GDPR and health data: Article 9 and the boundaries of processing

Regulation (EU) 2016/679 applies from 25 May 2018: definitions of health data, special categories, Article 9 derogations, DPO and DPIA obligations, relationship with the Italian Privacy Code.


25 May 2018

Regulation (EU) 2016/679 (GDPR) was approved by the European Parliament and Council on 27 April 2016, published in the Official Journal of the European Union on 4 May 2016 and becomes directly applicable in all Member States from 25 May 2018. Direct applicability means that no national transposition act is needed for its effect; Member States may however maintain or adopt more specific provisions on a set of topics, expressly including the processing of data concerning health.

In Italy the Legislative Decree 30 June 2003, no. 196 (Privacy Code) remains formally in force, pending the adaptation decree that will align it with the Regulation. The decree — expected as Legislative Decree 101/2018 — is still in parliamentary process at the time of writing, but the GDPR applies from 25 May regardless of when national legislation is completed.

What is health data

Art. 4(15) of the GDPR defines data concerning health: “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status”. Recital 35 clarifies that the definition includes, among others, information:

  • On a natural person collected in the course of registration for, or the provision of, health services
  • Identifying a person for health purposes (a number or identifier uniquely identifying them in the health system)
  • Resulting from examination or tests on body parts or biological substances
  • On diseases, disabilities, risk of disease, medical history, treatments or physiological status

Added to these are genetic data (art. 4(13)) and biometric data meant as data processed to uniquely identify a person (art. 4(14)) — both treated autonomously by the Regulation but often coexisting with health data.

Article 9: prohibition and derogations

Art. 9(1) lays down the general prohibition of processing of special categories of personal data, including racial/ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data for identification, health data, sexual life and sexual orientation.

Art. 9(2) lists ten exhaustive derogations. For the healthcare sector, the most relevant are:

  • (a) explicit consent — valid but problematic in the care context: consent must be freely given, and the power imbalance between patient and provider weakens it as a standalone legal basis; the EDPB (formerly WP29) discourages its use as primary basis in care
  • (h) preventive medicine, diagnosis, healthcare or social assistance or treatment, management of healthcare systems and services — the primary legal basis for clinical processing. Paragraph 3 requires the processing to be done by or under the responsibility of a professional subject to professional secrecy
  • (i) reasons of public interest in the area of public health — protection from cross-border threats, quality and safety of care; typical basis for disease registries, epidemiological surveillance systems, pharmacovigilance
  • (j) archiving in the public interest, scientific or historical research, statistical purposes — the basis for observational studies and research databases; requires appropriate safeguards (pseudonymisation, minimisation, dataset separation)
  • (g) reasons of substantial public interest — requires a legal basis under Union or Member State law

Member State leeway

Art. 9(4) allows Member States to maintain or introduce further conditions, including limitations with regard to the processing of genetic, biometric and health data. Italy will typically use this space to retain certain specificities of the previous Privacy Code: the need for general authorisations by the Garante (to be replaced by “general prescriptions” of the Garante under the new regime), consent requirements for certain processing, specific constraints on genetic data.

The incoming Legislative Decree 101/2018 should insert into the adapted Privacy Code new articles 2-sexies (processing on substantial public interest grounds, subject to a statutory or regulatory basis) and 2-septies (genetic, biometric and health data — subject to safeguards to be defined by a periodically updated measure of the Garante).

Obligations: DPO, DPIA, records of processing

The GDPR introduces — or strengthens — a set of organisational obligations. The most relevant for the healthcare sector:

  • Data Protection Officer (DPO) — mandatory (art. 37) for public authorities (all public health authorities, hospitals, IRCCS) and for controllers processing health data on a large scale. WP243 Guidelines clarify that a hospital exceeds the “large scale” threshold
  • Data Protection Impact Assessment (DPIA) — mandatory impact assessment (art. 35) where processing entails high risks to rights and freedoms. Systematic processing of health data at scale is presumed high-risk and requires a DPIA
  • Records of processing activities (art. 30) — internal documentation of all processing, mandatory for controllers with more than 250 employees and in any case for systematic processing of special categories
  • Privacy by Design and Privacy by Default (art. 25) — integration of data protection measures into system design and default configuration
  • Data breach notification (art. 33-34) — notification to the Garante within 72 hours of awareness of a breach, and communication to the data subject if the risk is high
  • Accountability (arts. 5(2) and 24) — general principle of responsibility: compliance must be demonstrable, not merely carried out

Pseudonymisation, anonymisation, minimisation

Art. 4(5) defines pseudonymisation: “the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately”. Pseudonymised data remain personal data and fall within the scope of the GDPR, but benefit from a mitigation that the Regulation recognises as an appropriate safeguard.

Anonymisation is not defined by the GDPR but is addressed by WP29 Opinion 05/2014: truly anonymous data do not allow identification by reasonably available means, neither alone nor combined with other data, and are not subject to the GDPR. In practice, robust anonymisation of healthcare datasets is hard — the risk-based approach, aggregation and k-anonymity techniques require careful case-by-case evaluation.

Minimisation (art. 5(1)(c)) is a cross-cutting principle: process only the data necessary to achieve the purpose. It has concrete consequences on architectures — for example separation between care and research zones.
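As an added illustration of the three concepts above (not code from the original article), the following Python sketch pseudonymises a constructed record set with a keyed token whose key and lookup table are kept apart from the data, then measures the k-anonymity of the quasi-identifiers before and after generalisation and checks that each group still spans several diagnoses. All record values, column names and the key are constructed for the example.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample extract (fictitious patients): one direct identifier,
# three quasi-identifiers and one sensitive attribute (ICD-10 code).
RECORDS = [
    {"patient_id": "PAT-0001", "age": 38, "postcode": "20121", "sex": "F", "diagnosis": "E11"},
    {"patient_id": "PAT-0002", "age": 43, "postcode": "20121", "sex": "M", "diagnosis": "I10"},
    {"patient_id": "PAT-0003", "age": 36, "postcode": "20124", "sex": "F", "diagnosis": "J45"},
    {"patient_id": "PAT-0004", "age": 41, "postcode": "20129", "sex": "M", "diagnosis": "E11"},
    {"patient_id": "PAT-0005", "age": 39, "postcode": "20122", "sex": "F", "diagnosis": "I10"},
    {"patient_id": "PAT-0006", "age": 44, "postcode": "20127", "sex": "M", "diagnosis": "J45"},
]
QUASI_IDS = ("age", "postcode", "sex")

def pseudonymise(records, secret_key):
    """Art. 4(5): replace the direct identifier with a keyed token. The key and
    the token->id table are the 'additional information' and belong in a
    separate store with its own access control, never beside the dataset."""
    pseudo, lookup = [], {}
    for r in records:
        token = hmac.new(secret_key, r["patient_id"].encode(), hashlib.sha256).hexdigest()[:16]
        lookup[token] = r["patient_id"]
        pseudo.append({"token": token, **{k: v for k, v in r.items() if k != "patient_id"}})
    return pseudo, lookup

def generalise(record):
    """Coarsen quasi-identifiers: ten-year age band, three-digit postcode prefix."""
    lo = record["age"] // 10 * 10
    return {**record, "age": f"{lo}-{lo + 9}", "postcode": record["postcode"][:3]}

def k_anonymity(records, quasi_ids=QUASI_IDS):
    """Size of the smallest group sharing the same quasi-identifier values (k == 1: someone is unique)."""
    groups = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return min(groups.values())

def min_diversity(records, sensitive="diagnosis", quasi_ids=QUASI_IDS):
    """Distinct sensitive values in the least diverse group: k-anonymity alone
    is useless if everyone in a group shares the same diagnosis."""
    seen = {}
    for r in records:
        seen.setdefault(tuple(r[q] for q in quasi_ids), set()).add(r[sensitive])
    return min(len(v) for v in seen.values())

if __name__ == "__main__":
    pseudo, _lookup = pseudonymise(RECORDS, b"key-held-in-separate-store")
    coarse = [generalise(r) for r in pseudo]
    print("k raw:", k_anonymity(pseudo), "| k generalised:", k_anonymity(coarse),
          "| diagnosis diversity:", min_diversity(coarse))
```

On this sample the raw extract has k = 1 (every patient is unique on age, postcode and sex), while the generalised one reaches k = 3 with three distinct diagnoses per group; the minimisation point is that the research zone receives only the coarse columns, and the lookup table never leaves the care zone.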

The Electronic Health Record and GDPR

The Italian FSE model — built between 2012 and 2015 — already incorporates many principles the GDPR consolidates: dual consent (to populating the record and to accessing it), granular masking, access tracing, logs kept for ten years. The alignment between DPCM 178/2015 and GDPR will be the subject of an update of the FSE-specific Garante Guidelines, expected in the months following the Regulation’s application.

In the meantime, legal bases applicable to the FSE come down to:

  • Art. 9(2)(h) for care purposes, with the twofold anchor: national provision (art. 12 DL 179/2012 + DPCM 178/2015) and processing by professionals bound by secrecy
  • Art. 9(2)(i) for public health and planning purposes
  • Art. 9(2)(j) with the patient’s specific consent for research purposes, as already provided by the DPCM

Extra-EU transfers

Chapter V (arts. 44-50) regulates transfers of personal data to third countries. Valid bases include European Commission adequacy decisions, Standard Contractual Clauses, Binding Corporate Rules, and approved codes of conduct. The topic is critical for healthcare cloud infrastructures involving non-EU providers.

As of May 2018 the EU-US Privacy Shield (adopted in July 2016) operates as the main mechanism for transfers to US providers. Its framework is already under judicial challenge, with outcomes that could change the landscape in the coming years.

Sanctions

Art. 83 provides administrative fines up to EUR 20 million or 4% of annual worldwide turnover, whichever is higher. Severity — and in particular the possibility of turnover-based fines — represents a structural change compared with the previous regime.

What changes in practice

The GDPR does not revolutionise the principles of health data processing, already present in the 2003 Italian Privacy Code and in the 2009 Garante Guidelines on the FSE, but harmonises them at European level, makes them enforceable with coordinated supervisory authorities (EDPB) and pairs them with a new sanctions regime. For entities of the National Health Service, the concrete work of 2018 is more organisational than technical:

  • Appointment and structure of the DPO
  • DPIAs on structural processing operations (clinical record, regional FSE, labs, PACS, pharmacy)
  • Drafting and maintenance of records of processing activities
  • Revision of information notices and consents
  • Staff training
  • Renegotiation of contracts with data processors (IT vendors, document archives, cloud providers)

The real technical impact — integrating portability, objection and erasure mechanisms into systems — will emerge in the following months, with the interaction between Regulation, national adaptations and Garante guidance.


Legislative references: Regulation (EU) 2016/679 (GDPR), arts. 4, 5, 6, 9, 25, 30, 33-34, 35, 37, 44-50, 83. Legislative Decree 196/2003 (being adapted). Garante Guidelines on FSE, 16 July 2009. WP29 Opinion 05/2014 on anonymisation techniques. WP29 Opinion 3/2015 on health data in mobile devices. WP243 DPO Guidelines.
