Data protection and management

Definition of ‘health data’

What constitutes ‘health data’? Is there a definition of ‘anonymised’ health data?

Health data is a legally defined term in Germany. Health, biometric and genetic data are subject to specific protection. According to article 4(15) of Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR), ‘health data’ means ‘personal data related to the physical or mental health of a natural person, including the provision of healthcare services, which reveal information about his or her health status’. This includes information such as numbers or symbols that are assigned to a natural person in order to identify that person for health purposes, all data derived from the testing or examination of a body part of that person, including genetic data and biological samples, as well as all information on, for instance, a disease or the medical history of that person. German data protection authorities interpret the term broadly and regularly assume that, for example, a photo showing a person wearing prescription glasses qualifies as ‘health data’. This means that personal data collected by a health app, a wearable or a smartwatch that relates to the individual's physical or mental health status is also covered by the protection afforded to ‘health data’.

There is no specific definition of ‘anonymised’ health data. Rather, the general principle applies. According to Recital 26 of the GDPR, anonymous information is ‘information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable’. Personal data that has been anonymised is not subject to the GDPR.

Data protection law

What legal protection is afforded to health data in your jurisdiction? Is the level of protection greater than that afforded to other personal data?

Under the EU’s data protection laws, the permissibility of data processing is generally governed by the GDPR, unless the GDPR contains an opening clause according to which EU member states can enact supplementary regulations at member state level. Some national laws contain specific provisions that afford a different level of protection to health data.


GDPR requirements

According to the GDPR, the processing of ‘health data’ is in principle prohibited (article 9(1) GDPR), unless legal justification pursuant to article 9(2) GDPR applies. The processing of health data is permitted, for example, if the data subject has consented to the processing (article 9(2)(a) GDPR).

In addition, article 9(2) GDPR contains specific opening clauses, according to which the EU member states may enact national laws for the processing of health data, such as:

  • for ‘the provision of health or social care or treatment or the management of health or social care systems and services’ (article 9(2)(h) GDPR);

  • ‘reasons of public interest in the area of public health’ (article 9(2)(i) GDPR);

  • ‘archiving purposes in the public interest, scientific or historical research purposes or statistical purposes’ (article 9(2)(j) GDPR); and

  • to ‘maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health’ (article 9(4) GDPR).


National law requirements

In light of the above, the lawfulness of the processing of health data largely depends on national member state laws. In Germany, these include various federal laws governing the processing of health data, such as:


In addition, there are various state laws, such as state data protection acts and state hospital laws, and special laws such as the Mental Health Act.

In Germany, there are further legislative efforts to drive forward the digitisation of the healthcare system. The recently enacted Digital Healthcare Act, the Digital Health Applications Ordinance and the Patient Data Protection Act will make it easier for doctors to hold online video consultations, reimburse patients for using prescribed digital healthcare applications and ensure that all stakeholders have access to a secure healthcare data network for treatment.

Owing to the large number of national laws governing the processing of health data, the legal situation in Germany is very complex, which is why it is usually necessary to carry out a comprehensive examination of whether the applicable data protection laws are being observed when processing health data.

Anonymised health data

Is anonymised health data subject to specific regulations or guidelines?

Yes, in certain cases German data protection law requires health data that is being processed to be anonymised. For example, health data processed for scientific or historical research purposes or for statistical purposes shall be rendered anonymous as soon as the research or statistical purpose permits, unless legitimate interests of the data subject prevent this (section 27(3) of the Federal Data Protection Act).

In addition, the general principle of data minimisation according to article 5(1)(c) of the GDPR requires that personal data must be anonymised when it is no longer necessary to identify the natural person.

However, EU and German data protection laws do not specify how true anonymisation can be achieved. Recital 26 of the GDPR explains that the principles of data protection should not apply to anonymous information that ‘does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.’

According to the European data protection authorities, in order to be considered truly anonymous under the GDPR, personal data must be stripped of all identifying elements so that the information can no longer be attributed to an identifiable person. All means that may be available for identification (eg, including information held by third parties) must be taken into account. If identification (eg, with potentially available information from third parties) is still possible, the data is not truly anonymised, but only pseudonymised. In that case, the processing remains subject to EU and German data protection laws. Organisations should therefore exercise caution when attempting to anonymise personal data; data sets are frequently described as anonymised when in fact they are not.
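The following added example (not part of the original text) illustrates the test described above in code: a research extract with direct identifiers replaced by tokens still counts as pseudonymised if a third-party data set can be joined on the remaining quasi-identifiers. All records, names, postcodes and the register are constructed sample data.

```python
from collections import Counter

# Constructed sample: a 'pseudonymised' research extract. Name and insurance
# number have been replaced by an opaque token, but the quasi-identifiers
# postcode / year of birth / sex are kept unchanged.
PSEUDONYMISED_RECORDS = [
    {"token": "p-7f3a", "postcode": "10115", "birth_year": 1971, "sex": "F", "diagnosis": "E11"},
    {"token": "p-9c21", "postcode": "10115", "birth_year": 1971, "sex": "F", "diagnosis": "I10"},
    {"token": "p-3b08", "postcode": "80331", "birth_year": 1958, "sex": "M", "diagnosis": "F32"},
    {"token": "p-d1e4", "postcode": "20095", "birth_year": 1989, "sex": "F", "diagnosis": "J45"},
]

# Constructed third-party data set (eg, a public register) that maps the same
# quasi-identifiers to named persons; this is the 'means available from third
# parties' that the anonymisation assessment has to take into account.
THIRD_PARTY_REGISTER = [
    {"name": "A. Beispiel", "postcode": "80331", "birth_year": 1958, "sex": "M"},
    {"name": "B. Muster", "postcode": "20095", "birth_year": 1989, "sex": "F"},
    {"name": "C. Fall", "postcode": "10115", "birth_year": 1971, "sex": "F"},
    {"name": "D. Fall", "postcode": "10115", "birth_year": 1971, "sex": "F"},
]

QUASI_IDENTIFIERS = ("postcode", "birth_year", "sex")


def qi_key(row):
    """Tuple of the quasi-identifier values of one record."""
    return tuple(row[q] for q in QUASI_IDENTIFIERS)


def min_k(records):
    """Smallest group sharing identical quasi-identifiers (the k of k-anonymity)."""
    return min(Counter(qi_key(r) for r in records).values())


def linkable_records(records, register):
    """Map token -> name for every record whose quasi-identifiers match exactly
    one person in the register. Any hit means the extract is re-identifiable."""
    by_key = {}
    for person in register:
        by_key.setdefault(qi_key(person), []).append(person["name"])
    return {r["token"]: by_key[qi_key(r)][0]
            for r in records if len(by_key.get(qi_key(r), [])) == 1}


def is_effectively_anonymous(records, register, k=5):
    """Crude check: no record links to a single person and every group has >= k members."""
    return not linkable_records(records, register) and min_k(records) >= k
```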

Helpful information on how anonymisation of data can be achieved can be found in the Consultation Paper published by the Technology, Methods and Infrastructure for Networked Medical Research, which outlines the requirements for anonymisation, as well as in the Guidelines on the Protection of Health Data published by the German Federal Ministry for Economic Affairs, which provide further information on the procedure for anonymisation of health data.

Enforcement

How are the data protection laws in your jurisdiction enforced in relation to health data? Have there been any notable regulatory or private enforcement actions in relation to digital healthcare technologies?

In general, the GDPR grants the data protection authorities several investigative and corrective powers (such as carrying out investigations, issuing warnings, and imposing a processing limitation or ban) and, moreover, provides a system of sanctions consisting of administrative fines and compensation for damages (material and immaterial), as well as the possibility of taking action against infringements by means of injunctions.

Depending on the violation, administrative fines under the GDPR can amount to €20 million or up to 4 per cent of the violator's total worldwide annual turnover, whichever is higher.

With regard to the enforcement of data protection in relation to health data, some notable fines have already been imposed in Germany, such as a fine of €105,000 on a hospital for mixing up patient data owing to technical deficiencies in the hospital's patient and privacy management, and a fine of €1,240,000 on a health insurance company for the inadequate implementation of technical and organisational measures.

In addition, the practice of publicly naming and shaming violators can cause considerable PR and other damage. In particular, the public disclosure of a start-up from the healthcare space that unlawfully transferred health data, including symptoms and the name of the health insurance company, for tracking purposes to an advertising network led to considerable issues. In such cases, there is a risk that not only the users but also other stakeholders such as shareholders, investors or cooperation partners could shy away from using the product or investing in it.

Cybersecurity

What cybersecurity laws and best practices are relevant for digital health offerings?

Early on, German data protection authorities issued guidance for app developers and providers that specifically addressed mobile apps processing sensitive data. In particular, they called for sandboxing, encryption and similar protective measures when processing patient and health data. In addition, according to the new Digital Health Applications Ordinance, which applies to qualified ‘digital healthcare applications’ (ie, those subject to reimbursement by the health insurance), the manufacturer must meet the requirements for data security according to the state of the art, taking into account the type of data processed, the level of protection associated with it and the need for protection.

The requirement refers to the protection of the confidentiality, integrity and availability of all data processed via the app. According to the Digital Health Applications Ordinance, a declaration is to be submitted on the basis of a questionnaire to the Federal Institute for Drugs and Medical Devices. If it is an app with a very high need for protection, additional requirements such as penetration tests, sufficient encryption of the stored data or two-factor authentication when accessing health data are necessary.

In general, the requirements are based on the specifications and recommendations of the Federal Office for Information Security (BSI), as described in particular in the standards BSI 200-1 (Management Systems for Information Security), BSI 200-2 (IT-Grundschutz Methodology) and BSI 200-3 (Risk Analysis on the Basis of IT-Grundschutz). These requirements are supplemented by modules of the IT-Grundschutz Compendium. Any digital healthcare application that is to be included in the Digital Healthcare Applications Directory must, no later than 1 January 2022, have implemented an information security management system that fulfils the requirements of ISO 13485 as well as those of the BSI standards or ISO 27001. In addition, the guideline BSI TR-03161, which describes security requirements for digital health applications, must be observed.

Without prejudice to the information security requirements for digital health apps, the health sector as such represents critical infrastructure according to section 6 of the BSI-KRITIS Regulation. This means that operators of critical infrastructure are obliged under section 8a(1) of the BSI-KRITIS Regulation to take appropriate organisational and technical precautions to avoid disruption to the availability, integrity, authenticity and confidentiality of the information technology systems, components or processes that are essential for the functionality of the critical infrastructure they operate.

Best practices and practical tips

What best practices and practical tips would you recommend to effectively manage the ownership, use and sharing of users’ raw and anonymised data, as well as the output of digital health solutions?

In practice, it is of great importance to be able to exploit the full potential of health data. This requires that the data can be processed for as broad a range of purposes as possible. This can be achieved, for example, by obtaining the broad consent of the data subject. Such consent can cover as yet unspecified research projects and future data processing, including, where possible, secondary use and transfer of data to third parties, such as other research partners.

In this context, the planned data processing must observe the ‘principle of purpose limitation’ (article 5(1)(b) of the GDPR). This principle stipulates that data may only be processed ‘for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes’. This means that the planned purposes of data processing must be already specified at the time of data collection. Until recently, it was controversial in Germany whether future data processing for secondary use could be based on broad consent, which only describes future planned data processing at a very high level. However, the German Data Protection Committee, in its Decision of April 2020, has now considered broad consent in the area of clinical studies to be permissible. It is possible that this view will also prevail in the context of digital health innovations to legitimise data processing for secondary use.

In order not to have to comply with the strict data protection regulations, it is recommended, whenever possible, to anonymise personal data. Once data is truly anonymous, the data protection regulations no longer apply. However, true anonymisation of personal data is subject to high standards, and the anonymisation process itself always requires a separate legal basis.

As regards the commercialisation of health data, it is not only necessary to ensure compliance with the above-mentioned data protection regulations if, for example, health data is transferred to third parties. In addition, effective contractual agreements between the data owner and the data recipient are also of crucial importance, since under German law there is no ownership of data. Rather, contractual arrangements are required that, in the context of the commercialisation of raw or anonymised health data, specify the extent to which the data recipient is to be granted rights of use of the data; in other words, which data may be used for which purpose (eg, for further research). In addition, the legal consequences of a violation of these data use rights (such as injunctive relief or contractual penalties) should also be governed in the respective contract. In short, only on a comprehensive contractual basis can an effective commercialisation of health data in Germany be guaranteed.

Law stated date

Correct on

Give the date on which the above content is accurate.

11 December 2020.