“With the development of new technological tools in the health sector the volume of health-related data processed has grown exponentially showing the need for guidance for health administrations and professionals”. This is the sentence with which the Council of Europe presented the guidelines with which it calls on Member States to ensure the processing of health-related data while respecting human rights and, in particular, the right to privacy.
The need for particular recommendations stems from the consideration that health-related data belong to a special category, for which the highest level of protection is essential, given the risk of discrimination that may occur during their processing.
The document, which contains a series of principles useful for protecting personal health data and incorporates the innovations introduced by the Convention 108+, must be transmitted by governments to health care systems and players dealing with health-related data, in particular to health professionals and data protection officers.
The principles which must guide the processing of health data
The first principle refers to the words transparency, legality, equity, explained through the subsequent points which speak of collection for explicit, specific and legitimate purposes. Data processing must be necessary and proportionate to the purpose and must be pursued and carried out “only based on consent given by the data subject”.
Explicit reference is made to the need to adopt appropriate security measures, “taking into account the latest technological developments, the sensitive nature of health data and the assessment of potential risks such as accidental or unauthorized access to personal data or the destruction, loss, use, unavailability, inaccessibility, modification or disclosure”.
Every principle of the guidelines clearly shows the parallelism with the GDPR: protection by design as the guiding principle and then the principles of lawfulness, minimization, proportionality and adequacy which all public or private subjects who deal with health-related data must comply with.
Recommendations for device-collected data
Given their growing circulation, a particular section of the guidelines deals with devices which collect data concerning the health and well-being of the wearer. Health-related data are defined as all those which “can disclose information on the physical or mental status of an individual in relation to his/her health and well-being or which relate to any information concerning his/her health care and social assistance”. For this reason, one of the items of the document states that users of these mobile devices, which involve the processing of their personal data, must have been previously informed about the nature and functioning of the system in order to control their use.
The recommendations also envisage that “the use of mobile devices must be accompanied by specific, customized and cutting-edge security measures which include authentication of the data subject and the encryption of data transmission”. Obviously, those who process data transmitted by mobile devices must comply with the security rules that provide for the confidentiality, integrity and return of data at the request of the data subject.