The new right to data portability (art. 20 GDPR) shall also apply to health data.
This interpretation is clearly illustrated in the recent Guidelines on the right to data portability, issued by the WP 29 on 13 December 2016.
At point III, the Guidelines state three necessary conditions for the right to apply:
- personal data concerning the data subject;
- data provided by the data subject;
- the right to data portability shall not adversely affect the rights and freedoms of others.
Regarding point 2 (data provided by the data subject), the Guidelines specify:
In general, given the policy objectives of the right to data portability, the term “provided by the data subject” must be interpreted broadly, and only to exclude “inferred data” and “derived data”, which include personal data that are generated by a service provider (for example, algorithmic results). A data controller can exclude those inferred data but should include all other personal data provided by the data subject through technical means provided by the controller.
In a footnote, the Guidelines state that:
This includes all data observed about the data subject during the activities for the purpose of which the data are collected, such as a transaction history or access log. Data collected through the tracking and recording of the data subject (such as an app recording heartbeat or technology used to track browsing behaviour) should also be considered as “provided by” him or her even if the data are not actively or consciously transmitted.
Consequently, after May 2018, a patient with a pacemaker, a patient on glucose monitoring or a patient under telemedicine treatment (as examples) may request his or her own data from the hospital, and the hospital will be obliged to fulfil the request “in a structured, commonly used and machine-readable format”.
Health clinics should therefore be equipped with suitable technology, and all manufacturers of medical devices should start planning and producing according to “privacy by design” as soon as possible.