Expert Advice Community

Guest

Health information

  Quote
Guest
Guest user Created:   Sep 23, 2019 Last commented:   Sep 23, 2019

Health information

Our company needs to send some health information about the people using our devices to the ministry of health.
  1. Do we need to get the consent before?
  2. Are we allowed to keep copies of their ID cards?
  3. Are there any security requirements on how to protect health data?
  4. We are sending some health data but only non aggregated/statistical data to some of our producers that are outside the EU are there any specific thing we need to do?
0 0

Assign topic to the user

EU GDPR DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

EU GDPR DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Andrei Hanganu Sep 23, 2019

 

1. Do we need to get the consent before?

My assumption is that you have a legal obligation to send the health information to the Ministry of Health and if this is the case you don`t need to ask the data subjects for consent. However, in the privacy notice addressed to them you would need to mention that their personal data, as well as health data, will be sent to state authorities based on an existing legal obligation.
If you want to find out more about privacy notices check out this free webinar Privacy Notices under the EU GDPR (https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/).

2. Are we allowed to keep copies of their ID cards?

I would advise you to keep copies of IDs only if you have a specific legal obligation to do so. There are quite very limited situations where keeping copies of IDs would be justified.

3. Are there any security requirements on how to protect health data?

The EU GDPR does not impose specific security requirements these need to be decided depending on the types and categories of personal data you are processing. Since you are processing health-related data I would suggest having in place more strict measures such as encryption both in transit and at rest. ISO 27001 can be used as an example of best practices when it comes to security measures.

4. We are sending some health data but only non aggregated/statistical data to some of our producers that are outside the EU are there any specific thing we need to do?

If the data is truly and irreversibly anonymized you can send it without restriction.

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Sep 23, 2019

Sep 23, 2019

Suggested Topics

Guest user Created:   Mar 10, 2021 EU GDPR
Replies: 3
0 0

Is explicit consent request necessary?

Guest user Created:   Oct 16, 2019 EU GDPR
Replies: 1
0 1

Questions regarding GDPR

Guest user Created:   Feb 13, 2018 EU GDPR
Replies: 1
0 0

EU GDPR obligations