The European Data Protection Board (hereinafter the 'EDPB') adopted guidelines on the processing of health data for research purposes in the context of the Covid-19 outbreak as well as Guidelines on geolocation and other tracing tools in the context of the Covid-19 outbreak on the 21st April 2020. The latter guidelines shall be the subject of a second article to be published on the 23rd April 2020. This first article discusses the main points put forward by the EDPB in the guidelines on the processing of health data for research purposes.
Guidelines 03/2020 on the processing of health data for research purposes in the context of Covid-19 outbreak
The EDPB provided clarification as to the sources from which data concerning health can originate, giving this term a more practical feel, including therein data that is cross referenced with other data thus revealing state of health, as well as data because of its usage in a specific context (such as information relating to a presence in a region affected with Covid-19 processed by a medical professional to make a diagnosis).
The EDPB also expanded on the distinction between scientific research based on primary or secondary usage of health data (further processing), highlighting how the difference between the two instances causes variations in the relevant legal basis on which the processing is based as well as which other obligations apply to the controller, depending on the instance. The authority noted that "there is no ranking between the legal bases stipulated in the GDPR", however it provided clarification on the consequences of relying on consent as the relevant legal basis, particularly on the conditions of explicit consent as well as the existence of the data subject's right of withdrawal of consent, the occurrence of which halts processing operations and could also lead to complete deletion of data.
The Guidelines also shed light on how the processing of health data for scientific purposes relates to the data controller's information obligations, with specific emphasis being made in relation to the exemptions contained within Article 14 of the GDPR, particularly where informing the data subject proves impossible or would involve a disproportionate effort.
Reference was also made to national legislations and how the conditions and the extent for such processing vary depending on the enacted laws of the Member State. In this regard, it is noteworthy to mention the Article 7 of the Chapter 586 of the Laws of Malta, which sets out the required consultation and prior authorisations that a data controller who intends to process data relating to health in the public interest and for research purposes, must obtain from the Information and Data Protection Commissioner of Malta. The article continues to stipulate that the latter Commissioner shall consult a research ethics committee or of any institution recognised by the Commissioner where the health data is required to be processed for research purposes. Read in conjunction with the preceding Article 6, in such a case, the data controller may also derogate from certain provisions of the GDPR relating specifically to the exercise of data subject rights in certain situations.
The EDPB stipulated that that besides compliance with the purpose limitation and the data minimisation principles, it is of utmost importance that the principle of integrity and confidentiality is complied with, especially in light of the fact that the covid-19 outbreak increases the number and type of entities that process health data, especially in secondary usage. Implementing appropriate technical and organizational measures, such as pseudonymisation and appointing data protection officers, is therefore crucial and any measures which are adopted must be properly documented.
The Guidelines also consider international data transfers for scientific research, with the EDPB stating that "[t]he COVID-19 pandemic causes an exceptional sanitary crisis of an unprecedented nature and sale. In this context, the EDPB considers that the fight against COVID-19 has been recognised by the EU and most of its Member States as an important public interest, which may require urgent action in the field of scientific research (for example to identify treatments and/or develop vaccines), and may also involve transfers to third countries or international organisations". This unprecedented situation has thus led to a situation where the EDPB also recognizes the possibility of private entities relying on the derogation to the rules on data transfer, wherein the transfer is necessary for important reasons of public interest (Article 49 of the GDPR). Emphasis is however made on the exceptional character of such derogations.
The full text of Guidelines 03/2020 can be found here: https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-032020-processing-data-concerning-health-purpose_en
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.