Data protection and management
Definition of ‘health data’
What constitutes ‘health data’? Is there a definition of ‘anonymised’ health data?
Health data
The EU General Data Protection Regulation (GDPR) provides the definition of health data. In particular, section 4.15 of the GDPR defines ‘health data’ as ‘personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status’.
The Spanish Data Protection Act reaffirms this definition and the Spanish Data Protection Authority (SDPA) includes ‘genetic data’ as health data, which refers to personal data relating to the inherited or acquired genetic characteristics of an individual that provide unique information about that person’s physiology or health, and that is obtained in particular from the analysis of a biological sample of that person.
Therefore, health data in Spain will mainly include:
- the personal information collected during the registration for, or the provision of, healthcare services;
- numbers or symbols assigned to a natural person to identify that person for health purposes;
- information derived from testing or examination of body parts or bodily substances; and
- any information of a natural person contained in any sources regarding diseases, disabilities or clinical treatments.
Anonymised health data
Neither the GDPR nor the applicable Spanish data protection regulations apply to anonymous information (namely, information that does not relate to an identified or identifiable individual, or data rendered anonymous in such a way that the data subject is not, or is no longer, identifiable). Consequently, data protection regulations do not affect the processing of anonymous information (eg, anonymised health data), including for statistical or research purposes. However, data protection rules apply to personal data before its anonymisation and during the anonymisation process (eg, anonymisation must rely on a valid legal ground in line with data protection rules, and data subjects must be informed of it).
Data protection law
What legal protection is afforded to health data in your jurisdiction? Is the level of protection greater than that afforded to other personal data?
EU regulation
Under the GDPR, health data is included among the ‘special categories of personal data’. In that respect, section 9.1 of the GDPR establishes as a general principle that the processing of special categories of personal data (and thus, health data) is prohibited. However, section 9.2 sets out a list of scenarios where such prohibition does not apply.
In particular, health data may be processed relying on the individual’s consent, and also under certain circumstances, including:
- for reasons of substantial public interest;
- for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services;
- for reasons of public interest in the area of public health; and
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
In addition, section 9.4 of the GDPR allows member states to introduce further conditions or limitations regarding the processing of health data.
Spanish regulation
In addition, the Spanish Data Protection Act establishes in its Seventeenth Additional Provision a list of principles governing the processing of health data in the context of health research. Moreover, certain sector regulations may have an impact on how companies may process health-related data. In this context, Law No. 41/2002 on patient autonomy and the rights and obligations regarding clinical information and documentation (the Law on Patient Autonomy) regulates patients’ medical records and includes relevant provisions in relation to the permitted use, conservation of the documentation, rights of access and custody of said records. As a general principle, section 14.2 establishes that ‘the security, proper preservation and retrieval of information’ of medical records must be ensured.
Anonymised health data
Is anonymised health data subject to specific regulations or guidelines?
The Spanish Law on Patient Autonomy establishes as a general principle that personal identification data (namely, ID card and social security number) and health data contained in medical records must be separated to safeguard the anonymity of patients. This obligation shall only be exempted when patients give their consent or when needed in the context of scientific research, judicial inquiries or a relevant public health risk.
According to data protection authorities, anonymisation is the irreversible process whereby data is stripped of all the elements that may reasonably be used by either controllers or third parties to allow the identification of a natural person.
EU and Spanish regulations do not specify how this anonymisation must be conducted. However, the relevant EU and Spanish data protection authorities have issued various reference guides over time that provide data controllers and processors performing anonymisation processes with a number of recommendations and techniques (eg, EU Opinion 05/2014 on Anonymisation Techniques, the SDPA’s Orientations and Guarantees regarding personal data anonymisation procedures, and the joint paper from the SDPA and the European Data Protection Supervisor on 10 misunderstandings related to anonymisation).
According to Recital 26 of the GDPR, only anonymous data is not subject to data protection requirements. However, anonymisation is itself a processing of data and, therefore, data controllers shall comply with all the requirements set forth by law when anonymising personal data. In line with this, companies should pay special attention to their data anonymisation processes and address the risk of re-identification (namely, the use of different sources of information to reverse the anonymisation of data). Regarding the risk of re-identification, the SDPA has issued the document K-Anonymity as a privacy measure.
In particular regarding health data, the European Data Protection Board (EDPB) recently issued a set of guidelines regarding the processing of personal data for health research purposes under the GDPR (EDPB Document on response to the request from the European Commission for clarifications on the consistent application of the GDPR, focusing on health research). It addresses certain anonymisation matters specific to the health research sector, such as the line to be drawn between anonymisation and pseudonymisation, the anonymisation (if possible) of genetic data or the appropriate safeguards for the processing of anonymised or pseudonymised health data with scientific research purposes.
The Spanish Law on Patient Autonomy establishes as a general principle that personal identification data (namely, ID card and social security number) and health data contained in medical records must be separated to ensure that patients are not directly identifiable. This obligation shall only be exempted when patients give their consent or when needed in the context of scientific research, judicial inquiries or a relevant public health risk. This obligation results in pseudonymisation (reversible) rather than anonymisation (irreversible).
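As an added illustration of the distinction drawn above (separating identifiers from health data gives reversible pseudonymisation, while the SDPA's k-anonymity measure addresses re-identification through quasi-identifiers), the following Python example is not part of the original text or of any regulator's material; the field names and sample records are constructed assumptions.

```python
import secrets
from collections import Counter

# Constructed sample medical records (fictitious people). "dni" and "ssn" are
# direct identifiers; postcode, birth_year and sex are quasi-identifiers that
# can be combined with other sources to re-identify a patient.
RECORDS = [
    {"dni": "00000001A", "ssn": "28-0000001", "postcode": "28001", "birth_year": 1981, "sex": "F", "diagnosis": "asthma"},
    {"dni": "00000002B", "ssn": "28-0000002", "postcode": "28003", "birth_year": 1985, "sex": "F", "diagnosis": "diabetes"},
    {"dni": "00000003C", "ssn": "08-0000003", "postcode": "08001", "birth_year": 1972, "sex": "M", "diagnosis": "hypertension"},
    {"dni": "00000004D", "ssn": "08-0000004", "postcode": "08005", "birth_year": 1978, "sex": "M", "diagnosis": "asthma"},
]
DIRECT_IDS = ("dni", "ssn")
QUASI_IDS = ("postcode", "birth_year", "sex")


def pseudonymise(records):
    """Split direct identifiers from health data, as the Law on Patient Autonomy requires.
    Returns (health_table, key_table). Because the key table lets the controller undo the
    split, the result is pseudonymised personal data, not anonymous data."""
    health, keys = [], {}
    for rec in records:
        token = secrets.token_hex(8)  # random pseudonym; nothing is derived from the ID itself
        keys[token] = {k: rec[k] for k in DIRECT_IDS}
        health.append({"token": token, **{k: v for k, v in rec.items() if k not in DIRECT_IDS}})
    return health, keys


def reidentify(health_row, keys):
    """Whoever holds the key table can reverse the split: this is why it stays under the GDPR."""
    return keys[health_row["token"]]


def k_anonymity(rows, quasi=QUASI_IDS):
    """k of k-anonymity: size of the smallest group of rows sharing the same quasi-identifiers.
    k == 1 means at least one patient is unique and thus exposed to linkage attacks."""
    classes = Counter(tuple(r[q] for q in quasi) for r in rows)
    return min(classes.values())


def generalise(rows):
    """Coarsen quasi-identifiers (postcode to province prefix, year to decade) to raise k."""
    out = []
    for r in rows:
        g = dict(r)
        g["postcode"] = r["postcode"][:2] + "***"
        g["birth_year"] = f"{r['birth_year'] // 10 * 10}s"
        out.append(g)
    return out
```

Even after the identifiers are removed, the health table alone has k = 1 on these records; only after generalising the quasi-identifiers does every patient share its class with another, which is the kind of check the SDPA's k-anonymity document is concerned with.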
Enforcement
How are the data protection laws in your jurisdiction enforced in relation to health data? Have there been any notable regulatory or private enforcement actions in relation to digital healthcare technologies?
Enforcement of data protection laws
Under section 58 of the GDPR, national data protection authorities are given wide investigative and corrective powers. By way of example, these authorities are entitled to carry out data protection audits, request any type of information required for the performance of their tasks, obtain access to any premises, issue warnings and reprimands, or impose temporary or definitive data processing limitations or bans.
National data protection authorities are also entitled to impose administrative fines on those who infringe GDPR provisions. In that respect, the GDPR establishes two types of fines:
- high fines: apply to infringements of the basic principles for processing, data subjects’ rights, international transfers of data, obligations pursuant to national laws and non-compliance with specific orders of the supervisory authority. Such fines can amount to up to €20 million or 4 per cent of the total worldwide annual turnover of the offender; and
- low fines: apply to infringements of specific obligations of controllers, processors, certification bodies and monitoring bodies. Such fines can amount to up to €10 million or 2 per cent of the total worldwide annual turnover of the offender.
In addition, individuals also have the right to bring claims against controllers and processors or to mandate consumer protection bodies to bring claims on their behalf.
Irregular processing of health data may also trigger criminal liability. The Supreme Court has ruled on several occasions that irregular access to medical records (and thus to health data) constitutes a criminal offence of discovery and revelation of secrets, which is punishable by a prison sentence of one to four years and fines of 12 to 24 months.
Spanish enforcement actions
Since the issuance of the GDPR, the SDPA has imposed various fines due to infringements regarding the processing of health data. The highest fines imposed relate to irregular access to medical records and the keeping of records containing health data without sufficient security conditions, and amount to €40,000.
However, for reasons other than the processing of health data (eg, lack of transparency or failure to comply with the information obligation) the SDPA has imposed fines of up to €8 million.
Cybersecurity
What cybersecurity laws and best practices are relevant for digital health offerings?
From a data protection perspective, the GDPR establishes in its section 32 that the processing of data must be conducted ‘under appropriate technical and organisational measures that ensure a level of security appropriate to the risk of the relevant data’, and provides a list of reasonable measures (pseudonymisation and encryption of data; implementation of systems and services that ensure confidentiality, integrity, availability and resilience). In turn, the Spanish Data Protection Act regulates the imposition of sanctions for failure to establish the adequate security measures required by the GDPR. Beyond this, neither the GDPR nor the applicable Spanish data protection legislation provides further detail of the measures that data controllers shall adopt to ensure the proper preservation and security of personal data. However, following the generic guidelines on security measures set forth in the GDPR, data controllers processing health data will have to implement appropriately robust measures, since health data are a special category of data.
Notwithstanding the above, there are cybersecurity regulations that are independent from the processing of personal data, and that will be applicable depending on the sector and activities companies carry out.
Digital health offerings by public administrations shall be subject to the Spanish National Security Scheme, which implements a security policy for the use of digital means in the public administrations. Therefore, the report Security requirements of e-Health apps in the context of the National Security Scheme issued by the Spanish Cryptological Centre will be of relevance for companies collaborating with public administrations. This report establishes a set of security objectives and requirements regarding health apps offered by public administrations (eg, obligations to draft an information security policy and to prepare and periodically update a risk assessment).
Depending on the activity of the company, both Law No. 8/2011 establishing measures for the Protection of Critical Infrastructures and the Royal Decree 43/2021, of 26 January, implementing Royal Decree-Law 12/2018, of 7 September, on the security of networks and information systems, shall be applicable.
In addition, in January 2021, the European Union Agency for Cybersecurity published in its report Cloud Security for Health Services a set of guidelines and practices directed at professionals in the health sector that focuses on electronic medical records, telemedicine services and medical devices and includes some case studies to provide a practical approach.
Best practices and practical tips
What best practices and practical tips would you recommend to effectively manage the ownership, use and sharing of users’ raw and anonymised data, as well as the output of digital health solutions?
Rules and restrictions applicable to raw and anonymised data are significantly different. Consequently, recommendations vary depending on this classification:
- raw data: as regards health data, the use of an adequate legal basis will be a key concern. From a general perspective, companies must comply with all the requirements set forth by the applicable legislation to confirm that all the intended uses and sharing of personal data are legitimised under data protection regulations; and
- anonymised data: as a first step, companies must ensure that anonymisation is conducted following the guidelines provided by data protection authorities, to avoid potential re-identification and to ensure that said data is no longer regulated under data protection regulations. Then, companies should analyse which measures they must adopt to protect this data under a transferable economic right (trade secrets, sui generis right over databases).
From a contractual standpoint, agreements concluded with providers of technological services shall include clear provisions regulating any matters regarding the ownership, analysis and exploitation of the data.