Personal Data Protection and COVID-19 Test Results
According to the Personal Data Protection Act, information connected to the health of an individual constitutes sensitive personal data. The concept of sensitive personal health data includes supplementary categories which are as follows:
- Any information that relates to both the biological and the mental state of human health;
- Genetic data, to the extent that they reveal information about health or predisposition to disease;
- Biometric data, when they reveal the existence or predisposition of a disease or reveal the genetic identity of a person, also falls into the sensitive personal health data; and lastly
- Data kept in the records of donors and recipients of human tissues and organs.
Understandably, sensitive personal data is also the result of any medical examination and biochemical analysis. The Covid-19 pandemic brings to the surface the criticality of securing the coronavirus test result, as a sensitive personal data. This criticality is exacerbated by the fact that due to the circumstances and characteristics of this particular virus, the specific test is performed in a massive scale, affecting a large number of people.
The European Council of Data Protection, on the occasion of the outbreak of Covid-19, noted that the personal data, that are necessary for the accomplishment of intended objectives, should be processed for specific and explicit purposes.
In addition, data subjects should receive clear information about the processing activities performed and their main characteristics, including the retention period of the collected data and the purposes of the processing. The information provided should be easily accessible and phrased in a clear and simple manner.
The Council, therefore, emphasizes in particular the importance of establishing appropriate security measures and confidentiality policies to ensure that personal data is not disclosed to unauthorized persons. The measures taken to manage the current emergency and the basic decision-making process should be properly documented.
Countries that collect personal data for the purposes of Covid-19, must comply with the GDPR and their own legislations. Indicatively, the Italian Data Protection Authority issued a decree relating to the relationship between the GDPR and Covid-19, the need to process specific categories of personal data and that certain data protection rights could be suspended to combat the virus. Respectively, in France and Ireland instructions have been given on the handling of personal data in the context of Covid-19.
According to GDPR, personal health data should include all data relating to the data subject's state of health which disclose information about the subject's past, current or future state of physical or mental health of the data subject. This includes information resulting from tests or analyses on a part or substance of the body, including genetic data, biological samples and any additional information, for example, about illness, disability, disease risk, medical history, clinical treatment or physiological or biomedical status of the data subject, regardless of source, for example, by a physician or other healthcare professional, hospital, medical device or in vitro diagnostic test.
In addition to this, the processing of personal data is considered lawful when it is considered necessary to protect an interest, that is essential to the life of the data subject or other natural person. Certain types of processing can be used for important reasons in the public interest and for the vital interests of the data subject, such as when processing is necessary for humanitarian purposes, including to monitor epidemics and its spread or situations of humanitarian emergency, especially in cases of natural and man-made disasters.
The Responsible Bodies (hospitals, laboratories, etc.) that carry out the coronavirus tests are responsible for the faithful observance of the above obligations arising from the General Data Protection Regulation (GDPR) and the respective national legislations.
By using an important case as an example, the Data Protection Commissioner of Cyprus, made recommendations to a private hospital during the investigation of a complaint submitted by citizens about the way in which the hospital handled their personal data, which were stated in the “Investigation Form/Statement of Suspect for infection with the new coronavirus (SARS-Cov-2) ” which concerned a sample of a patient who underwent this pre-operative test.
The citizens, following these events, complained that the form was in the hands of unauthorized persons working in various departments of the Hospital, including the surgical department, and that themselves, although directly concerned, had not been properly informed by the manager. The Office of the Data Protection Commissioner found that a nurse of the Surgical Department was aware of the test result, without being an interested party. For these reasons the Manager proceeded with a written reprimand to that particular nurse.
In conclusion, the results of Covid-19 must be treated with a great importance since it concerns sensitive personal data which must be preserved. Disclosure of any test result to unauthorized persons is a clear violation of the GDPR, which can have negative consequences on the personality and morality of the patient.
For any further guidance regarding this procedure or if you require an initial consultation, please do not hesitate to contact our Law Firm at [email protected], +357 22 251 777 or +357 25 261 777 or please visit our office in Nicosia or Limassol.