On 10 June 2021, the Italian data protection authority fined a dentist € 20,000 on the grounds that the dentist had refused to treat an HIV-positive patient without having clearly informed the patient beforehand that disclosing that status could lead to a refusal of treatment, and not merely to consequences for the treatment itself.
While this is a special case, it dispels any belief that data protection compliance concerns only large companies, as if they were the only ones able to exploit personal data on a massive scale and therefore the only ones in the crosshairs of the authorities and exposed to sanctions.
The question then arises as to what measures doctors, dentists and lawyers (whom I will refer to as “practitioners” for the sake of simplicity) should reasonably implement to avoid any such misadventure.
In reality, these steps are quite simple. First of all, it should be remembered that, unless practitioners deliberately target European residents, they are not subject to the GDPR, but only to the Federal Data Protection Act, a revision of which is expected to come into force during 2022.
Without going into detail, practitioners are at first sight subject to three obligations, although the scope of the first two should be put into perspective:
First, the obligation to keep a register of processing activities requires, in principle, that practitioners record, among other things, the type of processing, its purpose, the categories of persons concerned (patients, employees, sometimes suppliers) and the categories of personal data processed (which may be sensitive data in the medical field), as well as any transfers abroad and the recipients of those transfers.
However, the Federal Council has exempted companies with fewer than 250 employees from this obligation, provided that the processing concerned does not involve sensitive data on a large scale and does not lead to high-risk profiling. While high-risk profiling is unlikely for practitioners, the processing of sensitive data is certainly possible, particularly in the medical field. The “large-scale” requirement, however, seems to presuppose massive processing of the kind found in a hospital or clinic, which, at first glance, should not be the case for a private practice.
In short, this is an obligation from which practitioners should be exempt.
Second, all data controllers, including practitioners, are in principle obliged to inform the data subject adequately about the collection of personal data and its purpose (in concrete terms, to explain what will be done with the data and why it is necessary to collect it).
While such an obligation is easy to implement, the law provides that a controller who is a private person subject to a legal obligation of secrecy is released from it. Practitioners are subject to such an obligation by virtue of Article 321 of the Criminal Code; it must therefore be concluded that they have no legal obligation to inform their patients or clients of the processing carried out.
There is, however, an exception to this principle. When the contemplated processing involves sensitive data, such as medical data, the express consent of the data subject is required, which implies that the data subject must be duly informed of the processing concerned for that consent to be validly given. Note that in Swiss law, unlike European law, consent is considered express even if it is given by reference to general terms and conditions.
In the end, it is the third obligation, the duty of practitioners to ensure that adequate security measures are in place to protect the data against the risks involved, that matters most.
From this point on, what advice can one give to practitioners?
Even though we have seen that the obligation to provide information is in practice confined to the processing of sensitive data (such as medical data) for which express consent is required, it is nevertheless easy and, in my view, good practice to promote a degree of transparency here, which can be done with little effort in two ways:
Finally, it cannot be stressed enough that any transfer of data abroad should only be made with the express consent of the data subject, and that it is important to delete the processed data after a retention period to be determined (usually defined by law) once the data subject is no longer a patient or client (e.g. 20 years for dentists).
Do you have questions about this topic?