Health Data and Pre-trial Disputes

Let's say you're a Data Protection Officer in a medical center. One of your patients has a complaint about the services provided. What personal data about the patient can you give to third-party lawyers, without asking for consent, in order to protect the center's interests? Can you hand over the medical records, or just the name? Or do you still need to obtain consent?

Today we'll cover quite a sensitive topic — health data in the context of litigation and pre-trial disputes.

Processing personal data in this context, in any jurisdiction, poses a risk to the privacy of a quite vulnerable category of data subjects: patients. And to what extent will the medical center be protected from unscrupulous patients? Digging deeper into the situation, we come across the peculiarities of regional regulation.

What about the GDPR?

First, medical centers collect complaints and claims as a separate process. They do it to get feedback and protect their rights, not because consent is required by law.

The next challenge is patients' health data, which is a special category of data and in many cases requires consent for processing. At this point, some colleagues won't risk sending a full medical record to lawyers, in order to avoid entering the special categories area at all.

But there is a catch! Even if you only email the lawyer the patient's first name and surname, the fact that the person has been to a medical center (whether a general clinic or a specialized urological center) will reveal data relating to their health. Don't forget the context of the processing.

Nevertheless, the GDPR provides an exception for processing which is necessary for the establishment, exercise, or defense of legal claims, or whenever courts are acting in their judicial capacity (Article 9(2)(f) GDPR). Such processing is interpreted quite broadly and includes not only ongoing court proceedings but also administrative or out-of-court proceedings (Recital 52). It's important to underline the necessity of the processing: it's still not a good idea to send a lawyer the entire medical history when the complaint concerns a single extracted wisdom tooth.

The final situation in which consent may be required for such a disclosure under the GDPR is a cross-border transfer of the data to a jurisdiction that does not provide an adequate level of protection, where the transfer relies on an Article 49 derogation.

The formula here is simple: either seek local counsel to avoid transferring data abroad, or rely on the Article 49(1)(e) GDPR derogation ("the transfer is necessary for the establishment, exercise, or defense of legal claims"). The EDPB's guidelines on the Article 49 derogations also allow this derogation to be used for data transfers in the pre-trial phase.

Friendly reminder: if a patient was not initially informed that their data may be shared with a third-party law firm, you (as the DPO) are expected to update your privacy policy and provide additional notification of the changes.

If your medical center is not located in an EEA country, you need to pay attention to the legal basis, the special categories regulation, and the rules on transfers to third parties. These are the areas where national laws vary most. You won't be able to transfer personal data without consent in countries where consent is the main legal basis. Such a national law may provide an exception to consent only for situations where "processing of personal data is necessary for the establishment or exercise of the rights of the personal data subject or third parties, as well as in connection with the administration of justice", and pre-trial settlement does not fall into this category.

What do you think: should the regulator in this situation make life easier for the medical center, or give more control to the data subject?

Share your thoughts in the comment section.


Author: Julia Bahdanava, GDPR DPP, GDPR DPM, CIPP/E, Strategic Privacy by Design.
