An update on privacy regulator guidance for life sciences and healthcare in light of COVID-19 (May 2020)
Health data processing is among the top issues in the COVID-19 crisis. The European Commission, the EDPB and many national regulators, including the DSK, have recently published guidance on the use of personal data in the fight against coronavirus. This comes as no surprise. Healthcare and life sciences has long been one of the areas receiving the closest attention from privacy watchdogs. The GDPR, which has applied since 25 May 2018, places particular scrutiny on these industries because health data is a special category of personal data that is especially sensitive and requires comprehensive protection.
EU Regulators and their focus on Life Sciences and Healthcare
EU regulators have issued many statements and guidance documents to help with GDPR compliance when processing health data. Data protection law is also a hot topic of debate in the current global pandemic, especially with regard to mobile apps that trace contacts of infected persons. This touches on the lawful processing of telecommunications data but can have further implications, such as issues concerning employee personal data. We have provided a comprehensive overview of the European regulators’ views on data protection and COVID-19 in a separate article available here. We highlight some further details below.
GDPR compliance in times of the COVID-19 outbreak
Authorities have stressed that compliance with data protection law remains of particular importance and that the high level of protection across the EU must be maintained during the COVID-19 healthcare crisis. Regulators acknowledge that the same issues recur across the many pandemic-related processing activities: the lawful basis for processing, data security and data subject rights. For this reason, various governmental bodies and regulatory authorities in the EU and Germany have published guidelines on compliance with data protection rules. Some examples:
- On 16 April 2020, the European Commission published guidance on data protection in the development of new apps that support the fight against coronavirus. On 8 April 2020, the European Commission had already recommended steps and measures towards a common EU approach for the use of mobile applications and mobile data in response to the coronavirus pandemic. The Recommendation sets out a process by which the Commission and the Member States adopt a toolbox, with a focus on
- the use of mobile apps that will empower citizens to be more effective with social distancing by way of warning, preventing and contact tracing, and
- a common approach for modelling and predicting the evolution of the virus through anonymised and aggregated mobile location data.
The recent guidance stresses all elements necessary for a trustworthy and accountable use of apps against the coronavirus. This is notable in light of earlier national and EU agency guidance: so far, regulators have been sceptical and quite conservative in their statements around the use of mobile location and health app data. The European Commission’s guidance addresses in particular the role of national health authorities (or entities carrying out tasks in the public interest in the field of health) as data controllers, the requirement that the data subject must at all times remain in control, and the legal basis for processing. The level of detail of the guidance with regard to the use of location data and other features of mobile apps is remarkable.
- On 22 April 2020, the European Data Protection Board (EDPB), the body composed of representatives of the national data protection authorities and the European Data Protection Supervisor, issued statements on the processing of personal data in the context of COVID-19. In particular, the EDPB adopted Guidelines 04/2020 on the use of location data and contact tracing tools to monitor, contain or mitigate the spread of the coronavirus. The EDPB points out that location data collected through individuals’ mobility traces tends to be highly correlated and unique and, as a result, is unlikely to be anonymous even after pseudonymisation or aggregation. Moreover, in Guidelines 03/2020 the EDPB addresses the use of health data for scientific research purposes, including aspects such as “secondary use” and the extent to which consent can be freely given in the context of clinical studies. The EDPB had also provided earlier guidance on how employers should handle the health data of employees.
- The European Data Protection Supervisor (EDPS), the European Union’s independent data protection authority for the EU institutions, had previously commented on the use of telecommunications providers’ data to track the spread of COVID-19. The EDPS stresses that the particularly relevant factors in the use of such technology are anonymisation, data security, control over data access and data retention.
- The German conference of the Federal and State data protection authorities (DSK) summarised the most important data protection principles in the fight against the pandemic early on. In particular, the DSK highlights the conditions for the lawful processing of personal data. Among other things, it doubts whether measures that use telecommunications traffic data to trace individual chains of infection are compliant with the GDPR’s requirements. It also emphasises the need for appropriate safeguards for the protection of data subjects, particularly in the case of health data.
- In addition, the regulators of various German Federal States have also provided guidance on compliance with data protection during the COVID-19 crisis, e.g. Bavaria, Saxony, North Rhine-Westphalia, Baden-Württemberg and Hamburg.
Apart from this Coronavirus-specific guidance, there is of course plenty of other regulatory input specifically with a focus on healthcare and life sciences.
German regulator guidance on health data
Regulators in Germany have issued over 20 decisions or guidance papers on life sciences and healthcare services, but there are still unanswered questions in all areas where medical or other health data is processed. Digital health services and software based on Big Data and Artificial Intelligence have attracted the most attention. A recurring theme from regulators is that, despite some effort to adapt to the new regime under the GDPR, the level of data protection in this area is still lacking.
GDPR compliance for app providers within hospitals and related services
Mobile health services are of particular concern to regulators. The DSK published a white paper on state-of-the-art technical and organisational measures and issued guidance on the use of websites and messaging apps that process personal data. Recently, the German Federal Office for Information Security (BSI) published guidance on security requirements for health apps.
These documents emphasise the high risk of abuse of personal data, especially when sensitive health information is used for diagnostic purposes, including psychiatric or physical screening. The DSK recommends obtaining the express consent of patients before transferring health data to third parties and implementing security measures that minimise the risk of breaches.
In another guidance paper aimed at clinics and hospitals, the DSK pointed out that the GDPR and the additional requirements under national law apply regardless of the size of the service provider. Doctors, pharmacists and related professions were specifically addressed in regulatory statements on whether small medical practices must appoint a data protection officer. There were also numerous statements by State regulators on other specific questions. Finally, many regulators are calling for the web analytics and other tracking tools used by health app providers to be made subject to prior explicit consent.
Statements and guidelines by German agencies
German governmental agencies have addressed the data protection requirements for health service providers by way of specific guidelines. The Guidelines on the Protection of Health Data issued by the German Federal Ministry for Economic Affairs and Energy (BMWi) are particularly interesting. They aim to provide an introduction to the GDPR’s requirements for developers and suppliers of digital health products, and they outline the impact of the GDPR on key issues in specific areas, for example automated decision-making, big data applications and the development of apps.
Enforcement and fines
In terms of enforcement, the most recent fine in this space issued in Germany concerned a patient mix-up at the time of admission. The mix-up resulted in incorrect invoicing and revealed structural technical and organisational deficits in the hospital’s patient and privacy management.
Violations of data protection law in the healthcare and life sciences sector are also being rigorously pursued in other member states. For example, the Spanish Data Protection Authority (AEPD) imposed a fine because a patient’s consent was to be inferred from his inactivity when filling in a form containing a checkbox at the time of his admission to hospital. In the Netherlands, the Dutch Data Protection Authority (AP) imposed a fine on a hospital for inadequate internal security of patient records: dozens of hospital staff had accessed the medical records of a well-known Dutch person without any need to do so. The Italian Data Protection Authority (Garante) also intervened because unauthorised persons, namely a trainee and a radiologist, had access to health data in a hospital.
It is not all about fines though. Regulators are increasingly “naming and shaming” as part of their enforcement strategy, realising that the threat of reputational damage can be as much of a compliance incentive as the threat of financial penalties.
The regulatory landscape is by no means complete. As the market and the technology develop, businesses will look to regulators to provide coherent and comprehensive guidance in what is, by definition, a complex space for data compliance. Beyond the COVID-19 issues lies a world of risks that companies must address early on. This is of utmost importance for the successful development, distribution and use of their products and services in the life sciences and healthcare sectors. The GDPR and national laws require compliance to be tackled as a first step, especially because of principles such as data protection by design and by default (Article 25 GDPR), which must be built in from the outset rather than retrofitted.