The Importance of Protecting Data in the Health Sector

Digital transformation is a reality in all areas. Technologies open up a broad set of opportunities to satisfy diverse needs, optimizing available resources and reducing the risks associated with their use. The health sector is one of the sectors that must take the greatest care in the processing of personal data, ensuring the privacy of patient data. With the entry into force of the new GDPR, the importance of protecting data in the health sector is even more evident. In this article we discuss the main implications of processing personal data in the health sector.

What are health-related data?

Health data are personal data relating to the physical or mental health of a natural person, including the provision of health services, which disclose information about his or her health status. Health information covers all types of data directly or indirectly linked to present or future health, including clinical data recorded at health facilities (e.g. the clinical process or any clinical records), clinical and family history, analyses and other examinations, interventions, diagnoses and treatments. Health information belongs to the person to whom it relates.

Can the user consult their health data?

Yes. All users have the right to become aware of all health information that concerns them, except in exceptional circumstances where it is unequivocally demonstrated that access to such information could seriously impair their health. In these situations, each case is evaluated individually.

Can other people consult my health data?

A third person may have access to a user's health information in the following cases:

  • with the user's written authorization; or
  • if they demonstrate, reasonably, that they have a direct, personal and legitimate interest justifying access to the information, in accordance with the law.

How must the data subject consent to the processing of their data?

Consent for the processing of personal data must be given in a free, specific, informed, explicit and unambiguous way, by which the data subject (user, citizen, collaborator, among others) allows personal data concerning him or her to be processed. The Regulation creates additional barriers to current data collection and processing practices in Portugal and the European Union by introducing stricter rules for companies with regard to consent for the collection and processing of personal data. Companies have to consider establishing a contract with the data subject, complying with legal obligations and defending the vital interests of the data subject. With the new Regulation, a contact from a business card, for example, cannot be included in any database without the explicit consent of its owner. In practical terms, the use of pre-ticked boxes, the absence of a response, inactivity and consent buried in terms and conditions will no longer be allowed, as none of these means is considered a means of demonstrating compliance with the consent requirements of the new Regulation.

When is the Data Protection Officer mandatory in the health sector?

This role (also known as the DPO, Data Protection Officer) plays an essential part in the transition period from the old law to the new legislation. The appointment of a DPO is mandatory in the following cases: (1) whenever the processing of the data takes place in a public entity; (2) where there is constant monitoring of people on a large scale; (3) whenever there is large-scale processing of sensitive data. That is, the DPO is an obligatory role in public health institutions.

About the author

Marketing administrator