Cloud computing and privacy series: legal issues related to sensitive

This sixth and final article of our cloud computing and privacy series (links to our previous articles below) discusses the legal issues related to the processing of sensitive data and the hosting of health data in a cloud environment.
Directive 95/46/EC (the “Data Protection Directive”) provides for a special regime applicable to so-called ‘sensitive data’. The rationale for this reinforced legal regime is the presumption that the misuse of this category of data “could have more severe consequences on the individual’s fundamental rights”. For instance, the misuse of health data “may be irreversible and have long-term consequences for the individual as well as his social environment”(1).
Considering that cloud computing services and infrastructures are increasingly being used to store and process personal data of such a sensitive nature, the present article examines how the processing of sensitive data, and in particular health data, is regulated in the EU as well as in certain Key Member States(2). Although this article addresses the issues of electronic health records, it does not examine the specific issues relating to non-privacy requirements such as those provided under criminal law, medical ethics, health legislation or patients’ rights.
The concept of sensitive (health) data in the EU
Pursuant to Article 8 of the Data Protection Directive, sensitive data concerns “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and (…) data concerning health or sex life”.
As highlighted by the Article 29 Working Party (the “Working Party”) in its Advice Paper on special categories of data (“sensitive data”) of 4 April 2011, Article 8 of the Data Protection Directive has been implemented in similar ways across the EU. However, there are some differences, notably with respect to the categories of sensitive data.
All national data protection legislation in the Key Member States includes the data listed under Article 8 of the Data Protection Directive. Some Member States have, however, included additional types of data. For instance, when focusing on health data, we note that the Czech Data Protection Act explicitly includes genetic and biometric data in the legal definition of sensitive data. Similarly, the Polish Data Protection Act includes genetic code, as well as addictions. Also, a few countries explicitly provide for a more detailed list, such as the United Kingdom, which refers for instance to “physical and mental health”.
The Working Party admits that health data represents the most complex area of sensitive data and that it displays a great deal of legal uncertainty. Consequently, a proposal to create new categories of sensitive data has emerged. This notably includes the idea of adding genetic and biometric data, but also data on minors or on individuals’ geo-location. As a result of the problems relating to certain categories of sensitive data, and in particular health data, in the national implementation of the Data Protection Directive, the Working Party has encouraged a revision of the current system.

Read more at: Cloud computing and privacy series: legal issues related to sensitive by Bird & Bird

