The Catalan Data Protection Authority (APDCAT) has approved the Code of Conduct for Data Processing in the field of Social Care, prepared by the Health and Social Consortium of Catalonia (CSC) This is the second code of conduct that the APDCAT approves and registers in Catalonia, after in December 2020 it endorsed the Code of Conduct for the processing of personal data in the health field, inandciativa, also, of the CSC.
The code of conduct is an instrument provided for in the General Data Protection Regulation (GDPR), to establish a common framework for the application of the principles and obligations provided for in a given sector.
Thus, the APDCAT endorses the content of this second code of conduct prepared by the Data Protection Area of the CSC, which should serve to facilitate the application of the standard in the field of social care to entities that adhere, whether entities associated with thefield or other entities of the public sector that provide social services.
In this sense, the APDCAT concludes that the code gives criteria for action regarding the adequate compliance with data protection regulations in the social care sector. Thus, it determines that it satisfies a specific need of the sector, makes cilita and specifies the application of the RGPD, atthe door sufficient guarantees and has effective mechanisms to monitor compliance with the code.
In particular, the code focuses on the specificities of data processing relating to social care and specifies the different categories of persons concerned or affected. Amongothers, minors and particularly vulnerable people, including those at risk of stigmatization. It also foresees the specific circumstances to be taken into account in each case, from the perspective of data protection.
It also specifies the guarantee measures applicable to data processing in the social care sector and, also, those that guarantee compliance with the rights of informational self-determination. This is the case, for example, of a right of access to social history and documentation generated in the social care process or the rectification or deletion of personal data, which can be particularly problematic in this area.
Regarding data security, the code provides different elements to consider in the risk analysis and impact assessment on the protection of personal data, which in the social care sector is especially relevant given that data specially protected by regulations can be processed. In addition, it determines the specific measures for data processing in the framework of research, research and statistical analysis in relation to the provision of social services.
Finally, it provides for the creation of a supervisory bodyto promote, inform, control and evaluate the degree of compliance with the code by the member entities. The body is fully competent to determine the adequacy of the entities to the provisions of the code, initiate procedures or investigation and sanction files and respond to requests and queries from interested persons, among other functions.
More guarantees ofthe correct application of the standard
Codes of conduct are intended to contribute to the correct application of the GDPR, taking into account the specific characteristics of the processing sector to which they relate. The adherence of entities to approved codes of conduct can be used as an element to demonstrate compliance with obligations. In addition, compliance with approved codes of conduct is particularly assessed if the member entity must carry out high-risk treatment, which requires a data protection impact assessment.