At a glance: data protection and management of health data in … – Lexology

Data protection and management

Definition of ‘health data’

What constitutes ‘health data’? Is there a definition of ‘anonymised’ health data?

According to established legal doctrine and court practice, health data is any information that (directly or indirectly) allows conclusions to be drawn about the physical or mental health of an individual (in particular any medical finding following an examination, even where such a finding falls below the threshold of an actual diagnosis). As such, medical bills for treatments received and, in certain instances, bills for medicines constitute health data. Under the Federal Act on Data Protection (FADP), which – together with the corresponding Data Protection Ordinance (DPO) – generally governs data processing by private parties and federal bodies, data on health is considered sensitive personal data. Under the revised FADP (which will enter into force on 1 September 2023, together with the revised DPO), genetic data and biometric data (that unequivocally identify an individual) will be added to the definition of sensitive personal data.

Although there is no statutory definition of anonymised (health) data, anonymisation is commonly understood to refer to an irreversible process after which the data can no longer be linked to a specific individual (without disproportionate effort).

Several further federal acts and ordinances specifically govern the processing of health data, such as the Federal Act on Research involving Human Beings (HRA). The HRA, which applies to research concerning human diseases and the structure and function of the human body, defines health-related personal data as information concerning the health or disease of a specific or identifiable person, including genetic data (defined as information on a person’s genes, obtained by genetic testing).

The HRA defines anonymised health-related data as health-related data that cannot be traced to a specific person (without disproportionate effort). The Human Research Ordinance further specifies that for the proper anonymisation of health data, all items that, when combined, would enable the data subject to be identified without disproportionate effort (in particular, the name, address, date of birth and unique identification numbers), must be irreversibly masked or deleted.
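The following Python example is added here and is not part of the article or of any official Swiss guidance. It shows the practical difference the Ordinance's "irreversibly masked or deleted" criterion makes: one function anonymises a constructed health record by deleting the direct identifiers named above and generalising the date of birth to a ten-year age band, while a second function only pseudonymises the record with a keyed hash, whose tokens the key holder can map back to the person. The sample records, field names (including the fictitious AHV numbers) and the key are constructed for the example.

```python
"""Irreversible anonymisation versus keyed pseudonymisation of health records.

Added illustration of the Human Research Ordinance criteria quoted above;
all records, names, AHV numbers and keys below are constructed for the example.
"""
import hashlib
import hmac
from typing import Iterable, Optional

# Constructed sample records (fictitious people and values).
RECORDS = [
    {
        "name": "Anna Muster",
        "address": "Musterstrasse 1, 8000 Zürich",
        "date_of_birth": "1984-03-17",
        "ahv_number": "756.1234.5678.97",  # Swiss social insurance number (fictitious)
        "finding": "HbA1c 8.1 %",
    },
    {
        "name": "Beat Beispiel",
        "address": "Beispielweg 2, 3000 Bern",
        "date_of_birth": "1957-11-02",
        "ahv_number": "756.9876.5432.10",
        "finding": "blood pressure 160/95 mmHg",
    },
]

# The items the Ordinance names as needing irreversible masking or deletion:
# name, address, date of birth and unique identification numbers.
DIRECT_IDENTIFIERS = frozenset({"name", "address", "date_of_birth", "ahv_number"})


def anonymise(record: dict, reference_year: int) -> dict:
    """Irreversible anonymisation: delete the direct identifiers outright and keep
    the date of birth only as a 10-year age band (generalisation). No key or
    lookup table exists that could map the output back to the person."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    age = reference_year - int(record["date_of_birth"][:4])
    low = (age // 10) * 10
    out["age_band"] = f"{low}-{low + 9}"
    return out


def pseudonymise(record: dict, key: bytes) -> dict:
    """Keyed pseudonymisation: replace the identifiers with an HMAC of the AHV
    number. Useful for linking a person's records across datasets, but whoever
    holds the key can recompute the token for any known AHV number, so the
    output remains personal data and is NOT anonymised. (An unkeyed hash would
    be weaker still: the AHV number space is small enough to enumerate.)"""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    token = hmac.new(key, record["ahv_number"].encode(), hashlib.sha256).hexdigest()
    out["pseudonym"] = token[:16]
    return out


def relink(pseudonymised: dict, key: bytes, candidate_ahv_numbers: Iterable[str]) -> Optional[str]:
    """Re-identification available to the key holder: recompute the tokens for a
    pool of candidate AHV numbers and look the pseudonym up in the result."""
    table = {
        hmac.new(key, n.encode(), hashlib.sha256).hexdigest()[:16]: n
        for n in candidate_ahv_numbers
    }
    return table.get(pseudonymised["pseudonym"])


def is_anonymised(record: dict) -> bool:
    """Structural check only: no direct identifier and no per-person token is
    left. A real assessment must also weigh indirect identifiers (rare findings,
    small populations) that could single a person out when combined."""
    return (DIRECT_IDENTIFIERS | {"pseudonym"}).isdisjoint(record)


if __name__ == "__main__":
    key = b"constructed-demo-key"  # in practice a secret held by the controller
    anon = anonymise(RECORDS[0], reference_year=2023)
    pseudo = pseudonymise(RECORDS[0], key)
    print("anonymised:", anon, "->", is_anonymised(anon))
    print("pseudonymised:", pseudo, "->", is_anonymised(pseudo))
    print("re-linked by key holder:", relink(pseudo, key, [r["ahv_number"] for r in RECORDS]))
```

The point of the contrast is the Ordinance's irreversibility test: `anonymise` destroys the information (the exact date of birth cannot be recovered from "30-39"), whereas `pseudonymise` only hides it behind a key, so the controller, or anyone who obtains the key, can `relink` the record and the data stays within the HRA and the FADP.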

Data protection law

What legal protection is afforded to health data in your jurisdiction? Is the level of protection greater than that afforded to other personal data?

According to the FADP, health data benefits from a higher level of protection than regular personal data, as health data is considered sensitive personal data. Under the FADP, the processing of sensitive personal data is governed by special rules:

  • private parties must register their data files (prior to operational use) with the Federal Data Protection and Information Commissioner (FDPIC) (as further set out in the DPO) if, among others, they regularly process sensitive personal data;
  • disclosing sensitive personal data to third parties requires a justification (by, eg, express consent, overriding public or private interest or law); and
  • active information duties apply if sensitive personal data are obtained or processed (such duties also apply where the data is collected from third parties).

Under the revised FADP, the duty to notify data files to (and register with) the FDPIC will be abolished and replaced by a general duty to maintain records of processing activities. Further, extensive processing of sensitive personal data is deemed likely to lead to a high risk to an individual’s personality or fundamental rights and thus requires a data protection impact assessment (DPIA). If the DPIA indicates that the contemplated processing may still be of a high-risk nature despite the measures taken, the FDPIC must be consulted prior to such processing.

Under the revised DPO, if sensitive personal data are processed on a large scale by automated means and if preventive measures cannot guarantee data protection, data logs must be kept (logging at least the saving, modification, reading, disclosure, deletion and destruction of the data). The log must provide information on the identity of the person who carried out the processing, the type, date and time of processing and, if applicable, the identity of recipients. The logs must be kept for at least one year and separately from the system in which the personal data is processed. The logs must further be accessible only to the bodies and persons responsible for verifying the application of the data protection provisions or preserving or restoring the confidentiality, integrity, availability and traceability of the data, and the logs may only be used for such purposes.

Also under the revised DPO, processing regulations for processing by automated means must be issued (and regularly updated), if sensitive personal data are processed on a large scale. Such regulations must provide information on the internal organisation, data processing and control procedures as well as measures to ensure data security.

Under the HRA, if health-related personal data is further used for research, the consent of the persons concerned must be obtained at the time of collection, or they must be informed of their right to object. The HRA contains detailed provisions on such further use of genetic data and non-genetic health-related personal data as well as a transfer for purposes other than research, export and storage of health-related personal data. The Human Research Ordinance further contains detailed provisions on storage, measures for collection and further use of health-related personal data.

Anonymised health data

Is anonymised health data subject to specific regulations or guidelines?

To the extent health data is truly anonymised (namely, subjected to an irreversible process after which the data can no longer be linked to a specific individual without disproportionate effort), the resulting data is no longer considered personal data. Consequently, general data protection laws no longer apply. This understanding is further corroborated by the revised FADP, which provides that personal data no longer needed should be destroyed or anonymised.

However, the procedure of anonymising health data (or any other personal data, for that matter) itself entails data processing and is thus subject to the relevant data protection rules. That being said, contrary to European doctrine (according to which the anonymisation itself is considered a change of processing purpose requiring a justification), anonymisation without retention of a copy of the original non-anonymised data is treated in the same manner as a deletion and thus requires no justification. Under the revised FADP, which explicitly treats destruction and anonymisation in the same manner and further provides that personal data may be processed for purposes compatible with the initial purpose, anonymisation requires no justification even if a copy of the original non-anonymised data is retained, since such compatibility with the initial purpose may be assumed in the case of anonymisation.

The HRA itself provides that it does not apply to anonymously collected or anonymised health-related data.

Enforcement

How are the data protection laws in your jurisdiction enforced in relation to health data? Have there been any notable regulatory or private enforcement actions in relation to digital healthcare technologies?

The FDPIC is the federal data protection authority in Switzerland. Cantons may establish their own cantonal data protection authorities (which may supervise data processing by cantonal and communal bodies).

The FDPIC has no direct enforcement (or criminal or administrative sanctioning) authority. However, the FDPIC investigates on its own initiative or at the request of a third party if:

  • methods of processing are capable of breaching the privacy of a large number of persons;
  • data files must be registered; or
  • there is a duty to provide information in connection with a cross-border data transfer.

To this end, the FDPIC may request files, obtain information and arrange for processed data to be shown. Based thereon, the FDPIC may recommend that a certain method of data processing be changed or abandoned. Such recommendations are not binding but if they are not complied with or are rejected, the FDPIC may refer the matter to the Federal Administrative Court and, on appeal, to the Federal Supreme Court for a decision. Any such final decision is binding on the parties.

Under the revised FADP, the FDPIC will initiate, ex officio or upon notification, an investigation if there are sufficient indications that a specific data processing could violate data protection rules (unless such breach is of minor significance), and if such investigation reveals a violation, render binding administrative measures, including:

  • that processing is fully or partially adjusted, suspended or terminated;
  • that personal data is fully or partially deleted or destroyed; and
  • in certain cases, disclosure abroad is deferred or prohibited.

Unlike most other European data protection authorities, the FDPIC still cannot impose any (administrative) fines.

Private parties are liable to a fine of up to 10,000 Swiss francs if they, among others, wilfully:

  • fail to notify data files or in so doing provide false or incomplete information;
  • provide the FDPIC with false information in the course of an investigation or refuse to cooperate;
  • fail to inform on the collection of sensitive personal data; or
  • breach the duty to keep sensitive personal data confidential.

Under the revised FADP, these (and many further) violations are subject to a fine of up to 250,000 Swiss francs.

Since the investigative possibilities of the FDPIC are limited (and fines can only be imposed by a court of law of competent jurisdiction), there are very few significant investigations (or sanctions) related to data protection violations. Accordingly, there have been very few notable ‘enforcement’ actions in relation to digital healthcare technologies.

One case in point is the Helsana+ case, in which the FDPIC recommended to a health insurance company that its app-based bonus programme Helsana+ (in which participants could perform activities to gather plus points, which could then be converted into cashback and other non-cash benefits) should not be used to collect or process any basic insurance data or to obtain consent to such collection and processing, and that cashback should not be offered to participants who had only concluded the mandatory basic insurance. Since the recommendations were declined, the FDPIC brought the case before the Federal Administrative Court. The Court ruled that the consent obtained to collect personal data from the basic insurance service providers was not compliant with data protection law. However, the use of data lawfully obtained from policyholders who had only concluded the mandatory basic insurance was found not to breach the FADP.

Another recent example is the FDPIC’s investigation into the National Organ Donation Register (NODR) (an online register where registered users can enter their will for or against organ donation in the event of their death) operated by Swisstransplant, the Swiss Foundation for Organ Donation and Transplantation. Following a complaint by the persons responsible for a Swiss investigative TV programme, the FDPIC opened a formal fact-finding procedure concerning the NODR’s electronic registration process. After it became apparent early on in the investigation that it was possible to register with the NODR under another person’s name, Swisstransplant discontinued registration (initially with the intention of replacing it with a more secure online process, but later indefinitely in light of the federal register that will replace the NODR, presumably by 2024). The NODR would still have been accessible to hospitals for a transition period, but registered users would no longer have been able to change their expression of will and would only have been able to delete their accounts.

The FDPIC had already issued its report when Swisstransplant decided not to accept any new registrations, making some of the recommendations obsolete. With the exception of two recommendations to improve technical security, Swisstransplant accepted all remaining recommendations, which would have significantly reduced the operational risks associated with the NODR. The two rejected recommendations primarily referred to the abandoned registration process, but a residual risk remained in relation to the account deletion process (accounts could have been deleted by unauthorised third parties). However, since Swisstransplant finally decided to cease all operations of the NODR permanently, even that residual risk was no longer relevant.

Cybersecurity

What cybersecurity laws and best practices are relevant for digital health offerings?

Switzerland has no dedicated cybersecurity laws. However, under the Federal Act on Data Protection (FADP), any personal data must be protected against unauthorised processing through adequate technical and organisational measures, as further specified in the Data Protection Ordinance (DPO), including:

  • general measures to ensure confidentiality, availability and integrity of data to ensure an appropriate level of data protection. In particular, systems must be protected against unauthorised or accidental destruction; accidental loss; technical faults; forgery, theft or unlawful use; and unauthorised alteration, copying, access or other unauthorised processing. In assessing the adequacy of measures, the purpose of the data processing; the nature and extent of data processing; an assessment of the possible risks to data subjects; and the current state of the art must be taken into account. The measures must be reviewed periodically;
  • special measures to be implemented, in particular for automated processing, including entrance, data carrier, transport, disclosure, storage, usage, access and input controls, each as further described in the DPO. Also, data files must be structured in a manner that data subjects are able to assert their rights of access and to have their data corrected;
  • record-keeping, among others, with respect to automated processing of sensitive personal data if preventive measures cannot ensure data protection, in particular, if it would not otherwise be possible to determine whether data has been processed for the purposes for which it was collected or disclosed. The records must be stored for one year in a state suitable for auditing and be accessible only to those whose duty it is to supervise compliance with data protection regulations, and may be used only for this purpose;
  • issuance of processing policy (if automated data files subject to registration with the Federal Data Protection and Information Commissioner (FDPIC) are used) describing internal organisation and data processing and control procedures and containing documents on planning, realisation and operation of the data file and information technology used – to be updated regularly and made available to the FDPIC (or the data protection officer, as applicable) upon request in a comprehensible form; and
  • in the case of disclosure, notification of data recipient or recipients as to how up-to-date and reliable the personal data disclosed is, unless such information is evident from the data itself or the circumstances.

Under the revised FADP and revised DPO, the necessary level of protection must be determined, and suitable technical and organisational measures (to be reviewed and adapted as required) implemented, in a risk-based approach. In doing so, the types of processed data, the purpose, type, extent and circumstances of data processing, the risks to personality and fundamental rights, the current state of the art and the implementation costs shall be considered. The revised DPO includes detailed provisions on the foregoing.

The FDPIC published the Guide for technical and organizational measures, which covers four areas: data access (security of premises, server rooms and workspaces; identification and authentication; access rights), life cycle (data entry, recording, pseudonymisation and anonymisation, encryption, device security, data backup and destruction, outsourcing of processing, security and protection), transfer (network security, encryption and signing of messages, handover of devices, recording of data transfers) and access rights (individual rights of the data subjects concerned and replicability of procedures).

Best practices and practical tips

What best practices and practical tips would you recommend to effectively manage the ownership, use and sharing of users’ raw and anonymised data, as well as the output of digital health solutions?

The disclosure of sensitive personal data requires the express consent of the data subjects concerned (or a justification by an overriding private or public interest or by law). Since for most applications of digital health solutions no other justification is apparent, a clear process should be established for obtaining express (and informed) consent from any individuals whose health data are disclosed. Further, internal policies should be put in place to address requests made by individuals with respect to their health data and to set out how health data may be processed by employees or contractors of the digital health solution provider.

Although there is no legal requirement to appoint one, if an operational data protection officer (who meets the requirements set out in the FADP and the DPO) is appointed, the controller of data files is not required to declare its files to the FDPIC. Under the revised FADP, if a data protection adviser (who meets the requirements set out in the revised FADP) is appointed, consulting that data protection adviser may replace the consultation of the FDPIC following a data protection impact assessment (DPIA), as applicable.

Since many new duties will be introduced by the revised FADP, it seems reasonable to already apply them to new digital health solutions, including:

  • implementing privacy by design and by default (setting up technical and organisational measures to meet data protection regulations and data processing principles from the planning of the processing, which shall be appropriate with respect to the state of the art, type and extent of processing and associated risks; and ensuring through appropriate predefined settings that data processing is limited to the minimum required by the purpose, unless the data subject instructs otherwise);
  • keeping records of processing activities (containing all relevant information and at least such information explicitly set out in the revised FADP);
  • implementing a process for automated individual decisions, if any (inform individuals of any decisions solely based on automated data processing and having legal effects or significantly affecting him or her, whereby the affected individual may generally request to express his or her point of view and have the decision reviewed by a person);
  • implementing processes to conduct DPIAs (whenever it appears that an envisaged processing activity is likely to lead to a high risk to an individual’s personality or fundamental rights (eg, in the case of extensive processing of sensitive personal data, which will often be the case with respect to digital health solutions) and consult with the FDPIC (prior to such processing if the DPIA indicates that the contemplated processing may be of a high-risk nature despite any measures taken);
  • implementing a process to address data breaches (data breaches that are likely to lead to a high risk to the personality or fundamental rights of the individual concerned must be notified to the FDPIC as quickly as possible. Where necessary for the protection of the individual or if requested by the FDPIC, the controller must also notify the respective individuals);
  • implementing technical capabilities to retain data logs, as necessary;
  • drawing up processing regulations, as necessary; and
  • reviewing and adapting, as necessary, the technical and organisational measures in place.

The FDPIC published on its website guidelines on the processing of personal data in the medical field, which address the doctor-patient relationship including:

  • processing and sharing of health data, access rights and data security (in particular access, device, transport, disclosure, storage, usage and input controls as well as logging or recording of automated processing and virus protection);
  • electronic processing of medical records;
  • electronic health cards;
  • maintenance of hard and software containing health data; and
  • processing of medical data for research, planning and statistics purposes.

The FDPIC further published guidelines on biometric recognition systems.