Does medical data require a passport?
Keeping medical data within a jurisdiction
European regulations on the handling of medical data have a long and complicated history from country to country. With the addition of the GDPR, an additional layer of complexity was added to the laws of data jurisdiction. Let’s examine this in greater detail, and determine what exactly the law says about medical data in particular.
Before the GDPR
Medical data, such as private patient records have always been protected with the utmost seriousness. For this reason, many of those records were not allowed to be handled outside of specific countries. Germany’s Bundesdatenschutzgesetz and France’s 2018 data protection law, for example, force data senders and receivers to obey their regulations, while data handlers are required to reside in the country in question.
This required anyone who wanted to send data across borders to read up on the legislation of their point of transmission and data destination location. Essentially, the holder of the data would have to guarantee the protection and privacy of any personal data and only process that data within the jurisdiction of the data’s origin. However, the exact specifics of each country would change depending on the law in question. Some country’s standards were higher than others, and some simply had limited to no data regulation at all.
The General Data Protection Regulation (GDPR) was created to rectify this situation across the EU - for medical data as well as any travelling personal data.
The GDPR and Medical Data
The GDPR defines a framework for all EU nations to protect the private data of their citizens. In essence, all data protection laws would have to fall under the bare minimum of the GDPR’s regulations.
The regulations the GDPR set out include how personal data may be gathered, what data may be collected, how it is processed and, most importantly for this blog, where it may travel.
Regulations for medical data
Every individual or organisation that deals with EU citizens has to abide by the GDPR. Effectively, this includes most multinational organisations, including the life sciences industry. The regulation has obligations put upon those who collect the data and those who process it.
The GDPR places most of the legal obligations on the processor, which include:
- Maintaining records of personal data
- Correctly processing and handling personal data
- To secure and protect all personal data collected
Controllers are expected to:
- Ensure all contracts with processors comply with the GDPR
- Have the intent to use the data in good faith
Also, the GDPR imposes many regulations on data transmission between EU countries or even outside of the EU. Let’s take a closer look at those requirements.
Medical data travelling outside of the EU
Non-EU Organisations or individuals who are either data controllers or processors must either appoint an accredited EU representative or have appropriate safeguards approved by the European Commission.
Appointment of an EU Representative
An EU Representative approved in writing through a duly signed letter of accreditation is required for any organisation sending data leaving the EU. Organisations who fail to designate such a representative, violate the GDPR and will be subject to fines of up to 10 million Euros or 2% of the annual worldwide turnover.
Countries outside of the EU are known as third countries. Organisations operating out of third countries are forbidden by the GDPR to control or process data of EU subjects unless appropriate safeguards are imposed and formally considered adequate by the European Commission.
These safeguards include:
- Binding corporate rules
- Standard contractual clauses issued by the DPA
- Scheme of binding and enforceable commitments
- Legal rules and regulations (such as the CCPA in California)
However, due to the nature of how the internet works, organisations cannot guarantee that their data travels to or between locations that are approved by the GDPR or have sufficient safeguards. This had led to the utilisation of private networks to guarantee the secure transport of sensitive data with the approved protection policies.
Since the internet works by simply selecting the cheapest route possible to its final destination, it cannot guarantee secure transmission or keep the data within the bounds of approved countries.
Some service providers offer private networks to guarantee that any data that travels through is contained within a specific jurisdiction. This helps life science companies to keep sensitive data within the EU and avoid any risks associated with data travelling externally.
However, using private networks leads to more expenses in access and maintenance. Due to the multiplication of accesses for companies that work with the life science industry, companies have to stack their accesses for every medical research or study.
Luckily, today there is an opportunity for life science organisations who want to stay within the jurisdiction of the GDPR and control where their data goes with the Next-Generation Internet.
The Next-Generation Internet
The single best way life science organisations can stay compliant with the GDPR and ensure their patient data is contained within a jurisdiction is by controlling their data, where it goes and who sees it. Next-generation internet services such as Anapaya’s offer this control and additional security measures to help stay compliant and secure.
Anapaya offers life science organisations the ability to select which networks their sensitive patient data passes through. For example, if they want data to stay within a particular territory and avoid others, they may do so.
This ensures that life science organisations who use Anapaya’s Next-Generation Internet, stay compliant with the GDPR and retain ultimate control over their data and where it goes.
Anapaya’s solutions are a reliable, stable and secure alternative to connect and send data online. If you would like to find out more about Anapaya’s solutions to regain control over your data and secure it against cybercrime, contact us.
Disclaimer: Anapaya and those associated with the creation of this article are not legal professionals. The information contained above is intended to educate and inform but is by no means meant to be construed as legal advice. Always consult an accredited legal professional should you require advice on the GDPR or national legislation.