Health data are special because they qualify as sensitive data. They are subject to special protection under legislation (the GDPR, the public health code, data protection law, and so on) in order to guarantee respect for privacy.
What is health data?
The GDPR, which entered into force on 25 May 2018, gives a broad definition of them.
What kind of definition does the GDPR give?
Data concerning health means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
This definition includes for example:
– information about the natural person collected in the course of the registration for, or the provision of, health care services to that natural person; a number, symbol or particular assigned to a natural person to uniquely identify the natural person for health purposes;
– information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples;
– information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test.
This definition includes some measurement data from which it is possible to deduce information on the health status of the person.
What impact does this have in practice?
The concept of health data is now broad. It should be assessed on a case-by-case basis, taking into account the nature of the data collected.
We have three categories of data that fall under this concept:
– those called “health data” as such: medical history, a disease, care services provided, examination results, treatment, disability, etc.;
– those that become health data because they are cross-referenced with other data, allowing a conclusion to be drawn on a person’s state of health or health risk: cross-referencing a weight measurement with other data (number of steps, measurement of caloric intake, etc.), cross-referencing blood pressure with a stress measurement, etc.;
– those which become health data because of their intended purpose, namely their medical use.
Note: The law does not apply to processing that includes health data for the exclusive use of the person concerned. For example, the law does not apply to mobile healthcare applications whose functionality offers the collection, recording or storage of data, provided that these operations are performed locally on a computer, a smartphone or a tablet, without an external connection and for exclusively personal purposes.
Data from which no conclusion can be drawn about the medical condition of the data subject do not fall under the health data definition (for example, an app that records the number of steps taken during a walk without cross-referencing these data with others).
Once health data have been identified, the legal framework appropriate to the sensitivity of the data must be applied. The following list provides an overview of the different applicable laws (this list is not exhaustive; a case-by-case analysis is necessary):
- Data Protection Act (Art. 8 and Chapter IX);
- secrecy provisions (Art. L. 1110-4 of the CSP);
- provisions on safety and interoperability standards for health data (Art. L. 1110-4-1 of the CSP);
- provisions on the hosting of health data (Art. L. 1111-8 and R. 1111-8-8 et seq. of the CSP);
- provisions on the provision of health data (Art. 1460-1 et seq. of the CSP);
- prohibition of the transfer or commercial exploitation of health data (Art. L. 1111-8 of the CSP, Art. L. 4113-7 of the CSP) …
Questions/Answers
Are the data collected outside a medical context (number of steps, weight, daily activity, etc.) through self-measuring instruments (watches, connected wristbands, mobile applications, etc.) health data?
It depends, on the one hand, on the nature of the data (excessive weight may reveal obesity) and, on the other hand, on whether these data are cross-referenced with other data, thereby revealing information on the health status of the person.
Is disability information contained in a processing operation health data?
Yes. As a reminder, a disability is any limitation of activity or restriction of participation in life in society suffered by a person in his or her environment as a result of a substantial, lasting or definitive alteration of one or more physical, sensory, mental, cognitive or psychological functions, of multiple disabilities or of a disabling health disorder (Art. L. 114 of the Code of Social and Family Action).
Is information on a disability rate contained in a processing operation health data?
Yes, if the disability rate reveals that the person has a disability within the meaning of Article L. 114 of the Code of Social and Family Action.
Is information on care in a care facility, contained in a processing operation, health data?
Information on care in a care facility contained in a processing operation constitutes health data, as it provides an indication of the state of health (e.g., hospitalisation in a specialised institution or hospital service).
Is the CCAM (Common Classification of Medical Acts) coding health data?
Yes, if the information resulting from this coding leads to the delivery of information on the state of health or treatment related to a particular disease.
Is the registration number in the National Register of Natural Persons (NIR) health data?
No, the NIR is not health data, even if it is used as a national health identifier.
Is fitness to practise a sport health data?
No, fitness to practise a sport is not in itself health data. However, if it is associated and/or cross-referenced with other information, such as the circumstances in which the certificate was issued, it is considered health data. Unfitness to practise a sport is health data.
TO KEEP IN MIND:
The health data concept is defined by European legislation. It includes not only data collected and produced as part of the care process, but also data from other sectors (for example, data collected by application developers) that give information about a person’s medical condition.
The GDPR applies to the health system. In particular, it pursues the objectives of strengthening the rights of individuals and making stakeholders accountable.
Processing of health data: how to inform the persons concerned?
Persons whose health data are collected have rights, including the right to be informed. They may be patients, people involved in research, etc. This information allows them to keep control of the data concerning them. It is an obligation under the GDPR.
Who provides this information?
The data controller must take appropriate measures to inform data subjects.
In the health sector, many actors are involved in care: health workers, care facilities, providers of technical solutions, etc.
In practice, the operational actors (in particular health professionals) act in the name and on behalf of the data controller (health institution, care service, etc.), who provides the information.
What are the characteristics of the information?
The information shall be provided in a concise, transparent, comprehensible and easily accessible manner. It must be accessible to the general public.
To meet this requirement, start with the basics by including all the mandatory information in the information document. It is also recommended to work on the medium so as to make the information as intelligible as possible. For example, the person’s understanding can be helped by the use of pictograms, by highlighting essential information in written documents (e.g. welcome booklet, written information documents given to patients) or by the use of videos (e.g. videos shown in waiting rooms), etc.
The information must be adapted to the person’s pathology and age and to the circumstances of the data collection. In particular, information shall be provided specifically for minors. Similarly, targeted information should be provided to vulnerable people (e.g. the elderly, patients with cognitive disorders, etc.).
What is the content of the information?
The content of the information to be provided varies according to two cases: whether the health data were collected directly from the person concerned or not (indirect collection of data).
There are cases in which the data controller may be exonerated from informing the data subject. Cases of exemption depend on whether health data were collected directly from the person concerned or indirectly.
Questions/Answers
Who should be informed when the data subject is a minor?
The holders of the parental authority shall be informed of the processing of the health data relating to the child. The child also receives specific and adapted information.
Note that, in some cases, specific provisions apply. Examples: Art. L. 1111-5 and L. 1111-5-1 of the Public Health Code on the confidential care of minors (which allow a child, under certain conditions, to object to the holders of parental authority being informed); Art. 58 of the Data Protection Act concerning medical research (which allows a minor aged 15 or over to object, under certain conditions, to the holders of parental authority accessing data concerning him or her collected during research, a study or an evaluation).
What information should be provided about the processing carried out in the context of research?
Reference should be made to the specific provisions of Article 57 of the Data Protection Act. These provisions are intended to evolve within the framework of the future data protection law.
Is information given to the person concerned in the form of a displayed notice sufficient?
Except in situations where there is a legal obligation to inform the person concerned individually (for example, medical research), the person may be informed by means of a displayed notice.
In the case of healthcare facilities, the information may also be provided in the welcome booklet given to patients when they are hospitalised. The notice shall be clearly visible and include all the mandatory information specified above. Individual information is nevertheless to be preferred.
If the interested person has already been informed, should they be informed again?
Yes, in some cases: substantial modification of the processing, transmission of health data from the controller to a recipient, use of health data by the controller for another purpose, etc.
TO KEEP IN MIND:
The GDPR strengthens the right of individuals to information, in particular to its content (contact details of the data protection officer, storage period, etc.). At the same time, this information must be concise, transparent, comprehensible and easily accessible.
It is therefore necessary, in view of 25 May 2018, to identify the various information notices and documents and to verify their compliance with the requirements of the rules on substance (content) and on form (legibility).
SOURCE: FRENCH DATA PROTECTION AUTHORITY – CNIL