All companies and organisations working in life sciences and other health and wellness services will eventually need to process the more restricted special categories of personal data, such as health data, genetic data or biometric data. Such processors then need to ensure that all of the special requirements for such personal data are fully met before they start processing it.
A recent decision by the Swedish Authority for Privacy Protection clarified some of these additional requirements that apply particularly to health care providers. However, it is likely that these requirements will also need to be applied more broadly, including for any other processing of health data in Sweden. In this article, we look further into these additional requirements that could be relevant for most actors in the health and wellness and life sciences fields.
A person’s health, genetic and biometric data is classified as special categories of personal data according to article 9 of the GDPR. Such special categories of data are subject to additional requirements that must be met prior to any processing (in fact, ‘regular’ personal data that could be sensitive from a privacy point of view may also be subject to similar additional requirements). The nature and sensitivity of the personal data are thus factors that must be considered when, for example, deciding on appropriate safeguards for the processing to ensure a sufficient level of security and compliance. In other words, the security measures implemented by processors of sensitive personal data or special categories of personal data need to ensure a higher level of security than those implemented by processors only processing less sensitive personal data.
One such security measure is to analyse employees’ needs for access and the related risks for data subjects and then, based on the outcome of the analysis, limit access authorisation to the personal data to those with an actual and legitimate need for access in each specific case.
In December 2020, the Swedish authority for Privacy Protection (‘IMY’ below) set out the requirements for a needs and risk analysis specifically for health care providers’ processing of health data under Swedish law. IMY had performed a large-scale supervisory review of eight health care providers. In its decision, IMY focused in particular on whether the health care providers had conducted, as a specific security measure, a needs and risk analysis, which is required for the processing of patient data under the various Swedish laws and regulations that apply to health care providers. In connection with this supervisory review, IMY published guidelines on how to perform such an analysis and how to comply with the relevant requirements for the health care sector. The Authority stated, among other things, that such an analysis is a required condition for any processing of patient data in health care services in Sweden, and that failure to perform such an analysis would constitute a fundamental and material breach of the GDPR.
As a result of the IMY supervisory review and guidelines, there now no doubt that such a needs and risk analysis is a fundamental requirement under Swedish law for the processing of health data within the health care sector as a specific security measure in line with the GDPR.
However, another less discussed result of the IMY supervisory review and guidelines is that this needs and risk analysis could also, in some cases, be required as an appropriate organisational security measure, under the GDPR, for the processing of health data in other sectors.
As mentioned above, controllers and processors of personal data need to implement appropriate technical and organisational measures to ensure an appropriate level of security, as set out in article 32 of the GDPR. Accordingly, a controller or processor has to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Appropriate measures depend in part on the state of the art, the costs of implementation and the nature and risks of the relevant processing. Since the needs and risk analysis is a specific statutory requirement for the processing of health data within the health care sector, this requirement does not apply directly to other processing of health data. However, due to the wide impact and application of such an analysis in health care providers (which is to be expected, since it is fundamentally required) it is likely that this could be seen to set a standard for organisational security measures for health data – and thus form a requirement for such processing among other actors in the health and wellness and life sciences fields as well. If so, the needs and risk analysis might become an organisational measure which is required under Swedish law for the processing of health data in all fields.
In essence, the closer you get to the processing of health data that is similar to the processing in the health care sector, the more likely you would need to undertake a needs and risk analysis as a fundamental requirement for such processing.
So, with that possible general requirement for a needs and risk analysis in mind, what are the specific steps required under such an analysis according to IMY? As the name of the analysis indicates, it is an analysis not only of the caregivers’/employees’ needs but also of the risk for the data subjects’ rights and freedoms. According to IMY, the needs and risk analysis must be performed in six steps, which can generally be summarised as follows:
- Analyse and determine the needs of the operation performed;
- Identify and analyse the risks for the data subject’s privacy;
- Identify and implement appropriate technical and organisational measures to reduce the risks;
- From the analysis carried out, determine a structure for accessing the data subject’s personal data that supports the needs and minimises the risks;
- Document the analysis and the specific steps and measures taken; and
- Continuously review the structure for access and the safety measures that may be appropriate in order to reduce the risks.
These steps, together with the other specific measures set out in the IMY guidelines, may thus form a new standard for health data processing in Sweden. Authorisation limitations are obviously not new and have formed part of general safety measures for a long time. However, general requirements for such measures have not been common to date, and, according to our experience, authorisation limitations are often technically very difficult and costly to implement (especially in large and complex organisations). It will be interesting to follow these developments and see whether a new standard for needs and risk analysis for the processing of health data will emerge in Sweden.