Argentina: Privacy and the health sector
The evolution of information technologies and the processing of large amounts of data, even more so following the COVID-19 pandemic, has allowed the healthcare industry to develop multiple applications oriented to wellness and medicine on a global scale in recent years. Mobile applications with tools for prevention, monitoring, diagnosis, and follow-up, for example, which promote changes in habits and energise the relationship between doctors and patients, are becoming more common. Gabriela Szlak, Partner at Lerman & Szlak, reviews the most relevant aspects of the industry applicable to the private sector.
Despite the significant benefits for patients, healthcare professionals, and other players, considering the special categories of information involved in this type of treatment, there is a demand for stronger safeguards against possible violations of personal rights, which translates into a more proactive approach to privacy.
Main regulatory aspects in Argentine legislation
The data privacy regime in Argentina, regulated under the Personal Data Protection Act, Act No. 25.326 of 2000 ('the Act') [1], Decree No. 1558/2001 Regulating Law No. 25.326 ('the Decree') [2], and the regulations issued by the Argentinian data protection authority ('AAIP') [3], grants health data a differential and more rigorous treatment.
These regulations set forth a strict data protection regime for the collection, storage, use, and transmission of databases and personal information which is stored and/or processed. The data collection and processing involved in the health sector shall be carried out in compliance with these regulations.
It is worth mentioning that there are certain data privacy bills currently filed before the National Congress of Argentina, aiming at aligning the Argentinian data privacy framework with the current global standards. In addition, the ratification of Convention 108+ for the Protection of Individuals with Regard to the Processing of Personal Data is also pending.
According to Article 2 of the Act, health data is considered sensitive data, together with personal data revealing racial and ethnic origin, political opinions, religious, philosophical or moral convictions, union membership, and information concerning sexual life.
The main conditions for the processing of health data are as listed below:
- Consent. As a general rule, the processing of personal data requires the free, express, and informed consent of the data subject. Regarding health data, as it is considered sensitive data, the Act specifically establishes that 'no person may be forced to provide sensitive data'. The data subject must be informed of: the purpose of the collection and processing; the entities responsible for the processing; if the data will be transferred; and the possibility for the data subject of exercising the rights of access, rectification, and deletion, among others (Articles 5, 6, and 7 of the Act);
- Other legal basis. Consent to the transfer is not required when: it is provided for by a law; in the cases provided for in Article 5, paragraph 2 (for example, when it is collected by virtue of a legal obligation; it derives from a contractual, scientific, or professional relationship of the owner of the data and is necessary for its development or fulfillment); when it concerns personal data related to health and it is necessary for reasons of public health, emergency, or for the performance of epidemiological studies [4]; or when a procedure of dissociation of the information has been applied, so that the data subjects are unidentifiable (see section 'Dissociation techniques' below).
- Applicable principles:
  - Principle of purpose: personal data collected from data subjects must be certain, adequate, relevant, and not excessive in relation to the scope and purpose for which they were obtained. The data to be processed may not be used for different or incompatible purposes from those for which it was collected.
  - Principle of legality: the collection of data may not be carried out by unfair or fraudulent means or in a manner contrary to the provisions of the law.
  - Principle of security: the party responsible for, or user of, the database must adopt the necessary measures to guarantee the security and confidentiality of personal data to avoid its adulteration, loss, consultation or unauthorized processing, as well as to detect information deviations, intentional or not, whether the risks come from human action or from the technical means used (Article 9 of the Act). Likewise, Resolution 47/2018 [7] has provided for security measures recommended for the processing of personal data in computerised media.
  - Principle of minimisation: personal data must be destroyed when it is no longer necessary or relevant for the purposes for which it was collected.
- Professional secrecy: health professionals involved in any phase of the processing of personal data are bound by professional secrecy, even after the relationship with the data subject (the patient) has ended. However, professionals may be relieved of such duty by a court order or when there are justified reasons related to public safety, national defense, or public health (Articles 8 and 10 of the Act).
- Assignment: the general principle is that assignments may only be performed for purposes directly related to the legitimate interest of the transferee and with the previous consent of the data subject, who must be duly informed of the purpose of the assignment and of the identity of the assignee. This consent is revocable (Article 11 of the Act). The assignee is subject to the same legal obligations as the assignor and shares joint and several liability for their non-compliance before the data subject and the AAIP.
- Exercise of data protection rights: the rights established in the Act (access, rectification, suppression, among others) must be guaranteed.
- Patient's rights regarding health professionals and health institutions: the Act establishes that the patient is the owner of their medical records and that they may request them from any health professional or health institution through a request for access (Article 14 of the Act) [8]. In this regard, as reported by the enforcement authority [9] during the first half of 2021, over 50 queries about sensitive data and access to medical records and nine claims for non-compliance have been received and processed by the data protection authorities.
- Health data and advertising: in the offer of goods and services, health data may only be processed if obtained in accordance with the Act and within a relationship between the consumer or user and the provider of medical services and subordinated to non-discrimination (Article 27 of the Decree). Furthermore, such data may not be transferred to third parties without the previous, express, and informed consent of the data subject. Therefore, the data subject must be previously informed of the sensitive nature of this information, as well as the information related to Articles 6 and 11 of the Act, such as the right to request the elimination of the database.
- International transfers to third parties other than the data controller: the obligation of accountability, ensuring adequate guarantees of privacy and security, is contemplated in Argentine law through different regulations such as Provision 60/2016 [10], Resolution 34/2019 [11], and Resolution 159/18 [12]. Likewise, subsection 2 of Article 12 of the Act provides for some cases such as the exchange of medical data, when so required for the treatment of the affected person, or for epidemiological research.
Biometric and genetic data
Genetic and biometric data are not expressly contemplated in the definition of sensitive data provided by Article 2 of the Act. However, they can be considered included within the concept of personal data given the fact that they consist of 'information referring to specific or identifiable individuals [or legal entities]'.
Biometric data is defined by the Best Practices Guiding Criteria for the Application of Act 25326, established by Resolution 4/2019 [13], as 'all personal data obtained from a specific technical treatment, relating to the physical, physiological or behavioral characteristics of a human person, which allow or confirm his or her unique identification'. Nonetheless, given that it consists of 'information referring to specific or identifiable individuals [or legal entities]', as already mentioned, it can be considered included within the concept of personal data.
These Guiding Criteria also provide that this kind of data would qualify as sensitive data 'only when [the data] may reveal additional data whose use could be potentially discriminatory for the data subject' (e.g., data revealing ethnic origin or health information).
On the other hand, the definition of genetic data was incorporated in the 2018 Draft Reform of the Act (Act No. 25.326) as data '[r]elated to the inherited or acquired genetic characteristics of a human person that provide information about his physiology or health, obtained in particular from the analysis of a biological sample'.
Through Legal Opinion 12/2015 [14], the enforcement authority understood that when genetic information consists of an alphanumeric record that provides only identifying information, it shall not be considered sensitive data under the terms of the Act if it does not reveal information related to health, racial, or ethnic origin of a person.
Dissociation techniques
Article 7 of the Act establishes that sensitive data may be processed for statistical or scientific purposes when the data subjects cannot be identified. In this regard, the dissociation of data is defined by Article 2 of the Act as 'any processing of personal data in such a way that the information obtained cannot be associated to a specific or identifiable person'.
Regarding the dissociation procedure, Resolution 4/2019 specifies that 'an individual shall not be considered an identifiable person, in the terms of article 2 of Act 25326, when the procedure to be applied to achieve its identification requires the application of disproportionate or unfeasible measures or deadlines'.
Therefore, through the application of procedures that generate an impossibility to determine to whom the data belongs, data controllers and processors would be in the presence of anonymised data which is considered outside of the scope of the Act, and thus, no data protection principles would be applicable to its processing.
It is important to underline that due care must be taken to ensure that there is no possibility of re-identifying the data subject, for example, through the use of publicly available data.
Finally, it is worth mentioning that, at present, the current regulation on personal data protection in Argentina does not define the concepts of anonymisation or pseudonymisation.
- The National Civil and Commercial Code ('the Code') [15]: Article 55 of the Code establishes that consent for the disposition of personal rights can be admitted if it is not contrary to law, morals, or good customs, being of restrictive interpretation.
- Law No. 27.553 on Electronic or digital prescriptions [16]: this law enables the issuing of electronic medical prescriptions and the use of tele-healthcare platforms. In this regard, the PDP has provided advice on how to protect personal data in the different video-call platforms [17].
- Law No. 23.511 on National Genetic Data Bank [18]: this law created the National Bank of Genetic Data for crime prevention and criminalisation purposes.
Argentina has adopted and incorporated international instruments into its domestic law. For example, the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data was approved by Law No. 27483 [19], and the Convention on Cybercrime of the Council of Europe was approved in Argentina by Law No. 27411 [20].
Gabriela Szlak, Partner
Lerman & Szlak, Buenos Aires
1. Available, only in Spanish, at: http://servicios.infoleg.gob.ar/infolegInternet/anexos/60000-64999/64790/norma.htm
2. Available, only in Spanish, at: http://servicios.infoleg.gob.ar/infolegInternet/anexos/70000-74999/70368/norma.htm
3. Available, only in Spanish, at: https://www.argentina.gob.ar/aaip
4. For reference, please refer to the 'Best Practices Guidelines' issued by the AAIP in relation to principles applicable within the framework of COVID-19, only available in Spanish: https://www.argentina.gob.ar/sites/default/files/guia_temperatura.pdf; and https://www.argentina.gob.ar/sites/default/files/guia_coronavirus_0.pdf
5. Available, only in Spanish, at: https://www.argentina.gob.ar/normativa/nacional/disposici%C3%B3n-18-2015-245973/texto
6. Available, only in Spanish, at: https://www.argentina.gob.ar/sites/default/files/guia_final.pdf
7. Available, only in Spanish, at: https://www.argentina.gob.ar/normativa/nacional/resoluci%C3%B3n-47-2018-312662
8. Available, only in Spanish, at: http://servicios.infoleg.gob.ar/infolegInternet/anexos/160000-164999/160432/norma.htm
9. See the report of the enforcement authority, available, only in Spanish, at: https://www.argentina.gob.ar/noticias/tu-historia-clinica-tu-derecho
10. Available, only in Spanish, at: https://www.argentina.gob.ar/normativa/nacional/disposici%C3%B3n-60-2016-267922
11. Available, only in Spanish, at: https://www.argentina.gob.ar/normativa/nacional/resoluci%C3%B3n-34-2019-320275/texto
12. Available, only in Spanish, at: http://servicios.infoleg.gob.ar/infolegInternet/anexos/315000-319999/317228/norma.htm
13. Available, only in Spanish, at: http://servicios.infoleg.gob.ar/infolegInternet/anexos/315000-319999/318874/norma.htm
14. Available, only in Spanish, at: https://www.argentina.gob.ar/sites/default/files/d2015_12.pdf
15. Available, only in Spanish, at: http://servicios.infoleg.gob.ar/infolegInternet/anexos/235000-239999/235975/norma.htm#6
16. Available, only in Spanish, at: https://www.boletinoficial.gob.ar/detalleAviso/primera/233439/20200811
17. Available, only in Spanish, at: https://www.argentina.gob.ar/noticias/recomendaciones-para-videollamadas
18. Available, only in Spanish, at: http://servicios.infoleg.gob.ar/infolegInternet/anexos/20000-24999/21782/norma.htm
19. Available, only in Spanish, at: https://www.argentina.gob.ar/normativa/nacional/ley-27483-318245/texto
20. Available, only in Spanish, at: http://servicios.infoleg.gob.ar/infolegInternet/anexos/300000-304999/304798/norma.htm