EHDS Jurist

What is a DPIA, and what is it not?

A DPIA is a Data Protection Impact Assessment. It is mandatory under the GDPR in certain cases. What is it and what isn’t it? When is it mandatory? And what is the role of the Data Protection Officer?

What is the DPIA?

The DPIA is the report of a thorough brainstorming session. A plan has been made to do something with personal data, but this could pose risks with regard to privacy. Therefore, the DPIA outlines step by step exactly what processing operations are planned and for what purpose; what the risks are; whether these risks can be adequately covered; whether everything complies with the GDPR; whether any remaining risks that cannot be covered are proportionate to the purpose; and whether, based on all of this, the plans may or may not be implemented. In other words, it is a comprehensive, step-by-step analysis of whether certain plans are actually such a good idea, in light of privacy. Under certain circumstances, data subjects, such as patient associations or employees (via the Works Council), must be involved in this process.

What is the DPIA not?

The DPIA isn’t some sort of ritual. Model DPIAs are often used. There’s nothing wrong with them if they’re used correctly, namely as a tool for a thorough analysis. However, when the model is used as a form that simply has to be filled out, things go wrong. The DPIA isn’t intended to ensure that something is permitted, but to answer the question of whether something is permitted. Moreover, the DPIA isn’t a marketing tool. It’s intended for internal consideration, not to externally demonstrate the enormous importance one attaches to the GDPR. Furthermore, it’s unwise to conduct DPIAs before answering the question of whether one is actually a controller. A processor is someone who processes personal data on behalf of someone else: the controller. The processor may not make themselves a controller. By conducting DPIAs on data for which one is not a controller, one runs the risk of becoming one.

When is it required?

The DPIA must be carried out “when a type of processing, in particular using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons, taking into account the nature, scope, context and purposes of the processing.” DPIAs are required in particular for:

1. A systematic and extensive assessment of personal aspects based on automated processing, including profiling, on which decisions are based that produce legal effects or significantly affect certain individuals in a similar manner;
2. Large-scale processing of special categories of personal data or criminal record data;
3. Systematic and large-scale monitoring of publicly accessible spaces;
4. Everything that has been placed on the DPIA list by the Data Protection Authority.

Note that processing special categories of personal data does not always require a DPIA. This is only the case if the processing is on a large scale. What is typically done by individual healthcare providers is not covered.

When is it not required?

A DPIA is required for processing operations that are “likely to pose a high risk,” but if it is clear that there are no risks, it is not necessary. Moreover, it is not necessary to conduct a DPIA every time for similar processing operations; if an academic hospital regularly conducts medical research with its own health data in its own secure processing environment, a DPIA does not need to be conducted every time. The data set may be different, but the processing operations are similar. A DPIA is also not required if there is a legal obligation or a statutory task, provided that an impact assessment was already conducted when that law was drafted (unless, of course, that law subsequently requires a DPIA).

Role of the Data Protection Officer

Contrary to popular belief, the DPIA is not carried out by the Data Protection Officer (DPO). However, the controller must consult the DPO (if they have one). If there is indeed an obligation to conduct a DPIA, appointing a DPO will usually also be mandatory. The DPO does not know exactly what the controller has in mind regarding high-risk processing. This must therefore be explained to the DPO, outlining the plan and its rationale, the perceived risks, and the security measures envisioned. The DPO then advises whether the planned measures appear sufficient and whether they appear to comply with the GDPR. However, the DPO does not perform the analysis themselves, nor do they decide whether a plan can proceed. And the DPO certainly does not have the role of simply handing out green checks.
