SPANISH SUPERVISORY AUTHORITY: The AEPD analyzes for the first time the compliance with data protection in social and health assistance.

  • AEPD sector inspections, which are not punitive, aim to obtain an overall picture in order to detect deficiencies and propose improvements.
  • The plan includes recommendations to public bodies, companies and institutions that own social health centers, concerning the actions necessary for the proper implementation of the GDPR and the LOPDGDD.
  • It also includes a decalogue that sums up the main conclusions and a set of questions and answers addressing the doubts raised.
  • Access to the Inspection Plan for Partner Health Care Office.

(Madrid, 1st June 2020)
The Spanish data protection authority (AEPD) has published the “Inspection Plan for Partner Health Care Office”, which analyzes for the first time the processing carried out in this sector and evaluates its compliance with data protection legislation.

The sector inspections carried out by the Spanish Authority in different sectors or specific areas are not punitive but preventive: their purpose is to obtain an overall picture that makes it possible to detect deficiencies and draw up recommendations.
The aim of these inspections is to raise the level of protection of citizens by analyzing the data handled by organizations.

This plan contains conclusions on compliance with the GDPR and the Organic Law on Data Protection and the Guarantee of Digital Rights (LOPDGDD), together with recommendations addressed to public bodies, companies and institutions that own social health centers, concerning the actions necessary for the proper application of the regulations. It also includes a decalogue that summarizes the main conclusions and a set of frequently asked questions and answers addressing the doubts raised during its execution.

Among the most relevant conclusions are those concerning the information to be offered to the users of these services, which should preferably be layered, concise and written in clear language, adapted to the recipient’s ability to understand it. For example, the first layer could consist of simple information posters located in the access areas of the center, which might include references to other layers of more detailed information.

During the audits, problems were identified in the way those responsible for the processing identify the legal bases that cover it, and the Authority recalls that a legal basis must be identified for each processing activity carried out.

The FAQ answers other questions arising in the context of social health care activity, for example whether certain data of a user can be erased at his request, whether processing for medical research purposes can be carried out in a facility, or whether it is mandatory to hand over personal data of the center’s users when requested by the security forces.

On the other hand, since special categories of data are involved, recommendations on data security are also offered, such as minimizing the sharing of personal data between professionals to what is strictly necessary; defining access profiles that take into account the information needs of each professional; auditing accesses; having employees who process users’ personal data sign a confidentiality commitment; and avoiding generic user accounts shared among several employees, among others.

Doubts were also noted as to whether the centres could provide information about a user’s stay, location or health status at the request of family members. In this respect, the AEPD notes that the user’s consent must be obtained. However, in cases of vital urgency, or where the presence of persons linked to the user by family ties or a de facto relationship could be essential for the proper care of the user, the centre may confirm that the person has been admitted and indicate his location, provided that the patient has not objected to the information being provided, without disclosing special category data or the care provided.

Other recommendations concern, for example, ensuring that processing contracts specify all the obligations stipulated by the GDPR, that security policies are based on a risk analysis, and that Data Protection Impact Assessments are carried out for new processing operations at partner-health centres.

The “Inspection Plan for Social Health Care Office” is part of the actions provided for in the AEPD Strategic Plan. In particular, it originates from action 1.3.2, whose objective is to detect the processing and transfers of data carried out between the social and health sectors and to verify their suitability with data protection legislation.

SOURCE: SPANISH DATA PROTECTION AUTHORITY – AEPD