Apr 18, 2020

A GDPR perspective: Health data in light of COVID-19

The severe acute respiratory syndrome coronavirus 2 (SARS-CoV-2), which causes coronavirus disease 2019 (COVID-19), is quickly changing the world, including how health data relating to a data subject is controlled and processed by governments and enterprises. With the number of COVID-19 cases well above 1 million, the well-being and economic future of most countries is uncertain. Therefore, the need to find solutions to contain the spread of COVID-19 is cardinal. Some of these solutions ride on our ability to collect, process and analyse data. However, it is imperative to remember that this exercise can have long-lasting data privacy implications, which we would be well-advised to consider and address now before it is too late. Now more than ever, we need to display a commitment to data protection and not sacrifice it for the sake of efficiency.

Health data constitutes all data pertaining to the health status of a data subject which reveal information relating to the physical or mental health status of the individual, as well as genetic and biometric data. This data is categorised as sensitive personal data, and therefore in Europe enjoys special protection under Article 9(1) of the General Data Protection Regulation (GDPR) and Article 6 of the Council of Europe (CoE) Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data as amended by Protocol (CETS No. 223) (Modernised Convention 108).

The CoE, Committee of Ministers (1997), Recommendation Rec(97)5 to Member States on the Protection of Medical Data, 13 February 1997 (CoE Medical Data Recommendation of 1997) – which is in the process of being revised – applies the principles of Modernised Convention 108 to health data in more detail. The CoE Medical Data Recommendation of 1997 reiterates what is provided in the GDPR and further indicates that health data lawfully processed by healthcare professionals must not be transferred unless sufficient safeguards are provided to prevent disclosure inconsistent with the respect for private life guaranteed under Article 8 of the European Convention on Human Rights. The Medical Data Recommendation of 1997 also proposes detailed regulations for situations where researchers need health data. In such instances, the health data is required to be anonymised or pseudonymised, whichever is most appropriate.

Under ordinary circumstances, health data should be kept private. However, Article 9(2)(h) of the GDPR allows health data to be processed where it is required for the purposes of preventative medicine, medical diagnosis, the provision of care or treatment, or the management of healthcare services. Article 9(2)(i) of the GDPR further addresses the processing of health data where it is necessary for reasons of public interest in the area of public health. This is the case where protection against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices is a priority. The ‘Handbook of European Data Protection Law, 2018 Edition’ by the European Union Agency for Fundamental Rights, the European Court of Human Rights, the Council of Europe and the European Data Protection Supervisor likewise highlights Article 9(2)(h) and (i) as the guiding provisions of the GDPR in respect of permissible processing of health data.

Additionally, this processing is only permissible where it is performed by a healthcare professional subject to an obligation of professional secrecy, or by another person subject to an equivalent obligation. This was espoused by the European Court of Human Rights (the Court) in the Biriuk v Lithuania decision, where it was held that there had been no legitimate interference with Gitana Biriuk’s right to private life when her HIV status was revealed by medical professionals and later published on the front page of Lietuvos Rytas, Lithuania’s biggest daily newspaper, revealing her identity. The decision rested on the value attached to the confidentiality of health data. The disclosure of health data was considered to dramatically affect a person’s private and family life, his or her employment and inclusion in society. The Court further highlighted that the hospital’s medical staff, in providing information about Gitana Biriuk’s HIV status for the report in Lietuvos Rytas, were also in breach of their obligation of professional secrecy.

Despite the above narrow scope for the use of health data, health data has become accessible to private enterprises during the COVID-19 pandemic based on the increase in GNSS (global navigation satellite system) applications in Europe. These applications process personal data about persons who have tested positive for COVID-19, sharing their location to track potential COVID-19 cases and thus minimising exposure of more people to COVID-19. Such applications include by, a.s (in the Czech Republic), StopCovid19 by Webtek, and DiAry by Università di Urbino (both in Italy).

While these services offer obvious advantages in the current situation, they are also a source of concern because they open the door to the exploitation of sensitive personal data for commercial ends if the information collected is not pseudonymised or anonymised and is used for illegitimate purposes. For example, advertising agencies coming across this sensitive personal data may use it to target specific individuals for healthcare and pharmaceutical advertising. Health insurers may similarly exploit this data when processing new policies and claims. However, at least in Europe, there are some regulatory protections. The CoE, Committee of Ministers (2016), Recommendation Rec(2016)8 to Member States on the Processing of Personal Health-related Data for Insurance Purposes, including Data resulting from Genetic Tests, 26 October 2016 (2016 CoE Recommendation on Data Resulting from Genetic Tests) requires insurers to justify the processing of health-related data and to ensure that such use is proportionate to the nature and importance of the risk being considered. Furthermore, the processing of this kind of data is dependent on the data subject’s consent. Insurers are also required to have safeguards in place for the storage of health-related data. The question is how the same type of data will be treated in other places that may not have such robust safeguards.

On 10 April 2014, the European Commission published a Green Paper on Mobile Health (mHealth), an emerging and rapidly growing field that has the potential to transform healthcare and increase its efficiency and quality. The Green Paper on mHealth adopts the definition given by the World Health Organisation (WHO) which defines mHealth to include medical and public health practice supported by mobile devices, personal digital assistants and other wireless devices, as well as applications that may connect to medical devices or sensors. Additionally, the Green Paper on mHealth outlines the risks to personal data privacy and suggests that, given the sensitive nature of health data, the development should contain specific and suitable security safeguards for patient data, such as encryption, and appropriate patient authentication mechanisms to mitigate security risks. Furthermore, the Green Paper on mHealth emphasises that compliance with personal data protection rules, including the obligation to provide information to the data subject, data security and the principle of lawful processing of personal data is vital for building trust in mHealth solutions. This is particularly important in the wake of COVID-19 where such solutions are in great demand.

COVID-19 is an extraordinary crisis. It is therefore not surprising that governments want to take every measure possible to contain it. Keeping close surveillance on health data is arguably an effective tool for containment. For example, it allows for the collection of real-time data about the geographic distribution and health status of both quarantined and infected patients. This may reveal critical insights about the effectiveness of preventive health measures. However, this surveillance has significant data privacy implications. The sensitive personal data being collected is not exclusive to public health organisations and governments. Some of this sensitive personal data is being accessed by surveillance technology enterprises and mobile application developers. For example, the Corona 100m application enables one to access data relating to the date when a COVID-19 patient was infected, his or her nationality, gender, age and the locations they visited. Others are providing governments with advanced tracking capabilities to help authorities enforce quarantines. Furthermore, there have been developments in facial recognition technology linked with biometric databases and integrated with digital thermometers to help capture the identity of individuals with a fever. These are all obvious tools in the fight to contain COVID-19, but at what cost?

Additionally, as scientists around the world labour tirelessly to develop a viable vaccine, coordinated data-sharing has become an essential tool in the ongoing fight against COVID-19. This has led to a rise in the use of open-source applications, whose source code is accessible to everyone, like Nextstrain, and of Gisaid, a platform for sharing genomic data, to help researchers track and study the evolution of COVID-19. Open-source applications like Nextstrain are useful as they make it easy for information to flow between governments and enterprises, who can then replicate the same information, thus enhancing collaboration. As a result of their ease of use and access to everyone, open-source applications may fall short in respect of data protection as they become easy targets for malicious cyber-attacks which may result in the retrieval of sensitive personal data from vulnerable systems.

The government’s or enterprise’s duty to ensure data security is provided in Article 32(1) and (2) of the GDPR which requires that processing systems ensure confidentiality as well as obtain the appropriate level of security depending on the risks presented by unauthorised access to personal data transmitted, stored or otherwise processed on the respective systems. In the infamous Equifax breach of 2017, the importance of data security when it comes to open-source applications came into play. The Federal Trade Commission of the United States of America (FTC) revealed that the personal information of 147 million people (including personal information relating to Europeans) was exposed because of the vulnerabilities of the Equifax open-source application.

Furthermore, clinical trials will in the coming months be on the rise. These trials will involve assessing the effects of potential vaccines on persons in documented research environments and will also have considerable data protection implications. These clinical trials are regulated by Regulation (EU) No.536/2014 of the European Parliament and of the Council of 16 April 2014 on Clinical Trials on Medicinal Products for Human Use, repealing Directive 2001/20/EC (Clinical Trials Regulation). The GDPR specifies that for the purposes of consenting to participation in scientific research activities in clinical trials, the Clinical Trials Regulation is applicable. The Clinical Trials Regulation provides in its recital that in respect to a clinical trial, “… the rights, safety, dignity and well-being of subjects should be protected and the data generated should be reliable and robust. The interests of the subjects should always take priority over all other interests”. The clinical trial subject therefore remains at the centre of the clinical trial and this should hold true even during pandemics.

The Clinical Trials Regulation also provides that in order to avoid administrative delays when it comes to starting clinical trials, given the importance of speed as with COVID-19, the procedure to be used should be flexible and efficient, without compromising patient safety or public health. The requirement under the Clinical Trials Regulation that an appropriately qualified medical doctor be responsible for the medical care of the subject should also not be compromised, and this should hold true for COVID-19. In respect of the requirement of consent by the clinical trial subject, the Clinical Trials Regulation requires that consent be granted in writing and, when this is not possible, through an audio or video recording granting consent. With the need to expedite clinical trials for COVID-19, it is important that the rights of clinical trial subjects remain important to governments and privately-owned research agencies and that the necessary steps be taken to ensure that their rights are upheld.

Companies seeking to control and process sensitive data of any kind, and perhaps leverage it for future commercial gain, will be restricted by data privacy regulations such as the GDPR. However, as an anticipatory measure, innovations in Privacy-Enhancing Technology (PET), making use of advanced cryptographic, pseudonymising and anonymising techniques, will be most valuable. If implemented properly, PET can empower, rather than constrain, governments and enterprises. It can help them safely leverage third-party data and stay competitive without putting users' sensitive personal data at risk. This new category of privacy technology, as highlighted by the World Economic Forum, enables businesses to leverage insights derived from third-party private data without revealing confidential information that cannot and should not be shared for ethical, legal or business reasons.

Amidst uncertainty and with governments and enterprises exploring data-driven solutions to curb a global health pandemic, it is important to emphasise the use of methods that protect sensitive personal data such as health data. Now more than ever we need to display a commitment to data protection and not sacrifice it at the altar of efficiency and an 'end justifies the means' mentality. Privacy technologies must therefore be the forerunners in ensuring that in the quest of ensuring containment and collaboration in light of COVID-19, data is protected. A day will dawn when COVID-19 will be behind us. Will the actions we will have taken to get there guarantee us a robust respect for data protection or will we have to pick up the post-dystopian pieces when it is already too late?


This article was written by Jade Makory