Regulation of the use of sensitive health data by public and private actors became a hot topic in Serbia following media coverage of a recent request made by a local police authority to a local hospital.

The local hospital informed the Serbian DPA about the request made by the local police authority for sensitive health data about persons being treated with certain medical diagnoses including mental health issues.

The reason given by the local police authority was to “update relevant dossiers”. The Serbian DPA initiated the supervisory control over the implementation of the Law on protection of personal data (Official Gazette of the Republic of Serbia, nos. 97/2008, 104/2009, 68/2012, 107/2012) (the "LDP") by the Ministry of internal affairs.

The case puts into the spotlight general and professional public issues such as: (i) adequacy of current legal framework for collecting and processing sensitive health data; and (ii) practices of private and public actors when dealing with collection and processing of sensitive health data. It also gives useful insight into the approach of the Serbian DPA to potential breaches of the Law on data protection.

When dealing with potential breaches of the LDP, the Serbian DPA developed a three-pronged test. The first step covers the legal basis for collecting and/or processing personal data i.e. whether the collection of personal data is statutory based or based on the prior informed consent of the data subject.

As a general rule the LDP prescribed that, due to its nature and importance for the data subject, sensitive data can be collected and processed only with the prior informed consent of the data subject. However there are exceptions for certain categories of sensitive data and the LDP prescribes that collection and processing of health data can be statutory based also.

However, there is no statutory legal basis for processing sensitive health data by the police authority. The Serbian DPA in fact stated that such processing is in clear violation of several laws.

The second step covers the purpose of the processing. The Serbian DPA looked at whether the processing was done for purposes other than those specified, regardless whether it was based on a person’s consent or on statutory powers for data processing without consent. It also looked at whether the purpose of processing is vaguely defined, modified, inadmissible or already achieved.

The third step covers the issue of proportionality. The Serbian DPA looked at whether the processing method was admissible, whether the processed data was necessary or suitable for the purpose of processing and finally whether the number or type of data processed is proportionate taking into account the purpose of processing.

In this instance, where there was processing of sensitive health data the request failed the first step of the test. However the Serbian DPA also stated that, even if the legal basis existed for such processing, the purpose and proportionally of such processing would be “extremely problematic”.

Although the three-pronged test is developed from the practice of the Serbian DPA and it is not explicitly prescribed, it can be a useful tool for organisations to assess whether collection and/or processing is done in line with the applicable data protection regulations in Serbia.

Submitted by Aleksa V. Anđelković LL.M of WALK Attorneys at Law – Belgrade, Serbia in partnership with DAC Beachcroft LLP