In April 2016, the European Parliament approved and adopted the General Data Protection Regulation (GDPR), which aims to bring a single cohesive system of privacy regulation to the European Union (EU). The GDPR replaces the previous EU Data Protection Directive 95/46/EC, and is intended “to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.” The GDPR comes into force on May 25, 2018.
The GDPR primarily applies to all EU member states; however, it may have broader territorial reach and application for some non-EU (and Canadian) organizations. This article summarizes the key requirements of the GDPR, to assist Ontario hospitals and other health sector organizations in determining whether this Regulation applies to any of their activities.
Key Definitions in the General Data Protection Regulation
The GDPR relies on a number of key definitions, as outlined below:
- Controller: a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union/Member State law.
- Processor: a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.
- Personal data: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Territorial Reach and Application
When it comes into force, the GDPR will apply to organizations that have an establishment in the EU; and to organizations established outside of the EU if they:
(1) Offer goods and services to EU subjects, irrespective of whether payment is required; or
(2) Monitor the behaviour of EU subjects within the EU (for example, tracking internet activity for targeted advertising purposes).
Where either of these provisions apply, controllers and processors who are not established in the EU may have to appoint a designated representative in an EU member state as a contact person for all EU subjects.[1] This individual or entity would serve as a representative for all inquiries and compliance issues relating to the GDPR.
Ontario hospitals and health sector organizations may wish to consider whether their activities fall under (1) above.[2] Explanatory guidance under the GDPR indicates that merely having a general website, accessible to a global audience, would not suffice to indicate an intention to offer “goods and services” to EU subjects. Rather, “factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.”[3]
Requirements with Respect to Consent
If a hospital or health sector organization determines that the GDPR applies, there are particular requirements with respect to consent for processing of personal data. In general, consent must be “freely given, specific, informed and unambiguous.” Such consent must be expressed “by a statement or by a clear affirmative action.” Explicit consent (i.e. orally or in writing) is required for “sensitive personal data,” which may include demographic and health-related information. There must be an opportunity for individuals to specifically withdraw or refuse consent in relation to processing of sensitive personal data. In addition, a number of other consent-related principles apply:
- Individuals must generally be given a right to withdraw consent at any time, and it must be as easy to withdraw consent as to give it. Controllers are required to inform individuals of the right to withdraw consent before it is provided;
- An individual can submit a request to the controller to have personal data erased or to prevent further processing of that data, in certain circumstances;[4]
- Consent must be specific to each data processing operation, unless subsequent activities are sufficiently similar to ones previously consented to;
- Any child under the age of 16 requires parental consent for the processing of personal data; and
- Records must be maintained to demonstrate that consent has been provided.
Ontario hospitals and health sector organizations may wish to consider how the requirements of the GDPR align with consent-related provisions under key provincial legislation, including the Personal Health Information Protection Act, 2004 (PHIPA); the Freedom of Information and Protection of Privacy Act, and its municipal counterpart; and in relation to marketing activities under Canada’s anti-spam legislation (CASL). Implied consent under PHIPA may not be sufficient in all circumstances relating to EU residents.
Requirements with Respect to Breach Notification
The GDPR will require organizations to report a “personal data breach” to the applicable data protection authority (DPA) within 72 hours after having become aware of it. A “personal data breach” is a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” Reporting is not required if a personal data breach is “unlikely to result in a risk to the rights and freedoms of natural persons.”
A DPA is characterized as an independent public authority that supervises, through investigative and corrective powers, the application of the data protection law. DPAs provide expert advice on data protection issues and address complaints lodged against violations of the GDPR and relevant national laws. Each EU member state has its own DPA.[5]
If the breach is likely to result in a “high risk of adversely affecting individuals’ rights and freedoms,” organizations must also inform affected individuals without undue delay. A “high risk” indicates that the threshold for informing individuals is higher than for notifying the DPA.
Guidelines on Personal Data Breach Notification under the GDPR[6] indicate that the following factors should be taken into consideration in the assessment of risk:
- The type of breach;
- The nature, sensitivity and volume of personal data;
- Ease of identification of individuals;
- Severity of consequences for individuals;
- Special characteristics of the individual (for example, when children or vulnerable individuals are affected);
- The number of affected individuals; and
- Special characteristics of the data controller (for example, whether that controller possesses highly sensitive information).
Note that the GDPR does not directly clarify how organizations established outside of the EU should report to the DPA, although reporting through a designated representative is a possibility. Ontario hospitals and health sector organizations that determine that the GDPR applies should consider their privacy breach notification obligations under PHIPA, including requirements to notify the Office of the Information and Privacy Commissioner (IPC), and determine the appropriate course of action in the event of a privacy breach.
Other requirements of the GDPR
The GDPR contains a number of other technical requirements that may be of interest to Ontario hospitals and health sector organizations:
- Individuals have a right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller must provide a copy of the personal data, free of charge, in an electronic format;[7]
- Individuals also have a right to receive personal data that they have provided to a data controller in a structured, commonly used and machine readable format and to transmit that data to another data controller without hindrance;
- Controllers must implement appropriate technical and organizational measures, including data protection policies that comply with the requirements of the Regulation. This may include appointing a data protection officer and conducting data protection impact assessments; and
- Data processors (i.e. those who process on behalf of controllers) must also implement appropriate measures to ensure that the processing will meet the requirements of the GDPR.
Further information on these and other requirements under the GDPR is available through the EU GDPR Information Portal.
Penalties for Non-Compliance
Organizations in breach of the GDPR can be fined up to 4% of annual global turnover or 20 million euros (whichever is greater). This is the maximum fine that can be imposed for serious infringements of the Regulation; however, smaller fines (2% or 10 million euros) may be imposed under specific provisions.
Additional Information
There are many other technical and operational requirements under the GDPR. For additional information, please see:
ABOUT THE AUTHOR
Alice M. Betancourt is a Senior Legal and Policy Advisor with the Ontario Hospital Association (OHA). This article was originally published on www.oha.com, for use by OHA members and the general public. This article is not intended as, nor should it be construed as, legal or professional advice or opinion. The author would like to gratefully acknowledge feedback received from OHA colleagues in the preparation of this article.
[1] Further information on the designation of a representative is outlined under Article 27 GDPR and Recital (Explanatory Note) 80.
[2] It is assumed that Ontario hospitals and healthcare sector organizations are not participating in activities under (2), i.e. that involve online monitoring or profiling of EU residents for marketing purposes.
[3] See Article 3(2) GDPR and Recitals (Explanatory Notes) 23 and 24 for specific applications.
[4] Certain conditions apply – for example, only when the personal data is no longer necessary or relevant in relation to the purpose for which it was originally collected – see Article 17 GDPR and Recitals (Explanatory Notes) 65 and 66.
[7] Note that the controller may charge a reasonable fee for "repetitive requests", "manifestly unfounded or excessive requests" or "further copies" – see Articles 12 and 15 GDPR.