Legal basis for processing personal health data for insurance purposes

26 Aug

This article addresses the processing of personal data for insurance purposes, a topic that is particularly pressing in light of the widely discussed GDPR (General Data Protection Regulation, the EU's general regulation on the protection of personal data). The author pays particular attention to the problem of requiring explicit consent for the processing of personal data, and to the context of the Portuguese legal framework.


Insurance activity, policies and products generally rely on personal data and data processing, including the processing of special categories of data (also known as sensitive data) for certain types of insurance coverage. Health data is top of the list of special categories for which processing is required, particularly for:

health insurance;
motor insurance;
accident at work insurance;
life insurance; and
personal accident insurance.

Processing personal data under GDPR

Under the General Data Protection Regulation (GDPR), which applies from 25 May 2018, the processing of health data for insurance purposes requires the data subject’s ‘explicit consent’. This poses enormous challenges for the insurance industry and could (when applied fully) jeopardise the ability to provide certain policies which require the processing of health data for their execution and performance. Such data is also essential for the performance of accident at work and personal accident insurance contracts. The challenges for the insurance industry are great with regard to processing the health data of policyholders and their family members and beneficiaries included in group policies.

A number of EU member states have included insurance-specific provisions in national laws passed before the GDPR came into effect, providing specific grounds for the processing of health data in the insurance industry. These provisions were foreseen by Article 9(2)(g) of the GDPR, which states that where data processing is required for public interest reasons, the law of EU member states must be ‘proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject’.

Portugal has no specific national legislation in this regard. However, the Data Protection Act Proposal is under discussion in Parliament and is expected to be approved in the next few months.

The initial version of the Data Protection Act Proposal includes no insurance-specific provisions regarding the processing of health data. The only relevant provisions concern the processing of health data in the context of:

Article 9(2)(h) of the GDPR, which covers data processing required for:
- preventive or occupational medicine;
- the assessment of an employee’s working capacity;
- a medical diagnosis;
- the provision of healthcare or social care; or
- the management of healthcare or social care systems and services on the basis of EU member state law or pursuant to a contract with a health professional; and
Article 9(2)(i) of the GDPR, which concerns data processing required for public interest reasons in the public health sector.

In both cases, data processing must be entrusted to persons subject to professional secrecy or confidentiality duties.

Explicit consent

The industry-wide problem of ‘explicit consent’ remains unresolved. Under the GDPR, explicit consent requires the data subject to give their permission, and data controllers must obtain specific consent for each use of health data in this context. Further, the data subject must be able to withdraw consent without suffering any disadvantage. This would be impossible in the context of health data processed for the execution and performance of the insurance policies listed above.

It appears that for certain types of insurance, other grounds foreseen in Article 9(2) of the GDPR could be enough to allow the processing of health data (and other special categories of data) for insurance purposes – in particular, for:

underwriting or claim administering; and
exercising rights or complying with obligations under insurance contracts.

The same applies to reinsurance.

This would be the case for compulsory insurance such as accident at work or compulsory motor liability insurance, which allow the processing of health data required for compulsory insurance purposes under Article 9(2)(g) of the GDPR and do not require the data subject’s explicit consent.

The grounds for processing health data for health insurance purposes could also be covered by the specific legitimacy grounds foreseen in Article 9(2)(b), which refer to data processing that is ‘necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of… social protection law’, insofar as health insurance might still be envisaged as a form of social protection.

Although this understanding may be debatable, it seems to be in line with an understanding acceptable to the Portuguese supervisory authority on data protection, which addressed this issue in a May 2018 opinion on the Data Protection Act Proposal.

The supervisory authority’s opinion states that, with regard to non-compulsory insurance coverage (other than health insurance), the GDPR provides no specific grounds on which an insurer could base the processing of health data. As a result, such processing (eg, for life insurance purposes) faces the explicit consent dilemma.

Data Protection Act

The Data Protection Act could (and should) provide specific insurance grounds for the processing of health data, in line with a significant number of EU member states. This could be achieved through legal provisions that:

acknowledge a ‘substantial public interest’ pursuant to Article 9(2)(g);
respect the requirements of proportionality of the aim pursued;
respect the right to data protection; and
provide for suitable and specific measures to safeguard the data subject’s fundamental rights and interests.

In that regard, Recital 52 of the GDPR states as follows:

Derogating from the prohibition on processing special categories of personal data should also be allowed when provided for in Union or Member State law and subject to suitable safeguards, so as to protect personal data and other fundamental rights, where it is in the public interest to do so, in particular processing personal data in the field of employment law, social protection law including pensions and for health security.

Arguably, this could be achieved by mirroring in the Data Protection Act the relevant provisions of Article 9(4), which allow EU member states to ‘maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health’.

Recital 10 explicitly states as follows:

This Regulation also provides a margin of manoeuvre for Member States to specify its rules, including for the processing of special categories of personal data (‘sensitive data’). To that extent, this Regulation does not exclude Member State law that sets out the circumstances for specific processing situations, including determining more precisely the conditions under which the processing of personal data is lawful.

It therefore seems that each EU member state, including Portugal, can provide specific conditions (grounds) for the processing of personal data, including special categories of data. This possibility does not seem to be excluded by Recital 53 of the GDPR.
Helena Tapp Barroso