Internal hyperlinks for navigation

Article - Sectors of industry

Guidelines on the Protection of Health Data

Introduction

What is the target group of the Guidelines and what support do they provide?

The health industry is one of the largest sectors in Germany. Digitisation increasingly plays a major role for its development. Established companies are developing new digital solutions, and young start-ups are advancing creative ideas and innovative business models. At the same time, it is difficult for enterprises to successfully enter the health market as desired due to regulatory requirements. Against this background, the digitisation of the health industry offers great potential, and the Federal Ministry for Economic Affairs and Energy is providing active support to fully tap this potential.

The requirements to be met in terms of data protection are a major challenge for digital products. This has been true even more since the European General Data Protection Regulation (GDPR) entered into force on 25 May 2018. Data protection plays a key role in the health industry as health data are particularly sensitive and need to be protected comprehensively. Developers of digital products should take account of these data protection requirements at an early stage to make sure that their products do not need to be adjusted in a time-consuming way at a later stage.

The Guidelines on the Protection of Health Data therefore aim to serve as an introduction in this important field for developers and suppliers of digital health products. They outline the general data protection requirements and the provisions in specific areas, e.g. automated decision-making, big data applications and the development of apps. In order to ensure that they are practical, the Guidelines have been developed in coordination with companies of the digital economy. They also include references to freely accessible diagrams, checklists and sample forms of authorities and associations.

Apart from the detailed description in the Guidelines on the Protection of Health Data (in German) (PDF, 3 MB) and the introduction on this website, further information about the key terms of the legislation on the protection of health data is provided in the FAQs and in the Glossary.

The document is targeted at all companies that collect and process health data. The Guidelines are based on a comprehensive definition of the term of ‘health data’ to grant optimum protection to sensitive health data (part 1 of the Guidelines (in German) (PDF, 3 MB).

General Requirements

Requirements on dealing with health data

Reasons that justify the processing of health data

The processing of personal data requires special reasons justifying it. In the case of sensitive health data, additonal requirements must be met apart from the general data protection requirements. The Guidelines describe the practical reasons and possible exemptions using concrete examples (part 2 A.1 of the Guidelines (in German)) (PDF, 3 MB). They explain in particular the requirements regarding the approval by the person concerned, which is extremely important in practice, and present a best practice.

Organisational measures to protect health data

Companies that deal with sensitive health data must make organisational provisions to ensure the protection of these data. In the context of these provisions, employees must commit themselves to keep the data secret and a list of all data processing operations must be drawn up. One important requirement is the appointment of a data protection officer who advises the company concerned on data protection and keeps in contact with the competent supervisory authority (part 2 A.II of the Guidelines (in German)) (PDF, 3 MB).

A risk-based data protection impact assessment helps to identify the specific measures to be taken. The Guidelines present the necessary procedures and refer to further guidelines and practical cases (part 2 A.VI of the Guidelines (in German)) (PDF, 3 MB).

Measures to safeguard users’ rights

Persons concerned are granted various rights to protect their data. First, they must be informed by companies about the processing of their data in a data protection statement. Furthermore, persons concerned can request information about their data and/or the correction or deletion of their data. They can object to the further processing of (some of) their data or request the transfer of these data to other suppliers. When companies develop products they must therefore ensure that they can comply with these rights of persons concerned. In addition to the individual rights of persons concerned and their significance, the Guidelines contain proposals for relevant concepts for this purpose (part 2 A.III of the Guidelines (in German)) (PDF, 3 MB).

Data protection requirements

Data security is particularly important in the health sector. The persons concerned and the public react in a very sensitive way in case of data leaks. The GDPR specifies the binding required protection level. The Guidelines describe these requirements in more detail and present examples of adequate security measures as well as the procedure and the related requirements in case of data leaks. In addition, they refer to further guidelines published by data protection authorities and associations (part 2 A.IV and A.V of the Guidelines (in German)) (PDF, 3 MB).

Data processing by several persons

Data processing by several persons

Due to the increasing complexity of data processing, the data are often processed by several persons.

Common responsibility for data security

The general data protection requirements are to be met when several persons are involved in data processing. The Guidelines explain how cooperation can be agreed on and how persons concerned can be informed in line with the general rules (part 2 A.VII of the Guidelines (in German)) (PDF, 3 MB).

Processing by specialised service providers

However, the situation is different when a company commissions a specialised (technical) service provider to process health data on its behalf. This is often the case when cloud services are used. In the case of such data processing by service providers, the GDPR provides for certain privileges and exemptions from the strict requirements applied on the exchange of health data with other companies. In order to be granted such privileges and exemptions, the service provider needs to be commissioned as a contractor subject to instructions, taking account of specific requirements. The Guidelines outline the scope of the privileges and the conditions to be met for this type of processing, using examples. Special consideration is given to service providers abroad, making a distinction between EU countries, privileged third states, the United States and other third countries (part 2 C of the Guidelines (in German)) (PDF, 3 MB).

Special data types

Requirements for special data types

The requirements pertaining to data protection may vary for special data types. While data that are subject to professional confidentiality must comply with even stricter rules, the requirements do not need to be met in the case of effectively anonymised data.

Data subject to professional confidentiality

Data from doctors and members of other medical professions must meet special requirements as these medical professions are subject to professional discretion whose violation may be subject to criminal prosecution. In these cases, it must therefore not only be examined whether data protection requirements are met, but also whether the processing of data is permitted under professional rules (part 2 B of the Guidelines (PDF, 3 MB) (in German)).

Anonymisation of data

In the case of anonymous or anonymised data, the requirements of the GDPR do not need to be met as the data do not contain information about individuals. However, it should not be taken for granted that health data in particular have actually been anonymised. It must not be easy to identify the person to whom the data refer. This is not the case if the person can still be identified by means of information provided by third parties. As data on an individual’s health are very specific, it is relatively easy to identify persons especially on the basis of health data. The Guidelines therefore present various procedures to successfully anonymise health data (part 2 F.II of the Guidelines (PDF, 3 MB) (in German)).

Special Products

Requirements for apps, profiling and big data

The data protection requirements may also vary depending on the type of products offered.

Requirements for apps

Apps are a major part of mHealth. Thanks to mobile devices, users can benefit from health services provided anywhere. This, however, may imply special risks for their health data. The Guidelines outline what data protection requirements should be paid special attention to and what additional legal requirements must be taken into account (part 2 D of the Guidelines (PDF, 3 MB)) (in German).

Special requirements for profiling and automated decision-making

Many innovative digital health products make use of profiling and automated decision-making as additional instruments for diagnosis and therapy recommendations. For this purpose, specific personal aspects of natural persons are evaluated to analyse their health conditions. Theoretically, a diagnosis is possible on this basis without the involvement of natural persons. Such applications, however, are subject to particularly strict requirements in view of the related impact on the patients concerned. The Guidelines explain under which conditions the use of such instruments is permitted and what security arrangements must be taken (part 2 E of the Guidelines) (in German).

Big data evaluations

Big data applications are expected to contribute to making progress in the medical sector. The analysis of a huge amount of data helps to identify interactions. Apart from the rare case of anonymised data, such applications must meet special data protection requirements. The Guidelines provide an introduction to this topic and outline solutions (part 2 F.I of the Guidelines (PDF, 3 MB)) (in German).

Compiance with data protection requirements

Proof of compliance with data protection requirements

It is very important for companies to be able to provide proof of compliance with data protection requirements, if necessary. For this purpose, a comprehensive documentation is needed. In addition, various bodies offer to examine whether data protection requirements have been complied with and issue the relevant certificates or certifications. The Guidelines give an overview of these bodies (part 3 of the Guidelines (in German)) (PDF, 3 MB).

iStock.com/Nastasic