18. Januar 2019 - Processing of medical data

Data processing in a doctor’s practice


Health data are subject to the requirements that apply to special categories of personal data. That fact alone has given rise to questions that have not yet been fully answered. Doctors’ practices and other healthcare professions now receive information from various data protection supervisory authorities to support them.

(Image caption: In most cases, a treatment contract should form the basis for data processing, not consent. Image: metamorworks / iStock / Getty Images)

The office for data protection and freedom of information in the federal state of Baden-Württemberg (LfDI BW) has released FAQs concerning individual matters from the point of view of the health sector.

The list is being expanded over time and is only roughly ordered. The topics include

  • the question whether consent is required for medical treatment, and
  • the question what the consequences for medical treatment are if a data subject does not consent to processing.

Professional exchange with other doctors

According to the FAQs published by the LfDI BW, doctors may discuss problematic medical cases if professional secrecy is maintained. In addition, they may seek specialist expertise from other colleagues within the scope of treatment.

The treatment contract serves as the legal basis for transfer of personal data (Art. 9 Para. 2 Letter h and Para. 3 in conjunction with Art. 6 Para. 1 Clause 1 Letter b GDPR).

In accordance with Art. 14 Para. 5 Letter d GDPR, the consulted doctor does not have to inform the data subject that he did not gather data directly from him. This is because the transferred personal data are subject to professional secrecy and therefore have to be treated as confidential.

Data protection officer in doctors’ practices

§ 38 Para. 1 of the German Federal Data Protection Act (BDSG) states that there have to be at least ten people “constantly employed in dealing with the processing of personal data” in order for a data protection officer to have to be appointed.

In its information sheet, the Bavarian office for data protection supervision (BayLDA) states that “constantly” means that this is one of the focal points of a person’s activity.

It also provides examples concerning small companies and clubs:

  • neither craftspeople that focus primarily on their craft activities
  • nor trainers within clubs who normally and primarily focus on their training activities

are to be included in the calculation of the 10-person limit.

This is because they only have minor involvement in the automated processing of the personal data of customers or club members.

Another information sheet on data protection officers in the medical environment explains the factual prerequisites for the appointment obligation set out in § 38 Para. 1 BDSG specifically with regard to healthcare professions.

The BayLDA points out that (as always) the data controller him- or herself must also be included in the calculation of the number of people. It also highlights that a dental technician or physiotherapist, for example, is generally not constantly involved in the automated processing of personal data.

Generally, a data protection impact assessment does not have to be carried out for a normal doctor’s practice.

As regards the characteristic of “processing on a large scale”, the supervisory authority refers to the resolution of the Data Protection Conference of 26/04/2018. It also commented on the appointment obligation for doctors’ practices, pharmacies and other members of a healthcare profession.

Accounting via a private accounting centre

Book V of the German Social Code (SGB V) sets out in detail the prerequisites and requirements that apply to accounting via an Association of Statutory Health Insurance Physicians and involvement of the Health Insurers’ Medical Service (MDK). As such, consent from the affected patients is not needed in order for the data to be passed on.

Because these bodies also perform their own tasks, the BayLDA believes that this is not a case of data processing on behalf of a controller.

In terms of assessing involvement of a laboratory from the point of data protection, the BayLDA differentiates between whether the laboratory employs a laboratory physician with whom the patient concludes a contract in accordance with Art. 9 Para. 3 GDPR, or not.

In the first case, consent is not required. If the laboratory does not employ a bearer of professional secrets, consent would be necessary in accordance with Art. 9 Para. 1 Letter a GDPR.

Interestingly, the BayLDA rejects classification as data processing on behalf of a controller in both cases.

This is because the BayLDA believes that data processing on behalf of a controller, from a data protection standpoint, only applies if the focus of the assignment is the processing of personal data.

However, it is advisable that doctors and laboratories enquire if their supervisory authority shares this interpretation.

Ultimately, it would be desirable for the Data Protection Conference to coordinate an opinion on the many arrangements in which data processing is not at least a (core) component of the assignment.

Protection concept for a survey project involving patient data

The office for data protection and freedom of information in the federal state of Mecklenburg-Western Pomerania (LfDI M-V) has compiled a pseudonymisation concept for the project “handling of patient data in the hospitals of Mecklenburg-Western Pomerania” (UPDK).

Alongside an access concept with access rights, the data protection concept involves double pseudonymisation and erasure of the assignment tables of surveyed people held by the involved hospitals. This is intended to guarantee the pseudonymisation and anonymisation of the participants in the UPDK project.
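The double pseudonymisation described above, as an added illustration that is not the LfDI M-V’s concept document or code: each hospital holds the first assignment table, a separate evaluation body holds the second, only the second pseudonym reaches the survey data set, and erasing the hospital’s table removes the only link back to the patient. The `PseudonymStage` class, the patient identifier and the record layout are assumptions.

```python
"""Two-stage pseudonymisation with an erasable assignment table (added example)."""
import secrets
from typing import Dict, Optional


class PseudonymStage:
    """One party holding one assignment table (identifier -> pseudonym)."""

    def __init__(self) -> None:
        self._table: Dict[str, str] = {}

    def pseudonymise(self, identifier: str) -> str:
        # Random tokens rather than a hash of the identifier: a hash could be
        # recomputed from a known list of patient ids, a random token cannot.
        if identifier not in self._table:
            self._table[identifier] = secrets.token_hex(16)
        return self._table[identifier]

    def reidentify(self, pseudonym: str) -> Optional[str]:
        for identifier, candidate in self._table.items():
            if candidate == pseudonym:
                return identifier
        return None

    def erase_table(self) -> None:
        """Erasure of the assignment table, as the concept requires after the survey."""
        self._table.clear()


def build_survey_record(hospital: PseudonymStage, evaluator: PseudonymStage,
                        patient_id: str, payload: dict) -> dict:
    """Hospital applies stage 1, evaluation body stage 2; only stage-2 output is stored."""
    first = hospital.pseudonymise(patient_id)
    second = evaluator.pseudonymise(first)
    return {"pseudonym": second, **payload}


def reidentify(hospital: PseudonymStage, evaluator: PseudonymStage, pseudonym: str) -> Optional[str]:
    """Re-identification needs both tables, applied in reverse order."""
    first = evaluator.reidentify(pseudonym)
    return None if first is None else hospital.reidentify(first)


def demo() -> tuple:
    hospital, evaluator = PseudonymStage(), PseudonymStage()
    # Constructed sample input: a patient id and a survey payload without direct identifiers.
    record = build_survey_record(hospital, evaluator, "PAT-0001", {"ward": "cardiology"})
    before = reidentify(hospital, evaluator, record["pseudonym"])
    hospital.erase_table()
    after = reidentify(hospital, evaluator, record["pseudonym"])
    return before, after
```

Even after the hospital's erasure the evaluation body can still link repeated records of the same participant, which is what keeps the survey data usable while the link to the person is gone.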

In addition, the involved employees of the LfDI M-V are not going to conduct monitoring visits to the involved areas of the hospitals for a period of three years.

The procedure presented here for ensuring anonymisation could also be suitable for other processes outside the medical environment.

Erasure obligations in doctors’ practices

The data erasure requirements set out in Art. 17 GDPR also apply to the processing of health data.

The BayLDA states that, even after the end of a statutory retention period, the entitled party’s interest in storage outweighs the interest in erasure, for example in the case of intolerance of certain medication.

The BayLDA also highlights that the retention period for treatments may be regulated by special law, such as § 630f Para. 3 of the German Civil Code (BGB), which prescribes retention of treatment documentation for 10 years as long as there are no other retention periods set out in other regulations.

Valuable aids

The aids and information sheets that the various supervisory authorities now offer are helpful sources for pressing practical issues. They give the data controller and the data protection officer a sound basis for evaluating data protection.

It is good that supervisory authorities are taking this opportunity to fulfil their role of providing clarity and raising awareness.

Rudi Kramer
Rudi Kramer is an in-house lawyer in Nuremberg and speaker for the initiative “data protection goes to school” of the German Association of Data Protection Officers (BvD).