Expert Advice Community

Guest user Created: Sep 23, 2019 Last commented: Sep 23, 2019

Health information

Our company needs to send some health information about the people using our devices to the ministry of health.
  1. Do we need to get the consent before?
  2. Are we allowed to keep copies of their ID cards?
  3. Are there any security requirements on how to protect health data?
  4. We are sending some health data, but only non-aggregated/statistical data, to some of our producers that are outside the EU. Are there any specific things we need to do?
Expert
Andrei Hanganu Sep 23, 2019

1. Do we need to get the consent before?

My assumption is that you have a legal obligation to send the health information to the Ministry of Health, and if this is the case you don't need to ask the data subjects for consent. However, in the privacy notice addressed to them you would need to mention that their personal data, as well as health data, will be sent to state authorities based on an existing legal obligation.
If you want to find out more about privacy notices, check out this free webinar: Privacy Notices under the EU GDPR (https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/).

2. Are we allowed to keep copies of their ID cards?

I would advise you to keep copies of IDs only if you have a specific legal obligation to do so. There are very limited situations where keeping copies of IDs would be justified.

3. Are there any security requirements on how to protect health data?

The EU GDPR does not impose specific security requirements; these need to be decided depending on the types and categories of personal data you are processing. Since you are processing health-related data, I would suggest having in place stricter measures such as encryption both in transit and at rest. ISO 27001 can be used as an example of best practices when it comes to security measures.

4. We are sending some health data, but only non-aggregated/statistical data, to some of our producers that are outside the EU. Are there any specific things we need to do?

If the data is truly and irreversibly anonymized you can send it without restriction.
