The Council of Europe (CoE) recently issued its recommendation to member states on the protection of health-related data (Recommendation). The Recommendation guides member states to ensure that their law and practice reflect the principles of processing health-related data.
The Recommendation stems from Convention 108, which was the first international treaty in the field of data protection. Like the General Data Protection Regulation 2016/679 (GDPR), Convention 108 sets out principles for processing health data, but contains fewer options than the GDPR. The Recommendation’s principles on health data align with the GDPR, but in some cases provide more guidance about processing health-related data.
Some of the key recommendations on processing certain health-related data are below.
- Bases for processing: Processing of health-related data should be “necessary and proportionate”. The CoE has brought the approach of Convention 108 in line with GDPR. Convention 108 requires that health-related data may only be processed based on consent or one of the legitimate purposes set out in Chapter II of the appendix to the Recommendation.
- Data of unborn children: Health-related data of unborn children should be appropriately protected. This is in line with the European Data Protection Board’s recommendations.
- Genetic data: Genetic data can only be processed when there are appropriate safeguards in place. The Recommendation identifies some instances where the processing of genetic data is limited. These instances include processing in the employment context; for the purposes of judicial procedure or investigation; and for insurance purposes.
- Sharing health-related data: Where health-related data is shared for the purposes of providing and administering health care, the approach to informing the individual is in line with the GDPR. This includes the possibility for the individual to withdraw consent, where consent is the basis for processing. Recipients of this shared data should be subject to the same standards of confidentiality as health-care professionals. Health-related data that is shared for a secondary purpose, other than for providing and administering health care, should be shared only with recipients who are authorised by law to access that data, and those recipients should likewise be subject to the same standards of confidentiality as health-care professionals. The CoE has adopted a more rigorous position for health-related data here than the GDPR takes for personal data: under the GDPR, third parties may receive personal data where the data subject has consented to the transfer.
- Security: The CoE introduces the concept of auditability. The Recommendation also sets out how security measures should be regularly reviewed in line with technical developments. Interestingly, it expressly refers to mobile devices. Health-related data collected on a mobile device should have the same legal protection as other health-related data in terms of information to be provided to the individual and the security of that data. The Recommendation requires that mobile devices must provide for “authentication of the person and encryption of the transmission of data”.
- Rights of the individual: Some, but not all, of the GDPR’s provisions on the rights of the individual are incorporated in Convention 108. The Recommendation sets out a more limited list of information to be provided to individuals and allows for that information to be provided after the point of collection. Individuals should have the right not to be informed of any results of the processing of their health-related data. Individuals, on their withdrawal from a scientific research project, should be informed that their data will be destroyed or anonymised in order to retain the scientific validity of the research. Individuals have the right to be informed of the reasoning that underlies the processing of their data. This is particularly important if profiling is involved.
Although not binding, the Recommendation offers a useful insight into the approach member states may take when implementing their national laws on health-related data and may set the standard for processing health-related data. We will be keeping a close eye on these developments.