Health Use

 

Processing sensitive data; Pre-GDPR Rules

Higher standards applied under the original Data Protection legislation to the processing of certain categories of data.  “Sensitive data” include those relating to the data subject’s health. The processing of sensitive data was permissible in more limited circumstances under the pre GDPR regime, than applied in relation to personal data generally.

Under the GDPR the processing of

  • genetic data,
  • biometric data for the purpose of uniquely identifying a natural person,
  • data concerning health or
  • data concerning a natural person’s sex life or sexual orientation

is prohibited, subject to limited exceptions.


Permitted Processing

The principal exception applies where the data subject has given explicit consent to the processing of the personal data for one or more specified purposes, except where EU or Member State law provides that the data subject cannot waive consent at all.

The processing of the above sensitive/special category of data is also permitted in the health context where

  • processing relates to personal data which are manifestly made public by the data subject;
  • processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of EU or national law or pursuant to contract with a health professional and subject to the below conditions and the required safeguards.
  • processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of EU or national law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;

Health; Processing without Consent

The issue of consent in the sphere of health information is particularly sensitive.  The criteria for processing health data, which is “sensitive personal data” are stricter.

To the extent strictly necessary, processing to protect the health of a person is usually permitted, notwithstanding that there is no consent and that it may be contrary to their wishes.  Processing without consent may be justified by public health considerations where it is an objective necessity.

Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters.


Vital Interests

The processing of personal data is permitted where it is necessary to protect the vital interests of the data subject or of another natural person, where the data subject is physically or legally incapable of giving consent. The processing is regarded as lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another person.

A case of necessity may arise where the data subject cannot be contacted or for some reason, is not in a position to consent. the Consent is not necessary to processing in relation to health data, where it is necessary to prevent injury or the damage the health of the person concerned, serious loss or damage to property or is otherwise necessary in order to protect his vital interests.

Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis.


Processing of sensitive data in health and social sector

Sensitive personal data merit higher protection and may be processed for health-related purposes only where necessary to achieve those purposes for the benefit of persons and society as a whole. This principle applies in particular in the context of the management of health or social care services and systems.

It includes

  • the processing by the management and central national health authorities of such data for the purpose of quality control,
  • management information and the general national and local supervision of the health or social care system,
  • ensuring continuity of health or social care and cross-border healthcare or health security, monitoring and alert purposes, or
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes,

based on EU or national law.

The law must meet an objective of public interest. It may include studies conducted in the public interest in the area of public health.


GDPR and National Law

The GDPR provides for harmonised conditions for the processing of sensitive personal data concerning health, in respect of specific needs, in particular where the processing of such data is carried out for certain health-related purposes by persons subject to a legal obligation of professional secrecy.

EU or national law must provide for specific and suitable measures so as to protect the fundamental rights and the personal data of natural persons.  Member States are allowed to maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health. However, this should not hamper the free flow of personal data within the Union when those conditions apply to the cross-border processing of such data.


Processing of sensitive data in Public Health sector

The processing of sensitive personal data may be necessary for reasons of public interest in the area of public health, without the consent of the data subject. Such processing must be to suitable and specific measures must be taken so as to protect the rights and freedoms of natural persons.

Public health included all elements related to health, including health status, morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality.

Such processing of data concerning health for reasons of public interest should not result in personal data being processed for other purposes by third parties such as employers or insurance and banking companies.


Genetic Testing

Genetic testing is subject to special controls under the Disability Act, 2005.  The Act seeks to safeguard access to employment, insurance and mortgage finance for persons suffering from certain genetic conditions.  Genetic testing is allowed only where permissible by law. They require the prior consent of the person concerned.

Data relating to a living individual, derived from genetic testing of the person may not be processed in relation to employment, other than in very limited circumstance. It is not permissible in relation to life assurance, health insurance, occupational pension or mortgage of a property.


Processing of sensitive personal data re medical assessment

Subject to suitable and specific measures being taken to safeguard the fundamental rights and freedoms of data subjects, the processing of sensitive personal data is lawful where it is necessary—

  • for the purposes of preventative or occupational medicine,
  • for the assessment of the working capacity of an employee,
  • for medical diagnosis,
  • for the provision of medical care, treatment or social care,
  • for the management of health or social care systems and services, or
  • pursuant to a contract with a health professional.

Processing is lawful in accordance with the above provision where it is undertaken by or under the responsibility of a health practitioner, or a person who in the circumstances owes a duty of confidentiality to the data subject that is equivalent to that which would exist if that person were a health practitioner.


Processing of sensitive personal data in the area of public health

Subject to suitable and specific measures to safeguard the fundamental rights and freedoms of data subjects, the processing of sensitive personal data is lawful where it is necessary for public interest reasons in the area of public health including—

  • protecting against serious cross-border threats to health, and
  • ensuring high standards of quality and safety of health care and of medicinal products and medical devices.
  • Processing of sensitive personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

Subject to suitable and specific measures being taken to safeguard the fundamental rights and freedoms of data subjects, respecting the principle of data minimisation, the processing of sensitive personal data is lawful where such processing is necessary and proportionate for—

  • archiving purposes in the public interest,
  • scientific or historical research purposes, or
  • statistical purposes.

References and Sources

Data Protection Act 1988

Data Protection (Amendment) Act 2003

Data Protection Act 2018

Data Protection (Fees) Regulations 1988, S.I. No. 347 of 1988

Data Protection Act 1988 (Commencement) Order 1988, S.I. No. 349 of 1988

Data Protection (Registration Period) Regulations 1988, S.I. No. 350 of 1988

Data Protection (Registration) Regulations 1988, S.I. No. 351 of 1988

Data Protection Act 1988 (Restriction of Section 4) Regulations 1989, S.I. No. 81 of 1989

Data Protection (Access Modification) (Health) Regulations 1989, S.I. No. 82 of 1989

Data Protection (Access Modification) (Social Work) Regulations 1989, S.I. No. 83 of 1989

Data Protection Act 1988 (Section 5 (1) (D)) (Specification) Regulations 1993, S.I. No. 95 of 1993

Data Protection Commissioner Superannuation Scheme 1993, S.I. No. 141 of 1993

Data Protection Act 1988 (Section 16(1)) Regulations 2007, S.I. No. 657 of 2007

Data Protection (Fees) Regulations 2007, S.I. No. 658 of 2007

Data Protection (Processing of Genetic Data) Regulations 2007, S.I. No. 687 of 2007

Data Protection (Processing of Genetic Data) Regulations 2007, S.I. No. 687 of 2007

Data Protection Act 1988 (Section 5(1)(D)) (Specification) Regulations 2009, S.I. No. 421 of 2009

Data Protection Act 1988 (Section 2B) Regulations 2011, S.I. No.486 of 2011

Data Protection Act 1988 (Section 2B) Regulations 2012, S.I. No.209 of 2012

Data Protection Act 1988 (Section 2A) Regulations 2013, S.I. No.313 of 2013

Data Protection Act 1988 (Commencement) Order 2014, Sino. 337 of 2014

Data Protection Act 1988 (Section 2B) Regulations 2015, S.I. No.240 of 2015

Data Protection Act 1988 (Section 2A) Regulations 2016, S.I. No.220 of 2016

Data Protection Act 1988 (Section 2B) Regulations 2016, S.I. No.426 of 2016

Data Protection Act 1988 (Section 2B) (No. 2) Regulations 2016, S.I. No. 427 of 2016

Data Protection (Amendment) Act 2003 (Commencement)Order 2003, S.I. No. 207 of 2003

Data Protection (Amendment) Act 2003 (Commencement) Order 2007, S.I. No. 656 of 2007

Data Protection (Amendment) Act 2003 (Commencement) Order 2014

EU Legislation

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance)

Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA

Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data

Irish Books

EU Data Protection Law Kelleher & Murray           2018

Information & Technology Communications Law Kennedy & Murphy         2017

Social Networking           Lambert               2014

Law Society PPG Hyland Technology & Intellectual Property Law                 2008

Information Technology Law in Ireland   2 Kelleher & Murray       2007

Data Protection Law in Ireland: Sources & Issues 2 Lambert 2016

Privacy & Data Protection Law in Ireland                Kelleher               2015

Data Protection: A Practical Guide to Irish & EU Law         Carey    2010

Practical Guide to Data Protection Law in Ireland A&L Goodbody 2003

EU and UK Texts

Information Technology and Intellectual Property Law 7th ed 2018 Bainbridge 2018

Guide to the General Data Protection Regulation and the UK Data Protection Act 2nd ed

Rosemary Jay 2018

Government and Information: The Law Relating to Access, Disclosure and Their Regulation 5th ed

Patrick Birkinshaw, Mike Varney 2018

Commentary on the EU General Data Protection Regulation Christopher Kuner, Lee A. Bygrave, Christopher Docksey 2018

A User’s Guide to Data Protection: Law and Policy A User’s Guide to Data Protection: Law and Policy 3rd ed Paul Lambert 2018

Protecting Individuals Against the Negative Impact of Big Data: Potential and Limitations of the Privacy and Data Protection Law Approach Manon Oostveen July 2018

Information Exchange and EU Law Enforcement Information Exchange and EU Law Enforcement Anna Fiodorova 2018

Data Privacy and Cybersecurity: A Practical Guide Rafi Azim-Khan 2018

The General Data Protection Regulations (GDPR): How to get GDPR consent Simon McNidder 2018

The Cambridge Handbook of Consumer Privacy Edited by: Evan Selinger, Jules Polonetsky, Omar Tene 2018

Data Protection: A Practical Guide to UK and EU Law Data Protection: A Practical Guide to UK and EU Law 5th ed Peter Carey 2018

The EU General Data Protection Regulation (GDPR): A Commentary Lukas Feiler, Nikolaus Forgo, Michaela Weigln 2018

A Practical Guide to the General Data Protection Regulation (GDPR) Keith Markham 2018

EU Data Protection Law EU Data Protection Law Denis Kelleher, Karen Murray 2018

New European General Data Protection Regulation: A Practitioner’s Guide Edited by: Daniel Rucker, Tobias Kugler 2017

Encyclopaedia of Data Protection and Privacy Annual Subscription Rosemary Jay, Hazel Grant, Sue Cullen, Timothy Pitt-Payne 2017

Determann’s Field Guide to International Data Privacy Law Compliance 3rd ed 2017

The EU General Data Protection Regulation (GDPR): A Practical Guide Paul Voigt, Axel von dem Bussche 2017

EU General Data Protection Regulation (GDPR) – An Implementation and Compliance Guide Alan Calder, Richard Campo, Adrian Ross 2017

Privacy, Data Protection and Cybersecurity in Europe Privacy, Data Protection and Cybersecurity in Europe Edited by:  Wolf J. Schunemann, Max-Otto Baumann 2017

Guide to the General Data Protection Regulation: A Companion to the 4th ed of Data Protection Law and Practice Rosemary Jay 2017

Post-Reform Personal Data Protection in the European Union: General Data Protection Regulation (EU) 2016/679 Post-Reform Personal Data Protection in the European Union: General Data Protection Regulation (EU) 2016/679 Mariusz Krzysztofek 2016

Privacy and Legal Issues in Cloud Computing Privacy and Legal Issues in Cloud Computing Edited by: A. S. Y. Cheung, R. H. Weber 2016

EU General Data Protection Regulation (GDPR) – An Implementation and Compliance Alan Calder, Richard Campo, Adrian Ross 2016

Data Protection and Privacy: International Series Data Protection and Privacy: International Series 3rd ed Edited by: Monika Kuschewsky 2016

Data Protection: The New Rules Ian Long 2016

A User’s Guide to Data Protection A User’s Guide to Data Protection 2nd ed Paul Lambert 2016

The Foundations of EU Data Protection Law Orla Lynskey 2015

Privacy and Legal Issues in Cloud Computing Privacy and Legal Issues in Cloud Computing Edited by: A. S. Y. Cheung, R. H. Weber 2015

Data Protection: A Practical Guide to UK and EU Law Data Protection: A Practical Guide to UK and EU Law 4th ed Peter Carey 2015

Data Protection: Law and Practice 4th ed with 1st Supplement Data Protection: Law and Practice 4th ed with 1st Supplement Rosemary Jay 2014

Information Rights: Law and Practice Information Rights: Law and Practice 4th ed Philip Coppel 2014

Cloud Computing Law Christopher Millard 2013

Transborder Data Flow Regulation and Data Privacy Law (eBook) Christopher Kuner 2013

Consent in European Data Protection Law Consent in European Data Protection Law Eleni Kosta 2013

A User’s Guide to Data Protection A User’s Guide to Data Protection Paul Lambert 2013

Confidentiality (Book & eBook Pack) Confidentiality 3rd ed The Hon Mr Justice Toulson, Charles Phipps 2012

Binding Corporate Rules: Corporate Self-Regulation of Global Data Lokke Moerel 2012

Property Rights in Personal Data: A European Perspective Property Rights in Personal Data: A European Perspective Nadezhda Purtova 2011

Global Employee Privacy and Data Security Law 2nd ed Morrison & Foerster LLP 2011

Computers, Privacy and Data Protection: An Element of Choice Computers, Privacy and Data Protection: An Element of Choice Edited by: S. Gutwirth, Y. Poullet, P. De Hert, R. Leenes 2011

Information Rights: Law and Practice Information Rights: Law and Practice 3rd ed Philip Coppel 2010

Data Protection: Legal Compliance and Good Practice for Employers Data Protection: 2ed Lynda Macdonald 2008