Health data are personal data concerning the physical or mental health of a person, including the provision of health care services, which reveal information about a person’s health status in the past, present or future. This category of data is marked as a special category of personal data under the GDPR, because of its ‘sensitive’ nature: unlawful processing of health data may cause serious consequences to a person’s rights and freedoms.
Therefore, health-related data are subject to a stricter data processing regime than non-sensitive data: you will not always be allowed to process data revealing information on the health status of persons.
Can I process health data?
In principle, the processing of health data – like any other special category of personal data – is prohibited. But even though processing health data is deemed riskier than processing regular personal data, it can be necessary in many areas of life.
Therefore, the GDPR foresees several exceptions to the prohibition. First, health data can only be processed when there is a lawful basis to do so under article 6.
Additionally, one of the situations mentioned in article 9 needs to be present.
If your company processes data concerning health, you will bear an extra burden as these data require a higher standard of protection than non-sensitive personal data. In each situation, appropriate safeguards need to be in place!
Time for action!
Assess whether there is a way to avoid the processing of health data.
Is the processing of health data necessary to achieve its underlying aim?
Is the aim pursued by the processing of health data proportionate regarding the restriction of the concerned person’s rights and freedoms?
Check whether EU or national law set additional requirements or prohibitions for health data processing.
Provide all the necessary information to the individual whose health data your company is going to process in a way that is understandable to the person.
Implement sufficient technical and organisational safeguards (e.g. pseudonymisation, separate storage of health data, restriction on the number of persons that have access to health data) to ensure that health data is adequately protected and is not subject to unauthorised disclosure or other unlawful processing activity.
Don’t forget to consider the principles of personal data processing.
In case of doubts concerning the permissibility of the planned processing activities or the necessary safeguards, consult your DPO (if your company has one) or your DPA (See also "How to contact my DPA?").
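The technical safeguards named in the checklist above (pseudonymisation, separate storage of health data, restricting who can link a record back to a person) can be put together in a small piece of code. The following is an added example written for this page, not code from the page's author or from any regulator's guidance. It assumes a keyed HMAC-SHA256 pseudonym, two logically separated stores (identity versus health attributes), an allow-list of roles that may re-identify a record, and constructed sample records; the field and role names are illustrative choices, not terms defined by the GDPR.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical roles permitted to re-identify a pseudonym; all other roles only
# ever see the pseudonymised health store.
REIDENTIFY_ROLES = frozenset({"treating_clinician", "dpo"})

# Fields treated as direct identifiers and kept out of the health store.
DIRECT_IDENTIFIERS = ("name", "date_of_birth", "national_id")


def make_pseudonym(national_id: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym: HMAC-SHA256 over the identifier.

    A keyed MAC (rather than a plain hash) means the pseudonym cannot be
    recomputed or reversed by anyone who does not hold the key, even though
    national ID numbers come from a small, guessable space. Determinism lets
    repeat visits of the same patient link to the same pseudonym.
    """
    return hmac.new(key, national_id.encode("utf-8"), hashlib.sha256).hexdigest()


@dataclass
class PseudonymisedHealthStore:
    """Health records split across two stores plus a separately held key.

    identity_store: pseudonym -> direct identifiers (restricted access)
    health_store:   pseudonym -> list of health entries without identifiers
    """
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    identity_store: dict = field(default_factory=dict)
    health_store: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def ingest(self, record: dict) -> str:
        """Split one raw record into the two stores; return its pseudonym."""
        pseudonym = make_pseudonym(record["national_id"], self.key)
        self.identity_store[pseudonym] = {k: record[k] for k in DIRECT_IDENTIFIERS}
        health_only = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        self.health_store.setdefault(pseudonym, []).append(health_only)
        return pseudonym

    def health_view(self, pseudonym: str) -> list:
        """What a non-privileged role (e.g. research) gets: no direct identifiers."""
        return [dict(entry) for entry in self.health_store.get(pseudonym, [])]

    def reidentify(self, pseudonym: str, role: str, purpose: str) -> dict:
        """Link a pseudonym back to a person; allowed only for listed roles and always audited."""
        if role not in REIDENTIFY_ROLES:
            self.audit_log.append(("denied", role, pseudonym, purpose))
            raise PermissionError(f"role {role!r} may not re-identify health data")
        self.audit_log.append(("allowed", role, pseudonym, purpose))
        return dict(self.identity_store[pseudonym])


if __name__ == "__main__":
    store = PseudonymisedHealthStore()
    # Constructed sample records for this example; not real persons.
    p = store.ingest({"national_id": "EX-0001", "name": "Anna Example",
                      "date_of_birth": "1980-01-01", "diagnosis": "E11"})
    store.ingest({"national_id": "EX-0001", "name": "Anna Example",
                  "date_of_birth": "1980-01-01", "diagnosis": "I10"})
    print("research view:", store.health_view(p))
    try:
        store.reidentify(p, "researcher", "cohort study")
    except PermissionError as exc:
        print("blocked:", exc)
    print("clinician view:", store.reidentify(p, "treating_clinician", "follow-up"))
    print("audit:", store.audit_log)
```

In a real deployment the HMAC key would live in a key management service or HSM rather than in the same process as the data, and the two stores would be separate databases with separate credentials; the audit log is what lets the DPO later show who linked which record back to a person and why.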