Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak

Section 5.4  Integrity and confidentiality

49. As mentioned above, sensitive data such as health data merit higher protection as their processing is likelier to lead to negative impacts for data subjects. This consideration especially applies in the COVID-19 outbreak as the foreseeable re-use of health data for scientific purposes leads to an increase in the number and type of entities processing such data. 

50. It has to be noted that the principle of integrity and confidentiality must be read in conjunction with the requirements of Article 32 (1) GDPR and Article 89 (1) GDPR. The cited provisions must be fully complied with. Therefore, considering the high risks as outlined above, appropriate technical and organisational up-to-date measures must be implemented to ensure a sufficient level of security.

51. Such measures should at least consist of pseudonymisation, encryption, non-disclosure agreements and strict access role distribution, access role restrictions as well as access logs. It has to be noted that national provisions may stipulate concrete technical requirements or other safeguards such as adherence to professional secrecy rules.

52. Furthermore, a data protection impact assessment pursuant to Article 35 GDPR must be carried out when such processing is “likely to result in a high risk to the rights and freedoms of natural persons“pursuant to Article 35 (1) GDPR. The lists pursuant to Article 35 (4) and (5) GDPR shall be taken into account.

53. At this point, the EDPB emphasises the importance of data protection officers. Where applicable, data protection officers should be consulted on processing of health data for the purpose of scientific research in the context of the COVID-19 outbreak.

54. Finally, the adopted measures to protect data (including during transfers) should be properly documented in the record of processing activities.