On 21st of April 2020 the European Data Protection Board adopted Guidelines on the processing of health data for research purposes in the context of the COVID-19 outbreak and Guidelines on geolocation and other tracing tools in the context of the COVID-19 outbreak.
The Guidelines aimed to pay attention to the most urgent legal questions concerning the use of health data, such as the legal basis of processing of health data for the purpose of scientific research, the implementation of adequate safeguards and the exercise of data subject rights.
Data concerning health can be derived from different sources, for example:
- a health care provider in a patient record (results of examinations and treatments).
- data cross referencing that makes it health data by revealing state of health or health risks.
- a ‘’self-check’’ survey, where data subjects answer questions related to their health
- data used in a specific context (information regarding a recent trip to or presence in a region affected with COVID-19 processed by a medical professional to make a diagnosis), which makes it health data.
When talking about ‘’processing of health data for the purpose of scientific research’’ there are two types of data usages:
- Research on personal health data which consists in the use of data directly collected for the purpose of scientific studies (‘’primary use’’).
- Research on personal health which consists of the further processing of data initially collected for another purpose (‘’secondary use’’).
The guidelines state that the GDPR contains several provisions for the processing of health data for the purpose of scientific research, which also apply in the context of the COVID-19 pandemic. Also, the guidelines address legal questions related to the fight against COVID-19, in the absence of an adequate decision or other appropriate safeguards.
The COVID-19 pandemic causes an exceptional sanitary crisis of an unprecedented nature and scale. In this context, the European Data Protection Board (EDPB) considers that the fight against COVID-19 has been recognized by the EU and most of its Member States as an important public interest, which may require urgent action in the field of scientific research (for example to identify treatments and/or develop vaccines), and My also involve transfers to third countries or international organizations.
These Guidelines contain specific provisions allowing for the use of anonymous or personal data to support public authorities and other actors at both national and EU level in their effort to monitor and contain the spread of COVID-19.
The guidelines have two aims:
- Use of location data to support the pandemic response by modeling the spread of the virus in order to assess the overall effectiveness of isolation measures.
- The use of contact tracking, which aims to notify people who may have been in the immediate vicinity of someone who has been confirmed as a holder of the virus, in order to break the chain of distribution as early as possible.
Also, the Commissioner adopted a guide for contact tracing apps. The aim is to provide general guidance to designers and implementers of contact tracing apps, underlining that any assessment must be carried out on a case-by-case basis.
The European Data Protection Board emphasizes its position, expressed in a letter to the European Commission on 14 April 2020, that the use of mobile contact tracking applications should be voluntary and should not rely on individual tracking, but on information on the physical proximity of users.
Both sets of guidelines will exceptionally not be submitted for public consultation due to the urgency of the current situation and the necessity to have the guidelines readily available.