Processing Personal Data in Health and Medical Care

Globalization, information society, digitization, integrity, automation, profiling, sensitive personal data, consent, objection, pseudonymization, personal data breach, principles, lawfulness of processing, rights, data protection officer, controller, processor, incident reporting and sanctions. Given the scope of the field, it is perhaps no wonder that the massive and, to some extent, complicated General Data Protection Regulation (GDPR) that will replace Sweden’s existing personal data regulations in May 2018 currently perplexes IT, legal and marketing departments across the country. This year alone, no less than 12 different Swedish Government Official Reports will be presented detailing how this new regulation will affect different fields. Among these, the Official Report SOU 2017:66 was published in August to clarify the changes in the field of health and medical care. This report alone comprises a 766-page tome that effectively concludes that the GDPR will result in one material change – a protective measure introduced in the Medicinal Products Ordinance. So, keep calm! Despite the fact that the GDPR is difficult to get a grip on in certain cases, the practical outcome does not always involve major changes. Still, to provide some clarity, let’s break the GDPR down into its essential elements, starting from the top.

On 25 May 2018, the EU’s GDPR will become directly applicable in Sweden and will replace Sweden’s Personal Data Act (SOU 2017:39, p. 20.). At the national level, GDPR rules are likely to be reformulated to create a new national Data Protection Act.  The Data Protection Act, like the current Personal Data Act, will be supplemented by a number of laws that take precedence over the Act itself in certain specific fields. The Act will thus become subsidiary and only applicable in the field in question, unless otherwise provided in a special law.

The Official Report SOU 2017:66 was published in August of this year as an inquiry into what impact the GDPR will have on personal data processing in health and medical care. As a starting point, the investigation aimed to confirm that data controllers will be able to continue processing data in the same way as previously and that the form of personal data processing that is currently legal under Swedish law will continue to be legal even after the GDPR comes into effect.

Personal data processing in Sweden’s health and medical care sector is regulated by the Swedish Patient Data Act, which takes precedence over more general legislation in the area. The Official Report SOU 2017:66 states that this act will continue to apply to this field. With only a few formal changes, the law will meet the requirements stipulated by the GDPR concerning personal data processing and the processing that is both legal and necessary today will continue to be so in the future. Moreover, the GDPR does not open the way for any future possibility to legalise processing that is not currently legal under Swedish law.

On the other hand, the report does recommend that a protective measure be introduced into Sweden’s Medicinal Products Ordinance in order for it to meet GDPR requirements. It proposes introducing a requirement that would limit personal data processing to specified purposes considered compatible with lawful processing operations. This would mean that pharmaceutical companies cannot reuse sensitive personal data other than for processing in conjunction with archiving that is in the public interest, for scientific or historical research purposes, or for statistical purposes.

Although the specific Swedish acts regulating the field of health and medical care will take precedence, the GDPR will be important at the general level of legal application, where the specific acts provide no guidance. The large number of official government reports currently being prepared testifies to the complexity of the new regulation and, as such, it is too early to tell exactly what practical significance it will have. For the health and medical sector, at least, it seems that, in practice, the GDPR will have very little impact on personal data processing.