The breadth and complexities of health data
Victoria Hordern of Bates Wells discusses the conditions most likely to be relevant for the processing of health data, and any additional safeguards needed.
If I email you to ask you how you are, and you respond by email that you’re not feeling well, am I processing your health data? At what point does information about a person become personal data concerning health? The GDPR states that personal data concerning health “should include all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject” (recital 35). Given how widely mental health conditions are now defined, that’s a fairly broad concept. Moreover, the GDPR indicates that personal data concerning health includes information about a person’s registration for health care services (e.g. doctor’s appointments), any number or symbol that uniquely identifies an individual for health purposes, information from tests or medical examinations, as well as information on a disease, disability or disease risk, medical history and clinical treatment.