The 'guide for patients and users of health care services' was published earlier this month by Spain's data protection authority, Agencia española de protección de datos (AEPD). It reflects the AEPD's desire to ensure patient data are correctly protected and that patients are aware and understand their rights in relation to the processing of their data in the context of health care services.
Useful explanations and examples within the guidance highlight how practices in health care trigger obligations under the General Data Protection Regulation (GDPR).
Control, not ownership
Medical databases include two types of personal data: identifiers and health information. Individuals'' health records are based on both types of data.
Patients are always concerned about the ownership of their health records. The AEPD said, though, that from a data protection perspective, the concept of ownership of data is not contemplated. Instead, the health care professionals or health bodies that process the data are 'data controllers' responsible for ensuring the information is handled in accordance with data protection law and that the rights of patients, including in respect of their access to their health records, are honoured.
In its guidance the AEPD explored the legal bases for processing health data in the context of health care services.
In most cases, organisations need individuals' consent before they can process their sensitive data including health data, but the AEPD said there are some circumstances where the processing of health data is still lawful even without patient consent first being obtained. According to the AEPD, health care services providers may process health data without the patient's consent as it said there is the legal basis to process such data under article 7(1)(b) of the GDPR, which applies where the processing is necessary to fulfil a contract. This legal basis would also apply in the context of health and safety in the employment environment.
The AEPD also explained that consent would not be necessary either to process health data for public interest purposes or to protect a vital interest. However, it said consent would be necessary if a dentist or a physiotherapist wants to send patients commercial communications.
Although health care professionals or health care bodies typically do not need to obtain their patients' consent, the AEPD explained that they are obliged to provide them with information regarding their processing of their data.
The mandatory information requirements are outlined in articles 13 and 14 of the GDPR, which set out different requirements depending on whether the data is collected directly from patients or obtained from other sources.
The information that must be disclosed includes the identity of the data controller, the purposes of and legal basis for the data processing, what categories of personal data are involved, and who the recipients or categories of recipients of the data will be in cases where the data is to be shared with others.
Within the guidance is a particularly useful example of when health researchers can use the data they have gathered with patients' consent in more than one project without having to seek fresh consent to do so.
The AEPD said that, if patients consent to the use of their personal data for a specific clinical investigation, for example in the context of a specific type of cancer such as breast or colon cancer, the researchers can process the same personal data in other cancer projects too.
This is a helpful clarification of the concept of purpose limitation written into data protection law. The concept is designed to ensure that personal data is not processed for a purpose for which it was not originally collected for.
Access to health data
The guide includes a question and answer section that explains, among other things, that health records may not be accessed by everyone but that any third parties accessing the data will be bound by the instructions given by the health care professionals or bodies.
According to the guide, health records can be legitimately assigned to other data controllers, for example to insurance companies that process payments.
The guide also confirms that parents can gain access to clinical records of children aged between 14 and 18 years old.