An Introduction to the GDPR in the Healthcare Environment

Data protection in healthcare can be a challenge because of the nature of the data being processed (special category data concerning health) and the volume that a health provider gathers over the processing lifecycle. In addition, subject access can be complicated by legal privilege, confidentiality, the sensitive nature of the data, the number of controllers and processors involved and the sheer volume of data.

Under the GDPR you always need a legal basis under Article 6 for processing personal data (contract, consent, legitimate interests, public task, vital interests or legal obligation) AND, for special category data, an additional condition under Article 9(2) has to be met as well.

For those providing medical or occupational health services, condition (h) of Article 9(2) may be the right approach. Article 9(2)(h) covers processing that “is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3”. Article 9(3) then sets out that safeguard: the data must be processed by or under the responsibility of a professional subject to the obligation of professional secrecy (or by another person also subject to an obligation of secrecy).

Another condition that could be invoked is Article 9(2)(c): processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent. This condition may apply, for example, where a patient has lost consciousness and is unable to make decisions about a data transfer that may save their life.

Another condition for processing special category data is explicit consent (Article 9(2)(a)). Special category data could therefore be processed under the Article 6 legal basis of contract together with the additional Article 9 condition of the data subject's explicit consent.

A note on consent, both as a legal basis for processing and as a condition for processing special category data, in employee health assessment situations: it can be complicated because consent must be “freely given”. As the balance of power between an employer and an employee is rarely even, it can be difficult to argue that consent has been freely given by the data subject. It is therefore worth considering whether consent is the correct basis at all or whether another basis is better. Food for thought…

Subject access requests in healthcare are an article in themselves, but one general point to note is that the GDPR does not apply to the deceased (Recital 27 leaves the data of deceased persons to Member State law). Therefore, if an authorised representative of a deceased data subject wishes to obtain their data, they must request it outside the GDPR framework, for example under Freedom of Information (if the organisation holding the data is an FOI body), through court discovery or by another administrative request.

The onus of justifying a refusal of an access request (from a living data subject) is on the data controller, and it can be a high bar to reach. Data subjects have the right to complain to the national supervisory authority if they disagree with your reasoning for refusal, so you must have a good reason that you can stand over.

One thing to note: an access request can be refused if disclosing the information contained in the requested documents would cause harm to the data subject and this has been verified by a relevant medical professional. A further refusal can be based on documents withheld under legal privilege. Both of these exemptions come from national law made under Article 23 of the GDPR rather than from the GDPR text itself, so their exact scope varies by Member State. If in doubt, check with the national supervisory authority or your data protection advisory service.

The retention of data in a healthcare context can also be difficult. Storage periods may be based on client need, defined best-practice sectoral standards, statute of limitations periods, legal obligations set down in specific health and safety, employment or medical legislation, or another valid reason. As discussed in other articles, the GDPR does not dictate time periods but does require that the data you hold is not excessive, is not kept for longer than necessary and has a legal reason for being held (the data minimisation and storage limitation principles in Article 5(1)). Therefore, if you have a specific need to retain data beyond your normal retention period, document it. Organisations should have retention schedules for each type of personal data they keep and should train staff in their use. There will always be exceptions where something is kept beyond its normal retention period, but it is key that staff know when to apply the retention schedule and when to seek advice. Putting the needs of the data subject / patient first is key, while also upholding the requirements placed on your organisation by data protection and other relevant legislation.

Enguard can assist with the issues which the GDPR raises, from audit, security and staff training to drafting policies and procedures. For further details please call us at Enguard on 0818 252 052 or email us. We would love to hear from you!


Disclaimer: Please note the above article is an opinion piece based on current sources of information available at the time of publishing. It should not be read as legal, clinical or other form of technical advice for the processing of data by processors or controllers. 

Kenneth Baker