Data Portability impact on healthcare facilities

By | Wednesday January 25th, 2017

The new right to data portability (art. 20 GDPR) shall also apply to health data.

This interpretation is clearly illustrated in the recent Guidelines on the right to data portability, issued by the WP 29 on 13 December 2016.

At point III, the Guidelines state three necessary conditions for the right to apply:

  1. personal data concerning the data subject;
  2. data provided by the data subject;
  3. the right to data portability shall not adversely affect the rights and freedoms of others.

Regarding point 2 (data provided by the data subject), the Guidelines specify:

In general, given the policy objectives of the right to data portability, the term “provided by the data subject” must be interpreted broadly, and only to exclude “inferred data” and “derived data”, which include personal data that are generated by a service provider (for example, algorithmic results). A data controller can exclude those inferred data but should include all other personal data provided by the data subject through technical means provided by the controller.

In a footnote, the Guidelines state that:

This includes all data observed about the data subject during the activities for the purpose of which the data are collected, such as a transaction history or access log. Data collected through the tracking and recording of the data subject (such as an app recording heartbeat or technology used to track browsing behaviour) should also be considered as “provided by” him or her even if the data are not actively or consciously transmitted

Consequently, after May 2018, a patient with a pacemaker, a patient on glucose monitoring or one under telemedicine treatment (as examples) may request his or her own data from the Hospital, and the Hospital will be obliged to fulfil the request “in a structured, commonly used and machine-readable format”.

Health clinics should therefore be equipped with suitable technology, and all manufacturers of medical devices should start to plan and produce with “privacy by design” as soon as possible.

About Silvia Stefanelli

Senior Lawyer, Owner Studio Legale Stefanelli&Stefanelli. Specialized in: Health service legislation, e-Health, Privacy and Data protection, Product Legislation (CE Marking), National and International Agreements (sale and distribution in particular), Health Authorizations, Health Advertising, Corporate Compliance (Law nr. 231/2001).

One thought on “Data Portability impact on healthcare facilities”

  1. paolo calvi

    Indeed, the WP29 guidelines on portability were an eye-opener, at least for me. Before, I had understood, as I believe others had, that the rule essentially concerned social networks. Instead, it has a strong impact on healthcare, an area in which, to be fair, the issue of interoperability (which is a different but adjacent matter) has long been topical but is still far from being resolved.