Sweden’s requirements for processing health data in the cloud – key takeaways from the recent IMY decision

Processing of health data always involves detailed assessments of how to comply with different personal data requirements. The Swedish Data Protection Authority (IMY) has recently issued a pre-consultation decision of high relevance to the health data sphere. In this article, we will highlight key takeaways from IMY’s decision.

Background
Digitalisation of health care provision and processes, including health data, often requires data processing by third party providers of IT solutions. Although it is permissible to outsource processing of health data, IMY has stated that it is essential that controllers of health data maintain GDPR compliance throughout their provision of health care services, including during the procurement of IT solutions. IMY explains that data controllers must have a thorough understanding of the data processing they perform, and the associated risks. Where a healthcare provider lacks such understanding, IMY recommends that the healthcare provider does not proceed with risky agreements.

1. The healthcare provider’s obligations to provide efficient healthcare services do not remove the obligation to comply with the GDPR

The first key takeaway highlights to what extent the GDPR is applicable in relation to other legal requirements. In many instances, a data controller is legally obligated to provide certain services that require data processing. For example, a healthcare provider is legally obligated to maintain a functioning IT system, since a functioning IT system is integral to the provision of healthcare services. Essential processing of personal data to fulfil a legal obligation is a legal ground for data processing.

In this instance, the healthcare provider argued that data processors have to be employed in India and the U.S. for support of the IT system, since the lack of support would cripple the integrity of the IT system and the ability of the healthcare provider to meet its legal obligations. However, according to IMY, a data controller is still responsible for ensuring that its data processing is in accordance with the GDPR, regardless of the existence of other legal obligations that the data controllers must comply with.

In a global market, the requirement of complying with the GDPR at all times, despite the presence of other legal obligations, imposes a challenge to many data controllers in need of IT solutions. Consequently, a data controller may be required to choose a lesser IT solution that is more compliant with the GDPR, rather than the IT solution that better fits the data controller’s technical and practical requirements.

2. Processing of health data by health care providers requires extra care and protective measures

The second key takeaway is how the sensitivity of the processed data affects the data controller’s duty of care. Provision of healthcare services involves the processing of sensitive health data and related data belonging to registered individuals. This processing requires extra discretion, especially when health data and related data are processed extensively, randomly (which is often the case with support functions) and when the data is sourced from every individual within a large geographical area. The effect is that individuals cannot foresee to what extent their personal information is being processed, basically making it hard for individuals to safeguard their own interests.

Although the requirements in the GDPR apply to every individual who processes personal data, processing in the circumstance identified requires extra diligence and pre-emptive actions to promote safe and compliant data processing.

3. The healthcare provider’s impact assessment must be extensive and answer relevant data protection questions, but exactly how extensive is yet to be seen

The third key takeaway highlights the importance of the controller’s impact assessment. Processing of health data requires the data controller to perform an independent, thorough and detailed impact assessment of the parties involved and the data processing in general, and thus to map out risks and solutions associated with the intended data processing. IMY indicates that this includes an assessment not only of the IT solution but also of the supplier of the IT solution, both within the EU and outside the EU.

Personal data may be transferred from the EU to countries that offer an adequate level of data protection comparable to that provided in the EU. The EU Commission can decide that a third country offers adequate data protection; however, at present no valid adequacy decisions apply between the EU and India and the EU and the U.S. The absence of a valid adequacy decision imposes a significant “transfer impact assessment” (TIA) burden upon data controllers employing data processors outside the EU/EEA. The TIA should include, but not be limited to, assessing whether local laws and regulations are in conflict with the GDPR and the SCCs, and to what extent supplementary measures should be implemented to enhance data protection. A common factor that influences the TIA is whether local laws require that data processors share transferred data with the local authorities.

IMY sets out very strict requirements regarding the legal certainty demonstrated through the impact assessments (DPIA/TIA). This entails inter alia that the data controller should not rely on “unknowns” and implicit risk assessments regarding the legality of its data processing; such an approach is against the requirement of delivering a thorough impact assessment. Based on the impact assessment, the controller must instead maintain (some degree of) certainty as regards the legality of the intended processing. IMY does not specify the extent to which the impact assessment must clarify every fact. Nonetheless, when transferring data abroad data controllers must be in possession of confirming facts regarding the application of local laws and regulations. The outcome of an inadequate impact assessment is that IMY cannot recommend the data controller to proceed with the intended data processing.

It cannot be ignored that the requirements set by IMY regarding what questions the impact assessment should answer, or what effort the controller should put into the impact assessment, are very high. This is, nonetheless, in line with the general scope and application of the GDPR and the findings and effects of the Schrems II-judgment.

4. Healthcare providers should not transfer or provide access to health data to India and the U.S. unless very certain there is a legal basis for the transfer and adequate data protection

The fourth key takeaway explains the circumstances in which health data can be transferred abroad. Health data is both sensitive data and data subject to strict confidentiality provisions. This means that the processor must assure a sound legal basis and protection of secrecy. Disclosure of health data to the wrong person or public authority in a third country can lead to severe infringement of the registered person’s rights and freedoms and violation of the confidentiality provisions.

The GDPR prescribes that necessary processing of health data can only be outsourced to professionals subject to Union or Member State confidentiality provisions. In practice, this requirement means that the data processors in India and the U.S. must be regulated by either Union or Swedish confidentiality regulations. This requirement cannot be satisfied through a contractual secrecy provision, e.g. via a data processing agreement. If the legal requirement is not met, there is no legal basis for the outsourcing and subsequent processing of sensitive health data. However, IMY cannot determine whether the Swedish confidentiality regulations also apply to foreign data processors in agreement with Swedish data controllers. Nonetheless, it is clear that enforcing Swedish confidentiality provisions in a country outside the EU would be complicated. IMY therefore recommends that healthcare providers do not continue the intended processing.

Although the above is of great importance in terms of the transferring of health data, the processor must also comply with the GDPR’s general requirements regarding transfer of personal data to a third country. IMY concludes: if an IT solution requires the support personnel to have access to readable personal data, and the support personnel are bound by foreign law to disclose readable data directly to the authorities, no technical measures resolve the issue inherent in allowing such data processor access to readable personal data. Where the data processor holds the key to transferred data that has been encrypted, essentially equivalent protection is not guaranteed, since the provision of the encryption key to the processor makes the encryption void of function.

IMY also shines some light on an issue of principle regarding how to deal with the situation when a person processing or storing the data in the EU is bound by foreign law to disclose the data directly to authorities in a country outside the EU/EEA. The mere existence of a legal obligation that requires a processor within the EU to disclose personal data to an authority in a third country does not constitute a third country transfer. Nonetheless, in the referenced decision, IMY holds that when sensitive personal data is made readable to authorities in a third country by remote access, this goes beyond what is necessary and proportionate, it constitutes an intrusion into the fundamental rights of the registered person, which no technical solutions can resolve.

Summary
The processing of health data in general, and the processing by a healthcare provider specifically, imposes extra requirements beyond those of normal data processing due to the nature of the data and the severity of the risks associated with wrongful processing of health data. The general takeaway from IMY’s decision is that it is still possible to process healthcare data in Sweden and to employ support functions that process personal data abroad. It is preferable that the healthcare provider ensures GDPR compliance as early as possible when procuring or introducing new IT solutions. Since most processing of health data constitutes a high-risk operation, an impact assessment is in all probability always required, especially when outsourcing and transferring personal data to data processors abroad.

The risk of not acting accordingly is threefold: firstly, the rights of registered individuals could be irreparably violated; secondly, a substantial economic risk is associated with non-compliance with the GDPR; and thirdly, the general standing of the organisation in the market could be negatively affected. The above sheds light on the importance of introducing a GDPR-compliance narrative early in the process when procuring and introducing new IT solutions. By investing early in a thorough impact assessment, the data controller is essentially removing unnecessary influence of uncontrollable circumstances that could eventually affect the whole business down the line.