Spain: AEPD publishes guide for health sector professionals
The Spanish data protection authority ('AEPD') published, on 22 June 2022, its 'Guide for professionals in the health sector', which answers frequent questions from professionals involved in the provision of health services, aiming to facilitate compliance with data protection regulations. In particular, the guide outlines issues often raised in this sector, such as the legitimacy to process health data, who can access the patients' clinical history and in what cases, the responsibility and obligations derived from such processing, and the management of the rights of patients or situations that may involve communication of data to third parties.
Specifically, the guide addresses a variety of topics and provides the below answers, among others:
- Where a third party is contracted for services, such as the management of clinical histories, a contract must be in place, clearly and specifically identifying the data processed and the instructions for the processing which the third party intends to carry out, as well as establishing the way in which it ensures compliance with its accountability obligations.
- The patient's consent is generally not required when the processing is necessary for purposes of preventative or occupational medicine, evaluation of the work capacity of the employee, medical diagnosis, and management of health and social care systems and services, among others; instead, the guide explains that the processing is based on the corresponding legislation or by virtue of a contract with a healthcare professional, highlighting that processing by healthcare professionals is subject to professional secrecy.
- The processing of the personal data of a minor may only be based on their consent when they are over 14 years of age.
- Access to the clinical history of the patient is limited: not every professional, and not under every circumstance, can access it. The guide specifies that both health personnel and other professionals can access it solely for the performance of their duties, without revealing the data to which they have access to third parties, further explaining that the possibilities to access the clinical history data differ depending on the type of professional function and the purpose of access to said data.
- The appointment of a data protection officer ('DPO') is mandatory for public and private health centres, except where health professionals carry out their activity privately on an individual basis.
- While patients have the right to access documentation relating to their clinical history in accordance with state health regulations, data protection regulations do not recognise the right of access to specific clinical history documents, but rather allow for the provision of confirmation of the personal data processed and granting of access to such data by means of a copy.