You can find more information in the Patient's Guide
No. The owner of personal data, and in particular the data in medical records, is always the patient. The health centre, doctor, private health insurance company, etc. who compile medical records are the controllers of the information they process, and must store, preserve and protect it.
Medical records can be kept in paper or electronic format, as long as it is possible to guarantee the authenticity of the content and that the records can be consulted in the future. A record must be kept of each access to or modification of a medical record, and of the doctors and healthcare professionals who accessed or modified it.
Although healthcare organisations may opt for different systems, the norm for some time now has been to use computerised medical records. For several years the Catalan public health system has been using the Shared Clinical History (HC3), which allows access to relevant information on the medical records of the different health centres in the public healthcare network.
For paper medical records, secure containers that prevent unauthorised persons from retrieving information, as well as paper shredding machines, must be used. It may be appropriate to entrust this process to companies that guarantee certified safe destruction.
In the case of electronic medical records, health centres or healthcare professionals must securely erase the information or, if necessary, physically destroy the medium or device.
Health centres, archives, and documentation centres must keep a record of the disposal of medical records.
Health centres and services that close and professionals who stop working permanently must guarantee access to the medical records they keep, for the purpose of ensuring medical care and patients' rights.
When a self-employed doctor ceases to practise, they should notify patients so that they can collect their medical records and, if necessary, hand them over to a new professional. The doctor can consult with their professional association regarding how to manage this situation without jeopardising the rights of their patients and, where appropriate, how to securely destroy information.
No. These are two different information rights:
- In healthcare, informed consent refers to the duty to collect the consent of patients who have to undergo certain more or less invasive treatments (examinations, clinical analyses, biopsies, surgery, care, medical treatments, etc.). The patient must be told what the action will consist of so that they can decide whether or not to authorise it.
- The right to information established in the personal data protection legislation is a right that belongs to all patients. Health centres do not have to ask for consent to process the data provided by patients in order to attend to them, but they are obliged to explain to them how they will use their data.
The information that patients receive should be concise, transparent, intelligible and easily accessible, with clear and simple language, particularly in the case of information specifically aimed at children. The information must be provided in writing or by other means, including, where appropriate, in electronic format.
The patient has the right to ask for any clarification they need. To do so, they can contact the data protection officer of the data controller.
No. Requesting a signature from a patient without first informing them of what data will be collected, why, who it will be shared with, etc., and without allowing them to ask any questions, is not correct. The information required by law must be provided in such a way that there is a record of its having been provided, and the patient must be able to understand it. The patient should never sign without knowing what they are signing for. The patient has the right to obtain a copy of any document they have signed.
The use of apps to track fitness or promote health is becoming more and more common. These applications collect a significant amount of health data (heart and pulse rate, calories consumed, exercise, diet, etc.) directly or through sensors (wrist band, smart watch, mobile phone, etc.). Therefore, they must provide the user with the information required by personal data protection regulations.
Before starting to use these applications or provide health information, users are advised to carefully read this information, especially that relating to the company or companies responsible for processing the information, what they can use it for, where it is kept, who they may share it with, the consequences that may arise from the processing and how to make complaints.
The right of access does not include the provision of this information. The obligation to provide this information only exists if the medical record has been communicated to external entities or persons.
However, some health centres have established the provision of this information as best practice. In addition, in the case of public administrations, the regulations on access to public information may also allow patients to access it, given their legitimate interest in knowing it.
Sometimes, patients do not need to know everything included in their medical record, whether for their own benefit or that of other people (for example, when the professionals attending to the patient consider that there exist overriding healthcare needs or when there are subjective annotations).
No. The patient, as the data subject, may exercise the right to obtain a copy of all their healthcare reports. There is no obligation to explain to the clinic the reason for the request and, even if they are informed of the reason, this does not justify refusal to provide the information. If the clinic refuses to release the information, the patient can complain to the Catalan Data Protection Authority.
Yes. The right to know one's own biological origins includes the right to know the identity of biological parents. This right is recognised for children and adolescents who are not in the care of their parents (those who are adopted, or who are or have been under state guardianship), once they have reached the age of majority or are emancipated. Applicants must be able to access certain information from the biological mother's medical record that may be relevant to their own health.
The owner (data subject) of the medical record is the woman who undergoes the assisted reproduction treatment. Her partner has the right to access his or her own data. If one of the two partners wants to access the data of the other one contained in shared documents, they need the consent of the owner. Data relating to pre-embryos can be considered information owned by both partners, meaning that both of them would have the right to access it.
The Assisted Reproduction Techniques Act states that medical teams must place all information on donors in a medical record, which must be properly safeguarded. The data included in medical records, except for the identity of the donors, must be made available to the recipient and their partner, or to the child born by these techniques or to their legal representatives, when they reach the age of majority, if requested.
No. The law recognises the right of children and adolescents to know their genetic origin and to request, from the competent public administrations, the documentation that allows them to ascertain their identity. This means that information on embryo donation must be kept in the mother's medical record and, consequently, that this information cannot be erased. However, the mother can request that no one but the children access this information.
No. In cases of rectification or erasure of data, the data protection regulations impose the duty to block the data. This involves locating the data and maintaining it outside of the usual work circuits, and adopting measures to prevent its processing, so that it is only available to judges and courts, the Public Prosecutor's Office or the competent public administrations, and in particular to data protection authorities, to enforce possible responsibilities arising from the processing and only until such responsibilities expire.
It is important that medical records adequately and truthfully reflect the relevant circumstances of patients' healthcare processes. Errors in the date of a surgical procedure or in the identification of the doctor in charge may negatively influence current and future care (for example, it may make it impossible for doctors to check whether the patient's recovery is within normal range, or it may make it impossible to confirm the information with the professionals who cared for them). Therefore, the information must be rectified.
No. The healthcare provided by the centres and services of the public healthcare network is not based on the consent of patients, but on the laws that establish that we all have the right to receive this service (section 4.1 of this guide).
However, portability can be requested from controllers (health insurance companies, doctors in private practice, etc.) that process data automatically in accordance with a prior decision of the patient who has contracted this service.
Health regulations state that medical record data should only be accessible, for healthcare purposes, to healthcare professionals who need to treat the patient, and these professionals must protect and respect the confidentiality of this information.
The right to object means that, for reasons related to the patient's personal situation, they can request that only certain professionals have access to information on this episode. However, this right may be limited if the health centre can prove that there are compelling legitimate reasons that must prevail (for example, if it may jeopardise the healthcare received by the patient or the proper functioning of the health system).
Granting the right to object does not necessarily imply that the information will be erased; due to the requirements of the law on patient autonomy, it must be kept for certain periods (section 1 of this guide).
The fact that the exercise of a right will not have the effect intended by the requesting party (the effective erasure of a piece of data, for example) does not justify the lack of response. On the contrary, a response must be given within one month, explaining why the request has been rejected. As the right has not been respected, a claim for protection of rights can be filed with the Catalan Data Protection Authority.
You can contact the Data Protection Officer (DPO) of the controller. You can find their contact details in the information clause that must be provided by the controller when the data is collected.
Alternatively, and also if you do not agree with the response given by the Data Protection Officer, you can contact the Catalan Data Protection Authority.
The communication of health data by telephone carries the risk of providing the information to a third party who is impersonating the patient. For this reason, this should be avoided, unless protocols have been implemented to securely identify the person requesting the information.
No. Unless these people are involved in providing medical care to the patient, access would be inappropriate and would violate the principle of confidentiality. The mere fact that someone works in a health centre does not mean they are allowed to access a colleague's information without their consent. Health centres should give proper instructions to their workers in this matter. The patient can complain to the Catalan Data Protection Authority or the judicial authorities.
No, unless they have the free, specific and unequivocal consent of the parents (or children, from the age of 14) and have properly informed them. In addition, if it can be deduced from the photograph that the child suffers from any type of illness, the consent must be explicit. The advertising purpose may be legitimate, but the provision of healthcare does not imply that images of patients can be disseminated.
The law allows relatives who so request to be provided with a letter with information about the patient they have accompanied. However, this letter only contains the minimum information necessary for the worker to request and take the time off provided for by labour regulations in order to accompany a relative to the doctor.
Yes. Before providing any information about a patient's state of health, health centres must verify the identity of the caller, their relationship with the patient and, where appropriate, the instructions given by the patient. Otherwise, they may violate the patient's privacy. It is good practice for the centre to ask the patient who may receive information about them, for example, on their recovery after surgery.
The hospital can only give the room number (which is data that forms part of the medical record) to the patient's family members or the people who are accompanying the patient during their treatment. For other visitors, the patient must give their authorisation.
When, in the opinion of a doctor, a patient is not able to make decisions about their own health (for example, due to a serious accident or mental illness), the people who represent their interests, or who are linked to them for family reasons or as a common-law partner, may access their information.
Yes. Family members or civil law partners of deceased subjects of medical records may request access to the deceased's personal information, unless this has been expressly prohibited by the deceased. Access to medical records by a third party due to a risk to the health of the latter should be limited to relevant data. Information that affects the privacy of the deceased, subjective notes of professionals or information that may be harmful to third parties should not be provided.
No. Access to a medical record without the patient's consent or without justification on the grounds of healthcare is a violation of the principle of confidentiality of patient information. Therefore, medical professionals who, although they work in the same primary health centre, hospital, social care centre, care home, etc., are not involved in the care of a patient, may not access their personal data.
When treating a patient (a worker) referred by a mutual insurance company that works with the public healthcare system, health centres may provide information on the worker's diagnosis without their consent, in order to manage financial benefits and healthcare arising from work-related incidents, and to monitor and control the worker's temporary disability.
Yes. When it comes to compulsory insurance, the law allows health centres to claim from insurance companies the cost of the healthcare provided to policyholders of these companies. To do so, the health centre must be able to disclose patient data to prove that the required healthcare has been provided.
Yes. If the data is necessary to exercise the right of defence or compliance with the insurance contract, the hospital may provide the patient's health data to its lawyers or to the insurance company of the hospital or the doctors involved.
If it is a notifiable disease, the law allows the health authorities to provide notification of the patient's identity (if absolutely necessary) and the disease they are suffering from to their workplace, school or people related to them, to check for spread of the disease. Within workplaces and schools, the information should reach the minimum number of people required for the health authorities to take appropriate action.
Yes. It is lawful for public health authorities to process our health data when necessary for reasons of public interest; for example, to control the spread of epidemics or pandemics and, ultimately, when health crises or cross-border threats occur that pose a serious danger to the health of the population. Processing is also lawful for the purpose of protecting the health of the data subject or others.
If there is a risk of transmission, the competent public health authorities must take the necessary measures to control patients, people in their immediate environment and those who are or have been in contact with them. To do so, they can process whatever data are needed.
In these situations, public health authorities can activate systems to contact and warn people who have been in contact with an infected person, in order to protect their health and prevent these people from spreading the disease. Whenever possible, authorities should report only on the possibility that the contagion has occurred or may occur, without disclosing the identity of the person who is the source of the contagion.
Establishing this as a general measure without the consent of the people concerned has no legal basis, unless established by the competent public health authorities.
This is without prejudice to the power of company health and safety departments to adopt appropriate health surveillance measures with respect to their workers if the health status of a worker may pose a danger to themselves, to other workers or to people who have contact with the company.
Yes, as long as these apps or websites that collect and process people's data comply with the requirements of data protection regulations.
These applications make it possible to know if a person has symptoms of infection, provide data on their psychological state, etc. and offer them suitable help and health resources. They can also be used to conduct epidemiological and statistical studies with the aggregate data they obtain from users (e.g. aggregated geolocation data to detect geographic areas with the highest epidemiological risk and incidence, to allow authorities to establish control measures).
Before using the app, you should have enough information. It is important to read and understand the privacy policy and know who the data controller is; what data can be processed or disclosed; what purpose they will be used for; what rights users have and where they can be exercised; and the storage period and location of the data being processed.
No. The provision of health data is strictly voluntary.
Although in some cases this processing may occur on the basis of patient consent, the law also envisages other possibilities such as, for example, the processing of pseudonymised health data for health research purposes. However, the data controllers must protect the information with appropriate security measures so as not to jeopardise the rights of data subjects (functional separation when performing pseudonymisation, confidentiality and non-re-identification commitments, specific security measures, ethics committee report, etc.).
No. The active participation of a patient in research studies is always voluntary, and the conditions or quality of the medical treatment they receive cannot depend on whether or not they choose to participate.
If the patient agrees to participate, before they join the study, they must receive all the information they need about the characteristics and implications of the study and how their data will be processed.
If medical research performed with pseudonymised data detects a real and specific danger to the safety or health of one or more people or a serious threat to their rights, or if necessary for the purpose of ensuring adequate healthcare, the people concerned may be re-identified.
If the participant stated that they did not want to know the results of the study, this wish must be respected. However, if it is considered based on medical criteria that, as a result of the findings of the study, the health or safety of their biological family members is in real and specific danger or there is a serious threat to their rights, or it is necessary for the purpose of ensuring adequate healthcare, they will need to be informed.
Yes. The patient can always revoke their initial consent. Their decision must be respected and may not have any detrimental effects on the healthcare they receive. However, the law protects medical research due to the general benefits it brings, so that in these cases the person in charge of the study can keep whatever data has already been collected and previously processed.
When researchers begin a specific line of research, they often do not know whether, as the research progresses, it may be relevant to expand the object of study. For example, research on a particular rare disease, as it progresses, may yield results that are useful for research into another disease related to the initial area of research. The law allows this data to be reused for the new research related to the initial area of research, and such processing would be considered compatible with the initial processing.
No. When the processing of health data requires the consent of the interested party, the consent must be explicit and must be recorded.
Yes. In this case, it is considered that the surgical procedure is recorded not for healthcare purposes, but rather for educational purposes, so the patient can authorise the processing of the images. The procedure cannot be recorded if the patient does not give their consent. If the images or other data are to be used in teaching or in scientific publications, the patient must not be identifiable.
Patients or their representatives may authorise trainees to be present during the provision of their healthcare (for example, during a physical examination or check-up). Doctors should limit the presence of students when deemed inappropriate due to the patient's clinical, emotional or social situation.