This sixth and final article of our cloud computing and privacy series (links to our previous articles below) discusses the legal issues related to the processing of sensitive data and the hosting of health data in a cloud environment.
Directive 95/46/EC (the “Data Protection Directive”) provides for a special regime applicable to so-called 'sensitive data'. The rationale behind a reinforced legal regime is the presumption that the misuse of this category of data “could have more severe consequences on the individual's fundamental rights”. For instance, the misuse of health data “may be irreversible and have long-term consequences for the individual as well as his social environment”(1).
Considering that cloud computing services and infrastructures are increasingly being used to store and process personal data of such a sensitive nature, the present article examines how the processing of sensitive data, and in particular health data, is regulated in the EU as well as in certain Key Member States(2). Although this article addresses the issues of electronic health records, it does not examine the specific issues arising from non-privacy requirements, such as those under criminal law, medical ethics, health legislation or patients' rights.
The concept of sensitive (health) data in the EU
Pursuant to Article 8 of the Data Protection Directive, sensitive data concerns "personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and (…) data concerning health or sex life".
As highlighted by the Article 29 Working Party (the “Working Party”) in its Advice Paper on special categories of data (“sensitive data”) of 4 April 2011, Article 8 of the Data Protection Directive has been implemented in similar ways across the EU. However, there are some differences, notably with respect to the categories of sensitive data.
All national data protection laws in the Key Member States include the data listed under Article 8 of the Data Protection Directive. Some Member States have, however, included additional types of data. For instance, focusing on health data, we note that the Czech Data Protection Act explicitly includes genetic and biometric data in the legal definition of sensitive data. Similarly, the Polish Data Protection Act includes genetic code, as well as addictions. A few countries also explicitly provide a more detailed list, such as the United Kingdom, which refers for instance to "physical and mental health".
The Working Party admits that health data represents the most complex area of sensitive data and that it is subject to a great deal of legal uncertainty. Consequently, proposals to create new categories of sensitive data have emerged, notably the idea of adding genetic and biometric data, but also data on minors or on individuals' geo-location. Given the problems that certain categories of sensitive data, and in particular health data, have raised in the national implementation of the Data Protection Directive, the Working Party has encouraged a revision of the current system.
The processing of sensitive data in the EU
As a general rule, the processing of sensitive data is prohibited. However, the Data Protection Directive provides for several strict exceptions allowing the processing of sensitive data:
- The data subject has given his explicit consent to the processing of those data; or
- The processing is necessary for the purposes of carrying out the obligations of the controller in the field of employment law; or
- The processing is necessary to protect the vital interests of the data subject or of another person; or
- The processing is carried out in the course of legitimate activities by a non-profit-seeking body with a political, philosophical, religious or trade-union aim; or
- The processing relates to data which are manifestly made public by the data subject or is necessary for the establishment, exercise or defence of legal claims.
The prohibition also does not apply where processing is required for specific purposes of the health sector(3). Moreover, Article 8(4) of the Data Protection Directive provides for a residual exception for "reasons of substantial public interest (…) either by national law or by decision of the supervisory authority".
The Working Party published a Working Document on 15 February 2007 on the processing of personal data relating to health in electronic health records (“EHR”)(4). It highlights the potential privacy and data protection issues relating to the creation of so-called EHR and notably examines several exceptions allowing for the processing of sensitive data. Since the publication of the Working Document, the EU has adopted the European eHealth Action Plan 2012-2020 on Innovative healthcare for the 21st century. In this context the EU Commission stressed that "Data protection issues also need to be addressed in respect to the use of cloud computing infrastructures and services for health and wellbeing data processing"(5).
In the paragraphs below, we examine in more detail some of the grounds allowing for the processing of sensitive (health) data and the implementation of EHR.
First, on the justification of the processing on the basis of the vital interests of the data subject, the Working Party notes the strict conditions: "the processing must relate to essential individual interests of the data subject or of another person and it must – in the medical context – be necessary for a life-saving treatment in a situation where the data subject is not able to express his intentions". Such exception will therefore apply in very limited cases.
Second, with respect to the processing of medical data by health professionals, the Working Document puts forth the following three cumulative conditions:
- It only covers the processing for the specific purpose of providing health-related services of preventive, diagnostic, therapeutic or after-care nature and for the purpose of the management of these healthcare services; and
- The processing must be "required" for the specific purposes mentioned in the first condition; and
- The processing must be performed by medical or other staff subject to professional (medical) secrecy or an equivalent obligation to secrecy(6).
Given the above strict conditions and their restrictive interpretation, the Working Party has cast doubt on whether such a legal ground is appropriate to legitimise EHR.
Also, in its general advice paper relating to sensitive data, the Working Party highlights that such exception may pose difficulties given that in practice (i) health data are processed for various purposes; (ii) it is often not clear who belongs to the category of "health professionals"; and (iii) there are currently no explicit grounds justifying the processing of sensitive personal data in case of injuries, when health data are transmitted by non-medical personnel.
Third, the Data Protection Directive provides a ground allowing for a high degree of Member States' discretion, i.e. the "substantial public interest", aiming at situations such as public health, social protection, scientific research and government statistics(7). Relying on such exception requires striking a balance between the protection of the data subject’s rights and the legitimate interests of data controllers, third parties and the public interest which may exist. Strict conditions however apply, such as in particular: a special legal basis is required, it must be justified by a substantial public interest, and specific and suitable safeguards must be put in place.
Fourth, Article 8(2)(a) of the Data Protection Directive stipulates that the explicit consent may also serve as a basis permitting the processing of sensitive personal data. Such ground will in all likelihood be the most suitable one to legitimise EHR.
It should be recalled that, in order for consent to be valid, it must be (i) unambiguous; (ii) freely given; (iii) specific; and (iv) informed.
With respect to the second condition, the Working Party, in its Opinion 15/2011 on the definition of consent, has set out several scenarios in the context of EHR:
- In case the creation of the summary record is absolutely voluntary, and the patient will still receive treatment whether or not he or she has consented to the creation of a summary record: the consent is deemed to be freely given because the patient will suffer no disadvantage if consent is not given or is withheld;
- In case there is a moderate financial incentive to choose the e-health record: the consent is deemed to be freely given because the patient refusing the e-health record does not suffer disadvantage (the costs do not change);
- In case patients refusing the e-health system have to pay a substantial extra cost compared to the previous tariff system and the processing of their file is considerably delayed: the consent cannot be deemed to be freely given because it creates a clear disadvantage for those not consenting. Consequently, relying on other legitimate grounds to process sensitive data is necessary.
In addition, consent in the context of sensitive data must be explicit. This notably means, as expressed by the Working Party and some Member States (e.g., Denmark), that opt-out solutions will not be sufficient(4).
The Working Party is of the opinion that such explicit consent does not have to be in writing and can therefore also be given orally. The results of our study, however, qualify that statement. While explicit consent is a requirement across the EU and is stricter than "ordinary" consent, we have noted some discrepancies between the Key Member States.
In addition to providing certain grounds on which sensitive data may be processed under specific circumstances, for instance in the context of healthcare, data protection law in Finland regards express consent as one ground allowing the processing of sensitive data. Although the law does not literally require written consent(8), its preparatory works mention that express consent should usually be given in writing. Further, more specific requirements for processing sensitive data, such as health data, are laid down by special legislation, as also described in this article.
In Poland, consent to the processing of sensitive data must be explicit and in written (hard copy) form in order to be valid. Consent cannot be alleged or presumed on the basis of a declaration of will or other content, and an e-signature or click-to-accept is not sufficient. Pursuant to a judgment of 4 April 2003 (unpublished), all aspects of the explicit consent should be clear at the moment the consent is given.
Requirements are similar in France, where courts have considered that explicit consent is necessarily provided in writing in order to be valid. The French Data Protection Authority ("DPA") had thus initially adopted a strict view of consent for sensitive data processing, specifying that consent should be obtained through a separate consent form. Nevertheless, the French DPA may adopt flexible positions; for instance, in the healthcare sector, the French DPA has deemed valid a consent provided through ticking a box at the bottom of a digital form.
Hosting of health data
In addition to examining the particularities under data protection laws related to the processing of sensitive data, our study on cloud computing has also investigated the potential issues related to the hosting of health data. It revealed that the outsourcing of the hosting activity of such category of data is specifically regulated under the national laws of certain Member States, which ought to be taken into account when considering the adoption of cloud computing services.
More specifically, our study has revealed the particular situation in France. In addition to the French Code of Public Health, the hosting of personal health data is regulated under French law by Act n°2002-303 of 4 March 2002, which aims at protecting the confidentiality, integrity and availability of patients’ data. Pursuant to this Act, such hosting activity can only be implemented by a hosting service provider ("HSP") previously approved by the Shared Healthcare Information Systems Agency ("ASIP"), a department within the Ministry of Health, following a strict accreditation procedure(9).
Pursuant to the French Public Health Code, health professionals, healthcare establishments, and data subjects themselves are under the obligation to use the services of an accredited HSP if: (i) health data is not stored on the health professional’s own information systems; and (ii) health data is collected or produced within the framework of prevention, diagnosis or care activities(10). Said Code further requires the conclusion of a contract between the HSP and the healthcare professional(10). However, the law does not prescribe any particular contractual form but lists the mandatory provisions that must be included.
The use of the health professional card (i.e. “Carte de Professionnel de Santé”) or an equivalent, is mandatory in case of access by healthcare professionals to personal health information stored on electronic supports(11).
A high level of security for interconnections and exchanges must be guaranteed, given the risks involved in transmitting corrupted information or disclosing it to third parties. The National Commission on Informatics and Liberty (“CNIL”) considers that telemedicine devices must guarantee: authentication of health professionals; data confidentiality; encryption of transmitted data; log traceability; data integrity; and secure data archiving. The technologies used in the context of telemedicine (e.g., software) must comply with the interoperability and security frameworks developed by the ASIP. When the processing relies on an authorised hosting service provider, the express consent of the patient to the hosting is required. This consent can be expressed electronically.
As for the situation in Finland, although there is no law governing the hosting of health data specifically, Finnish national law, such as recent regulation on electronic processing of customer data in healthcare, needs to be complied with by any service provider. Also, certain Finnish accreditation procedures must be considered, as well as the sensitivity of the data and secrecy obligations.
First, processing of personal health data by relevant (usually public) entities is subject to relatively strict regulation. For instance, the Act on the Status and Rights of Patients regulates the processing of patient documents and their confidentiality. In addition, public entities are subject to special regulation providing e.g. certain confidentiality and security obligations. As a rule, entities providing healthcare services are responsible for compliance with such regulation also when they decide to outsource the processing of personal health data. Therefore, obligations related to personal health data apply to processors indirectly as specified in the relevant contract. In practice, when outsourcing services, a healthcare unit such as a hospital or a health centre needs to sign a written agreement with the service provider and define the tasks and responsibilities related to data processing as well as confidentiality and secrecy obligations related to patient documents as further described by law.
Second, processors need to pay attention to the recent regulation on the electronic processing of personal health data, which sets requirements for services (ICT systems) used in public and private healthcare. For example, the Act on the Electronic Processing of Customer Data in Social Care and Healthcare (159/2007), updated in 2014, provides, in brief, that the services used in processing healthcare customer data need to fulfil the essential requirements of interoperability, data security, data protection and functionality. Such requirements, as further elaborated by law, need to be taken into account in the design, production and functions of the service. The service needs to be suitable for its purpose and must fulfil the requirements of the law. Its capacity must match what its producer has stated. The requirements need to be fulfilled both when the service is used alone and when it is connected to other systems meant to be connected with it.
Finally, in Poland, there are also no specific regulations on cloud hosting in relation to health data(12). However, the Regulation of the Minister of Health on Types and Scope of Medical Data and Means of its Processing of 21 December 2010, as well as other provisions, in particular regulations on medical documentation, contain inter alia provisions on taking medical documentation outside the health professional's premises (but not on its processing by an entity other than the health professional). The above provisions are the basis for outsourcing medical data.
In addition to the above rules, general rules on professional secrecy apply. Health data protected by professional medical secrecy can be disclosed to a third party for IT purposes by entities which provide medical services in two situations only:
- the data subject has consented to the disclosure of information covered by his or her professional medical secrecy; or
- the statutory provision expressly allows for such disclosure(13).
Currently there is no such statutory provision.
The Inspector General for the Protection of Personal Data (“GIODO”) does not provide any particular official guidelines regarding the outsourcing of personal health data. Generally, since 2011, GIODO has been stressing that IT outsourcing in the medical sector is not allowed due to the lack of clear legal provisions on the disclosure of medical secrets. According to GIODO, entities or persons that provide medical services can outsource services only in limited (undefined) circumstances and only as an exception(14).
The draft "Guidelines on Electronic Medical Records" state that, in the case of outsourcing medical data, it is not sufficient for the IT provider to fulfil the requirements set forth in the various medical data security regulations. It is necessary to prevent the IT provider from having access to the data by using a Public Key Infrastructure, and the data should be encrypted using a Hardware Security Module.
The above uncertainty may change as the Ministry of Health is conducting a public consultation on proposed amendments to several acts, introducing specific exclusions from the professional secrecy.
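As an added illustration (not code from the page, the draft Guidelines or the CoCo Cloud project) of the provider-blind hosting the Polish draft Guidelines describe: each record is encrypted on the institution's side and its data-encryption key is wrapped under a public key whose private half is assumed to live in the institution's HSM, so the hosting provider stores only ciphertext it cannot read. The key pair, the sample record and the function names are assumptions for the demonstration; the AES-GCM construction also gives the confidentiality and integrity properties in the CNIL list above.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// HostedRecord is all the hosting provider ever stores: AES-GCM ciphertext (whose tag
// also protects integrity) plus the per-record DEK wrapped under the institution's
// public key, so only the HSM holding the matching private key can read the record.
type HostedRecord struct {
	Nonce, Ciphertext, WrappedDEK []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal runs on the institution's side before the record is uploaded to the provider.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*HostedRecord, error) {
	buf := make([]byte, 32+12) // fresh 256-bit DEK and 96-bit GCM nonce per record
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	dek, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, nil)
	if err != nil {
		return nil, err
	}
	return &HostedRecord{nonce, gcm.Seal(nil, nonce, plaintext, nil), wrapped}, nil
}

// Open runs only where the private key lives. The provider, holding the record but
// not that key, cannot unwrap the DEK; a tampered record fails the GCM tag check.
func Open(priv *rsa.PrivateKey, rec *HostedRecord) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, rec.WrappedDEK, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, rec.Nonce, rec.Ciphertext, nil)
}

func main() {
	// Assumption: in production this key pair lives in the institution's HSM; it is
	// generated in memory here only so that the example runs stand-alone.
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	rec, _ := Seal(&priv.PublicKey, []byte("constructed sample: patient record 0001"))
	pt, err := Open(priv, rec)
	fmt.Printf("institution reads %q (err=%v)\n", pt, err)
}
```

In the same way, an Open call with any key other than the institution's private key fails at the unwrap step, which is what keeps the provider out of the data.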
The information given in this document concerning technical, legal or professional subject matter is for guidance only and does not constitute legal or professional advice.
This series of articles has been made possible thanks to the CoCo Cloud project (www.coco-cloud.eu) funded under the European Union’s Seventh Framework Programme, and of which Bird & Bird LLP is a partner. Said project aims to establish a platform allowing cloud users to securely and privately share their data in the cloud.
Read our first article entitled "Cloud computing and privacy series: the general legal framework (part 1 of 6)".
Read our second article entitled "Cloud computing and privacy series: the data protection legal framework (part 2 of 6)".
Read our third article entitled "Cloud computing and privacy series: security requirements and guidance (part 3 of 6)".
Read our fourth article entitled "Cloud computing and privacy series: a legal perspective on data anonymisation (part 4 of 6)".
Read our fifth article entitled "Cloud computing and privacy series: security and data breach legal requirements (part 5 of 6)".
(1) Article 29 Working Party Advice Paper on special categories of data (“sensitive data”) of 4 April 2011.
(2) The Multi-Jurisdictional study carried out in the framework of the CoCo Cloud project examined the particularities of national laws on key specific issues in ten selected EU Member States, i.e., Belgium, Czech Republic, Denmark, Finland, France, Germany, Italy, Poland, Spain and the United Kingdom (“Key Member States”).
(3) Article 8(3) Data Protection Directive.
(4) Article 29 Working Party Working Document on the processing of personal data relating to health in electronic health records (EHR) of 15 February 2007.
(5) In a communication of 6 December 2012, the EU Commission outlines the action plan, highlighting some important privacy and data protection aspects. For instance, it recommends that "eHealth and wellbeing ICT initiatives should integrate the principle of privacy by design and by default as well as make use of Privacy Enhancing Technologies (PET's), as foreseen in the proposed Data Protection Regulation".
(6) It should be noted that the meaning of the term "health professional" may differ across the EU.
(7) Recital 34 of the Preamble of the Data Protection Directive.
(8) The Finnish Data Protection Authority issued in July 2010 guidance on consent, available in Finnish and Swedish.
(9) Read our brochure here to learn more about the accreditation procedure.
(10) Article L.1111-8 of the French Public Health Code.
(11) Article R.1110-3 of the French Public Health Code.
(12) It should be noted that the Minister of Health is working on the final version of the "Guidelines, rules and recommendations for service providers in the subject of construction and application of safe processing of electronic medical records" ("Guidelines on electronic medical records"). The Guidelines recognise three models (IaaS, SaaS and PaaS) with a very detailed description of what the service provider and the medical institution should implement, and of how to implement those models in compliance with the law.
(13) Act on Patients’ Rights and the Commissioner for Patients’ Rights of 6 November 2008, the Act on Doctor and Dentist Professions of 5 December 1996 and the Act on Nurse and Midwife Professions of 15 July 2011.
(14) Presented in one of the articles and not in the form of formal guidelines, and not supported with any legal provisions.