Health data management: the anti-Covid-19 measures, which have been gradually introduced by the national emergency regulations of recent months, have led to a proliferation of opportunities to collect data on health status from individuals who are generally not involved in managing this type of information. The legitimacy of such collections has already been mentioned in a previous post on the culture of personal data processing.
In this post, we will focus on health data management and the security measures necessary to protect health status data.
Health data management: security measures for protecting data according to GDPR
One of the new features of GDPR is the fact that the choice of security measures for health data protection is entrusted to the data controller who decides to take into account certain factors: state-of-the-art technology, costs, the nature of the data, the context, the purposes of the processing and the risks to the rights and freedoms of people that the processing may involve.
On closer inspection, a similar rule was also contained in the old Privacy Code, which also prescribed the obligation to adopt a series of precisely described measures, the so-called “minimum” measures. If the controller considered these measures insufficient, he had to identify others according to his own assessment. In reality, in most cases, the minimum measures were considered sufficient to ensure compliance with the law, and the discretion granted to the controller went unused. All of this led to a downward standardization of security measures for health data management: the measures were not only “minimal”, because the legislator had essentially identified a lowest common denominator among the many possible, but they were also the same for all types of processing and all types of data, with some extra attention for sensitive data.
Acknowledging the objective impossibility of prescribing the security measures to be adopted in the most varied and constantly evolving contexts, the European legislator, recognizing the right of the data subject to protect his or her own data through adequate security measures, established that it is the data controller who decides which measures to adopt.
Therefore, while the data controller is obligated to put in place “appropriate technical and organizational measures to ensure a level of security appropriate to the risk”, the choice of which measures is up to him. His task is to assess their adequacy by balancing the risk — determined by the nature of the data, the context, and the purpose of the processing — with the available technology and its costs.
The costs of technology for health data management are very important: admitting that measures to protect data can be chosen by evaluating this aspect also means recognizing that the level of security can be considered adequate even if the most secure technology is not chosen because of how much it costs. Of course, this does not justify any downward choices, but allows the controller to take costs into account in his decision making. If this was not the case, the controller would have had to decide on the most appropriate way to protect the data even if this involved an investment that he could not afford.
The risks of processing personal data
Therefore, the controller chooses the security measures to protect the data and adapt them to the risk. But what risks must be considered?
The Regulation mentions the risks in detail, recognizing that the data subject has the right to complete protection of their data against all possible risks. In fact, it is not only a matter of preserving data from abusive access, but of ensuring that the data is not destroyed, lost, modified, or disclosed accidentally or abusively. Of course, the objection can be raised that avoiding the destruction or modification of data is in the data controller’s own interest (who, for example, would like to lose their patients’ data?), but while the controller may assume all the risks and bear any damage resulting from imprudent conduct where his own interests are concerned, such conduct is not allowed when the data of natural persons are involved.
Moreover, if it is a risk that information on a person’s health status is disseminated, it is equally a risk that the data indicating that someone is allergic to certain drugs is not available to the person who has to prescribe a therapy. This is just one example.
Therefore, the controller must assess the risks, considering data protection from every angle.
What are the appropriate security measures?
Once the risks have been identified, it is then a question of choosing the appropriate measures for health data protection.
Here, the Regulation provides some indications, saying that “the measures include, where appropriate,
a) pseudonymization (i.e. the processing of personal data in such a way that personal data can no longer be attributed to a specific data subject without the use of additional information) and encryption of personal data;
b) the ability to permanently ensure the confidentiality, integrity, availability, and resilience of processing systems and services;
c) the ability to restore the availability and access of personal data in a timely manner in the event of a physical or technical incident;
d) a procedure to regularly test, verify, and evaluate the effectiveness of technical and organizational measures in order to ensure the security of the processing.”
The list is not the most homogeneous: if a) and d) identify specific measures, b) and c) are very generic and do not add anything to what we already know. It is clear, for example, that if we are to reduce the risk of unauthorized access and accidental or illegal disclosure, we must take measures to ensure the confidentiality of data on a permanent basis.
This is what the European Regulation writes. However, security measures to protect health data have been the subject of laws, regulations, guidelines, and international standards to which it is possible to refer at least as food for thought to identify those suitable for the case.
In this post, we are limiting ourselves to the legal regulations and guidelines of the Italian Data Protection Authority. These include Prime Minister Decree 178/15 on electronic health records, which, in article 23 describes, in detail, the security measures with which data must be protected; the Guarantor’s Guidelines on Health of June 4, 2015 and those on online reports of November 19, 2009.
The above-mentioned measures are provisions concerning specific health data management systems and not the broader category of health data. According to the GDPR, this category includes a person’s data collected during his or her registration in order to receive health care services; numbers or symbols assigned to a person to uniquely identify him or her for health purposes; information resulting from tests and examinations carried out on a body part or an organic substance, including genetic data and biological samples; and any information concerning, for example, a disease or risk of a disease, disability, medical history, medical treatment, or the physiological or biomedical status of the person concerned, regardless of its source, such as a doctor or other health care professional, a hospital, a medical device, or an in vitro diagnostic test.
Article 2f of the Privacy Code establishes that data related to health status, understood in this broad sense, may be processed in accordance with the measures ordered by the Guarantor, which must identify “security measures, including encryption and pseudonymization techniques, minimization measures, specific methods for selective access to data and for making the information available to the data subjects, as well as any other measures necessary to guarantee the rights of data subjects”.
The measures are currently being drafted and are therefore not available at the present time. In the meantime, we can try to line up the security measures that protect health data by drawing inspiration from the health data provisions, while being aware that the contexts and, therefore, the risk levels, can obviously be very different.
To protect health status data, the following security measures should be considered:
- suitable authentication and authorization systems for people in charge according to the roles and requirements of access and processing. The adoption of strong authentication systems, for example with two-factor authentication modes, should be considered;
- procedures for the periodic verification of the quality and consistency of authentication credentials and authorization profiles assigned to people in charge;
- identification of criteria for the encryption or separation of data that reveal the state of health from other personal data;
- traceability of accesses and operations carried out;
- audit log systems for access control and the detection of anomalies;
- procedures for anonymizing direct identification elements when they are not necessary for the purposes of processing, for example by replacing the tax code with an anonymous identification code;
- operational continuity and disaster recovery plans.
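As an added illustration, not part of the original post, of three items in the list above (pseudonymization that cannot be undone without separately held additional information, separation of health data from direct identifiers, and an audit log with anomaly detection), the following Python assumes a hypothetical key custodian, HMAC-SHA256 as the pseudonymization primitive, a constructed sample tax code, and a hypothetical “distinct records read” threshold for the anomaly check.

```python
import hashlib
import hmac
import time
from collections import defaultdict
from typing import Optional

# Constructed sample identifier in Italian tax-code format; not a real person.
SAMPLE_TAX_CODE = "RSSMRA80A01H501U"


def pseudonymize(tax_code: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 pseudonym. The key is the 'additional information'
    of the GDPR definition: without it the pseudonym cannot be linked back.
    An unkeyed hash would not do, since candidate tax codes could simply be
    hashed and compared."""
    return hmac.new(key, tax_code.strip().upper().encode(), hashlib.sha256).hexdigest()


class HealthStore:
    """Holds health data keyed by pseudonym only. No direct identifier is
    stored here, so health data stays separated from other personal data."""

    def __init__(self) -> None:
        self.records: dict = {}
        self.audit_log: list = []  # traceability of every consultation

    def add(self, pseudonym: str, health_data: dict) -> None:
        self.records[pseudonym] = health_data

    def read(self, pseudonym: str, user: str, purpose: str) -> Optional[dict]:
        # Every read is logged before the data is returned, hit or miss.
        self.audit_log.append({"ts": time.time(), "user": user,
                               "pseudonym": pseudonym, "purpose": purpose})
        return self.records.get(pseudonym)


def flag_bulk_readers(audit_log: list, max_distinct: int) -> list:
    """Audit-log anomaly check: users who consulted more distinct records
    than the (hypothetical) threshold a single clinician would plausibly need."""
    seen = defaultdict(set)
    for entry in audit_log:
        seen[entry["user"]].add(entry["pseudonym"])
    return sorted(u for u, s in seen.items() if len(s) > max_distinct)


if __name__ == "__main__":
    key = b"hypothetical-key-held-by-custodian"  # never stored with the records
    store = HealthStore()
    store.add(pseudonymize(SAMPLE_TAX_CODE, key), {"allergies": ["penicillin"]})
    # The prescriber re-derives the pseudonym; the store never sees the tax code.
    print(store.read(pseudonymize(SAMPLE_TAX_CODE, key), "dr_rossi", "prescription"))
    print(flag_bulk_readers(store.audit_log, max_distinct=20))
```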
In the event that the data can be accessed online, the following measures are envisioned:
- suitable authentication and authorization systems for consultation;
- secure communication protocols based on the use of cryptographic standards;
- measures to avoid the acquisition of information in caching systems;
- possible definition of the duration of information availability;
- the possibility of excluding certain data from online consultation.
If the data is transmitted via email, instead, the following indications can be followed:
- transmission of data in the attachment and not in the body of the text;
- protection of attachments by password or cryptographic key;
- email address validation systems.
In addition to these specific measures for health data protection, there are those normally adopted to protect data, such as firewalls, antivirus software, etc., and those related to any cloud services, which would require specific consideration. Obviously, alongside the strictly technical measures, organizational ones such as instructions, policies, warnings, etc. would be added.
Although the above-mentioned measures are only a starting point for identifying the most suitable measures for specific cases, the list highlights the care that is necessary for protecting health status data and the effort required to manage it. The commitment required for their protection should, therefore, lead us to consider carefully whether it is actually necessary to collect such data.
For example, one could reflect on the unfortunately widespread practice of recording employee body temperature data even when it remains below the threshold. If the absence of any duty to record body temperature data is not enough to rule out this processing, the fact that the measures required to protect such data are not trivial should make us think again, and this must be evaluated considering the risks associated with their processing.
Before addressing the issue of health data protection, it is therefore appropriate to verify whether there is a concrete need to collect and process data. In this way it will be possible to concentrate efforts, and consequently also financial efforts, where there is a real need.