III. Basic concepts
The definition of personal data
Pursuant to the GDPR personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The controller shall be fully liable for every damages that may occur to the data subject in connection with the data management. [GDPR Article 4, point 1]
Processing of special categories of personal data
Besides of the definition of personal data, the GDPR Article 9 gives a short list about the special categories of personal data which are revealing the follows:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership;
The following data also belong:
- the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.
- Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6 (1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority. [GDPR Article 10]
The data management shall be progressed with caution during the processing of special categories of personal data.
The tasks of the controller and the processor are also especially the record of the data, the enumeration of the processed data, the safety data storage, and if it necessary, performing the impact assessment.
The data subject (patient/patients)
The most important task and aim is the protection of the patients. It ensures their data shall be processed appropriately and the unauthorized person does not have access to these data.
Pursuant to the GDPR Article 4 data subject shall mean a natural person who has been identified or is identifiable by reference to any information. The legal persons data shall be not protected by the data protection regulation.
Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. [GDPR Article 4, point 7]
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. [GDPR Article 4, point 2]
Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects. [GDPR Article 26]
Restriction of processing
Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future. [GDPR Article 4, point 3]
During the data management, it can be occurred that the data process shall be restricted by the controller because of the request of the data subject.
The processor assists for the controller work. It is worth to notice in connection with the data processing that the processor has not got individual decision-making power and the right to dispose. The processor does his/her work following the instructions of the controller. Data processor shall mean a natural or legal person or unincorporated organization that is engaged in processing operations within the framework of and under the conditions set out by law or binding legislation of the European Union, acting on the controller’s behalf or following the controller’s instructions. The Info Act Sec. 25/C states that where processing is carried out by a person or body, such processors must be able to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner to ensure the lawfulness of data processing and the protection of the rights of the data subject. Before the commencement of processing the data processor shall provide proof to the data controller of having such guarantees. Pursuant to the Info Act Sec. 25/D (3) point a) the data processor acts only on instructions from the controller made out in writing. Relating to the Info Act 25/D (3) point c) the processor assists the data controller by any appropriate means to ensure compliance with the provisions on the data subject’s rights. Basically this means that the processor assists the data controller’s work with auxiliary technical activities. These activities can be the followings for instance: collecting or transmission. [GDPR Article 4, point 8 with Info Act Sec. 25/C and Sec. 25/D (3) points a), c)]
Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. All person shall be regarded as recipient, who get the data for any purpose. [GDPR Article 4, point 9]
The consent of the data subject (patient)
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. [GDPR Article 4, point 11]
In Hungary, the National Authority for Data Protection and Freedom of Information (NAIH) is responsible for carrying out supervisory and official tasks. The NAIH safeguards the security of the data, enforces the data protection laws, responsible for the appropriate functioning of the data protection and enforce the application of the GDPR and Info Act. Draws the attention of the controller and processor to their obligations and inform the affected persons to their rights. Besides this, the NAIH conducts the official investigation and keep inner records. [GDPR Article 4, and 51]
Personal data breach
Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. [GDPR Article 4, point 12]
Genetic data means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question. [GDPR Article 4, point 13]
Biometric data means personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data. [GDPR Article 4, point 14]
Data concerning health
Data concerning health means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status. [GDPR Article 4, point 15]
The Ethics Code of the Psychologists (ECP) point 5.1. describes the concept of the psychological secret. The psychologists are burdened by the obligation of the psychological secret relating to every single psychological and personal data which came to his/her attention. The ECP states that the psychologist may only inform these data to an authorized person and he/she shall be obligated to handle the data confidentially. Besides the above-mentioned and described obligations, the ECP prescribes that the psychologists obligation of confidentiality still exist after the end of his/her relationship with client.
Pursuant the ECP point 5.1.1. psychologists secrets shall include all psychological and personal data which obtained in the course of their professional activities, as well as other data relating to the treatment that is required, ongoing or completed, and which is known in connection with the treatment regardless he/she has known these data with written or oral communication or during any other psychological care. [Ethics Code of the Psychologists point 5, 5.1, 5.1.1]
It important to notice that, in addition to the notion of the psychological data, the ECP use the term of the personal identification data in the concept of psychological secret. It can be said that the sphere of the processed data was narrowed, (specified) to the particular data, like as the personal identification data.
In the interpretation of the ECP, it can be preposterous because during the psychological care, not only the psychological and personal data will be recorded but also the physical, physiological or intellectual data which can be connected to the patients psychological status. It would be better the use of the concept of personal data. This concept gives a wider sphere of the data to be stored. To avoid the confusion, the sphere of the personal identification data like as the name, residence, the dwelling place, the social security number, etc. should be mentioned as an example in the concept of personal data.
Pursuant to the ECP point 5.1.2. psychological data in particular are the follows: those data which are related to the data subject’s mental and psychical state, the behavior, the data which are also related to performing adoptive parenting, foster parents, guardian tasks, or those data which are related to exclusion the ability of performing the above-mentioned tasks, or aptitude or its exclusion or those data which are related to pathological passion, detected, examined, measured, mapped and derived data furthermore those data which can be related to the previous ones and also those data which influence the previous mentioned data. [Ethics Code of the Psychologists point 5.1.2]
During the psychological cares, the psychologist must ensure the right process, storage and protect of the patient’s personal data. Formerly it shall be applied the Act LXIII of 1992 on the Protection of Personal Data and the Disclosure of Information of Public Interest. By making the Info Act the aforementioned act was repealed. In the health care from 25th May 2018 besides the Info Act, the GDPR is applicable primary in Hungary.
The HCA (Act CLIV of 1997 on the Health Care; Health Care Act) Sec. 25 (1)-(7) regulate the legal institution of the medical confidentiality. According to the Commentary, the rule of the medical confidentiality shall not only applied to the doctors but also to every single health care provider. The medical confidentiality include the patients all personal data, within is this particularly their health care data which are related to their health status and which are come to the knowledge of those persons who are involved in the health care during the patients treatment. The patients have the rights that these data, particularly those data which are related to their health status shall be communicated only to the authorized persons and these data shall be processed confidentially by those persons who are involved in the health care. All of these data are called uniformly medical confidentiality by the Health Law and the Medical Science. [HCA Sec. 25 (1); Commentary on the Health Care Act]
It is worth to note that the HCA also use the concept of personal identification data. In itself this is not a problem but it would be better to use the notion of personal data in the introduction of this chapter of HCA because this concept include a wider sphere of the patient health data. All in all it can bear on more report content than the previous notion.
Enterprise, group of undertakings, supervisory authority
The GDPR determines the concept of enterprise in the following way: it is a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity. [GDPR Article 4, point 18]
The GDPR determines the concept of group of undertakings in the following way: it means a controlling undertaking and its controlled undertakings. [GDPR Article 4, point 19]
According to the GDPR the supervisory authority is an independent public authority to be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union. The public authorities are provided by the member States of the European Union. [GDPR Article 4, point 21 and Article 51 (1)]
Right to information
Although the right to information is one of the patients fundamental rights during the treatment, it is still closely connected to the data management. Namely during the treatment the patient, the doctor and the health care provider exchange the information between each other. The patient asks questions to the doctor in relation with his/her health status or the treatment and the doctor answer them in connection with the aforementioned questions. Pursuant to the HCA the patient has the right to get detailed information about his/her health status, the treatments (interventions), planned schedule, the decision-making power related to the treatments, the possible alternative procedures, the methods, the process and outcome of the treatment, about the further treatments and the recommended lifestyle. Furthermore, the patient has the right to asks questions or get to know about his/her results of the performed health treatments and interventions, their failure and their different results and their reasons. The patient also has the right to get to know those doctors and persons name, qualification with their position who were contributed during the patient treatment. Here also belongs the consent based on information because the patient may only agree to the treatment if he/she has the proper information. The conditions required for information are provided by the health care provider. If the patient speaks in foreign language, he/she has a right to use the help of interpreter. Before the treatment, the doctor must inform the patient about the costs and fees of the treatment if the patient health status makes it possible. [HCA Sec. 13 (1)-(9)]
The right to information of the health document
The patient has the right to get to know about his/her health document with its content like as the data related to his/her health treatments. The patient may make extract and copy about these documents. The patient also has a right to get the medical report or a written summarized opinion about his/her health status. The patient entitled to choose the authorized person who has the right to look into the documents behalf of him/her. [HCA Sec. 24 (1)-(13)]
The aforementioned list is not complete. It solely describes the basic concepts which occur during the health data management based on the GDPR, the Info Act and the Health Care Act. The concepts which were missed out from the GDPR are the following: main establishment, representative, binding corporate rules, supervisory authority concerned, cross-border processing, relevant and reasoned objection, information society service, international organisation, third party, filing system, profiling, pseudonymisation. The missed concepts will be discussed in separate articles, if it necessary.
The third part of the article will discuss the legal base of the health data management and the prevailing basic principles which occur during the data management.