater use is made of new screening methods, equipment and technologies, which are developing ever faster. These developments often result in more advanced and broader use of handheld healthcare-related equipment (which is often both mobile and connected online to various health applications) for use on persons outside healthcare facilities; these devices monitor and assess health of persons, whether purely in ‘information’ mode (providing real-time data) or providing some specific recommendations or triggering specific warnings. This so-called mobile healthcare brings about new challenges in terms of protecting the generated sensitive information and its subsequent collection and use and also in terms of finding methods how to establish that these new health-care products and devices constitute healthcare equipment subject to this strict and specific regulation.
Opinions issued by Article 29 Working Party that address these issues relating to sensitive data, including health data, especially with respect to its security, use of devices and applications and forms of consent include: Opinion 02/2013 on apps on smart device / February 2013; Opinion 8/2014 on the on Recent Developments on the Internet of Things / September 2014; Opinion 9/2014 on the application of Directive 2002/58/EC to device fingerprinting / November 2014 and the Letter to the EC/ February 2015 clarifying definition of health data in apps and device.
The European Commissions’ Digital Agenda for Europe includes action plans for Information and Communication Technology for health and wellbeing (eHealth), which also addresses Mobile Health (mHealth). A Green Paper on mHealth was published in 2014 for public consultations. Results and proposals for further action should be published in 2015.
The current draft of the General Data Protection Regulation, dealing with collection, processing and movement of personal data, which is debated in the European Council and the Parliament is slated to replace Directive from 1995 and contains a more detailed regulation of sensitive health data. The December 2014 text has been changed significantly since the original 2012 proposal, and we may expect further changes before it is finally adopted.
This draft regulation generally prohibits processing of health data; processing will be allowed only in terms of a closed group of activities (the data subject’s consent will be still applicable); in comparison with existing regulation, , this will include scientific research, whether basic, applied and research supported by public and/or private funding, but apparently not including experimental development.
Processing will be also allowed when such would be necessary to fulfil tasks that are in the public interest under applicable EU or Member State regulation, and which provides appropriate guarantees protecting legitimate interests of the data subjects. Member States will be allowed to define further limits, for instance with respect to who will not have access to health data, respectively who cannot be provided with such data, or limitations of certain rights of individuals/natural persons. The draft expressly stipulates that maintenance of health data (health status) is required for reasons elated to protection of public interest and health or for scientific purposes, and for these reasons these data cannot be subject to deletions based on the right to be forgotten and the right to have data deleted.
Profiling will be also limited (in terms of measures adopted only on the basis of automated data processing for the purposes of assessing certain properties of character of individuals or for purposes of health condition analyses), under which all individuals will have the right not to be subject to any such measure, which would have legal effect or which would significantly affect such person.
New definition will be also provided for ‘pseudonymization’ of personal (sensitive) data, which may help in clearing up the existing ambiguities and often diverse approach to these issues.
The draft regulation also expressly stipulates that Member States will be free to determined specific conditions for processing of personal data for certain sectors and for processing of specific categories of data (including sensitive data).
With regard to the current progress in the debate on this draft Directive we can safely assume that the final version will contain additional modifications and that it will, more importantly, further reflect the rapid development and impact of new technologies and devices on the health data collection and processing.