Data protection authorities from around the world are stepping in to provide their input and guidance on the matter of data processing activities and the fight against the coronavirus. Hogan Lovells’ global Privacy and Cybersecurity team has compiled the guidance from various European authorities, which we are making available with this post.
Clinical trials in the EU include the collection of sensitive health data from patients. Trial sponsors are obliged to reconcile their respect of regulations governing data protection with regulations governing the conduct of clinical trials. The GDPR¹ could not fully harmonize these rules since this area is already heavily regulated by public health regulations that vary between EU Member States. One of the most disconcerting areas of divergence between EU Member States is the different national positions on whether patient consent is a valid legal ground for processing personal data in clinical trials.
With the coming into effect of the General Data Protection Regulation (“GDPR”), those conducting clinical trials in the EU face a complex set of rules ranging from lawful grounds for processing and transparency to restrictions on data transfers and secondary uses. To assist with this task the European Commission is in the process of adopting a Q&A document on which it has sought the advice from the European Data Protection Board (“EDPB”).
The General Data Protection Regulation entered into force on 25 May 2018. In light of the urgency to adapt Law no. 78-17 dated 6 January 1978 to the new European Union law, the French Government has initiated an accelerated procedure. This procedure led to the adoption in final reading by the French National Assembly of the bill on personal data protection on 14 May 2018. However, some French Senators lodged a constitutional complaint against the said law on 16 May 2018.
Last week, the UK’s Information Commissioner’s Office published a monetary penalty notice, which fined a private healthcare company, HCA International, £200,000 for its failure to keep sensitive data secure.
On Wednesday, August 17, 2016, the Future of Privacy Forum released a set of detailed guidelines for the collection and use of consumer-generated wellness data. The document, Best Practices for Consumer Wearables & Wellness Apps & Devices, was drafted by FPF with input from a wide range of stakeholders, including privacy advocates, companies, and regulators. The Best Practices guidelines set forth a Fair Information Practice Principles-based trust framework that builds on existing legal expectations to provide a set of best practices providing appropriate protections given the nature and sensitivity of the data.
On 6th July, the UK Government published two independent reviews concerning data security and data sharing in the health and care system in England. At the same time the UK Government launched a public consultation on proposals resulting from these reviews. The public consultation will be of interest to organisations that regularly interact with the public health sector in the UK and in particular to those organisations that rely on access to health data from the NHS for research purposes.
Part 3 of Future-Proofing Privacy: The Concept of Personal Data Revisited. Along with the concept of personal data, as opposed to anonymous data, the Regulation introduces a third category, that of pseudonymous data. Pseudonymous data is information that no longer allows the identification of an individual without additional information and is kept separate from it. At the moment the standards according to which data is considered as anonymous or pseudonymous are established by the DPAs at a national level. Once the Regulation comes into force, the requirements and the applicable regime will become more uniform and this will provide greater legal certainty. Genetic data and biometric data are also both defined for the first time.
Following the launch of its mHealth Developer Portal last October, the HHS Office for Civil Rights has released guidance clarifying how HIPAA applies to mobile health apps. Ensuring that developers understand their legal obligations is critical to protecting consumer privacy and security, especially now that there are more than 165,000 health apps available in the iTunes and Android app stores. A more clear understanding of how the rules apply can also help bring down barriers to innovation.
The EU General Data Protection Regulation has been called the most lobbied piece of legislation in the history of the EU. Before Christmas last year, what is likely to be the final text of the GDPR emerged from the EU trilogue negotiations. Victoria Hordern, Senior Associate at Hogan Lovells, explores what the new GDPR will mean for those collecting and handling health data, and examines a number of the provisions and themes that impact the use of health data.
In our previous post we outlined the key issues regarding mHealth devices and services from a privacy law perspective. Now, we go further into the details and discuss the scope of the personal data involved, especially relating to sensitive health data. We introduce the relevant statutory requirements in the EU and the legal opinions of the Article 29 Working Party and the European Data Protection Supervisor as well as having a look at the upcoming European General Data Protection Regulation. Against this legal background, one core question we will examine is whether information collected and processed by lifestyle apps and devices must be classified as health data and fall under the strict requirements of European data protection laws.
With the new year fast approaching, the Federal Trade Commission and the National Telecommunications & Information Administration, a bureau within the Department of Commerce, recently announced a number of privacy initiatives for 2014 that will break new ground for both agencies and will impact a wide array of industries.
A February 4, 2013 article published by the specialized healthcare news site “Actusoins” revealed data breaches at several French hospitals and clinics, demonstrating that such incidents can occur even in a highly-regulated jurisdiction. The journalist was researching another article, and entered the name of a physician into Google. The journalist was astonished to find at […]