Data protection and the liberal professions: not so complicated
On 10 June 2021, the Italian data protection authority fined a dentist € 20,000 on the grounds that the dentist had refused to treat a patient with the HIV virus without having clearly stated that such disclosure could lead to a refusal of treatment, and not only to consequences as to the possible treatment.
While this is a special case, it cuts short any belief that data protection compliance only concerns large companies, the only ones able to exploit personal data on a massive scale and therefore the only ones to be in the crosshairs of the authorities and possible sanctions.
The question then arises as to what measures doctors, dentists and other lawyers (whom I will then refer to as “practitioners” for the sake of simplicity) should reasonably implement to avoid any misadventure.
- No application of the GDPR
In reality, these steps are quite simple. First of all, it should be remembered that, unless practitioners deliberately target European residents, they should not be submitted to the GDPR, but only to the Federal Data Protection Act, a revision of which is expected to come into force during 2022.
- Legal obligations
Without going into detail, practitioners are at first sight subject to three obligations, the scope of the first two of which should however be put into perspective:
- The register of processing activities
The obligation for practitioners to keep a register of processing activities requires in principle to determine, among other things, the type of processing, the purpose of the processing, the categories of persons (patients, employees, sometimes suppliers) and the categories of personal data (which may be sensitive in the medical field) processed, as well as the possible transfers abroad and the recipients of these possible transfers.
However, the Federal Council has exempted companies with fewer than 250 employees from this obligation if the processing concerned does not involve the processing of sensitive data on a large scale or does not lead to the establishment of high-risk profiling. While high-risk profiling may not be possible for practitioners, the processing of sensitive data is certainly possible, particularly in the medical field. However, the “large-scale” requirement seems to presuppose massive processing within a hospital or clinic, which, at first glance, should not be the case for a private practice.
This is an obligation that practitioners should be exempt from.
- The duty to inform
All data controllers, including practitioners, are in principle obliged to inform the data subject adequately about the collection of personal data and the purpose of the collection (in concrete terms, it is necessary to explain what will be done with the data and why it is necessary to collect it).
While such an obligation is easy to implement, the law provides that when the controller is a private person subject to a legal obligation to maintain secrecy, he or she is released from this obligation. Practitioners are subject to such an obligation by virtue of Article 321 of the Criminal Code; it must therefore be concluded that they have no legal obligation to inform their patients or clients of the processing carried out.
There is, however, an exception to this principle. When the processing contemplated requires the processing of sensitive data, such as medical data, the express consent of the data subject is then required, which implies that the latter must be duly informed of the processing concerned in order for his or her consent to be validly given, it being specified that in Swiss law, unlike European law, consent is considered to be express even if it is given by reference to general conditions.
- Adequate security measures
In the end, it is really the obligations on practitioners to ensure that adequate security measures have been put in place to protect data against the risks involved that are most important.
From this point on, what advice can one give to practitioners?
- Practical considerations
- On the technical side
- Firstly, the fact that the practitioner must ensure that his infrastructure guarantees a form of security for his patients’ or clients’ data. In this respect, it should be noted that it is now widely accepted that the use of a cloud provider is admissible insofar as the latter appears to be an auxiliary (in the same way as the administrative staff) of the practitioner; entrusting him with the processing of data does not therefore appear to be a violation of Art. 321 CP. Ideally, the supplier’s servers should be located in Switzerland or, at the very least, in Europe (a point of view that is disputed here as to the admissibility of having a supplier outside of Switzerland, but in Europe), and that they are subject to certain certifications as a guarantee of security, such as the ISO27001 standard. Of course, nothing prevents practitioners from having an internal server duly protected by a firewall or a VPN when the practice of the profession, especially for lawyers and teleworkers, involves remote work.
- Secondly, access control should be put in place, since there is often no justification for all administrative staff to have access to all the potentially sensitive data of the patients treated, or even for each employee to know how much his or her colleagues are paid. The Anglo-Saxon principle of “need to know basis” should apply here.
- Finally, one should avoid using unprofessional email addresses, as some in the medical field unfortunately do, such as hotmail, Gmail or bluewin. Moreover, the use of an instant messaging system such as What’s App should be avoided in the professional world, except at the express request and agreement (and insistence, I would add) of the patient or client. Email encryption, nowadays easy (see a provider like www.swisssign.com), is to be recommended.
- On the information side
Even though we have seen that the obligation to provide information is in fact confined to the processing of sensitive data (such as medical data) for which express consent is required, it is nevertheless easy and, in my view, good practice to promote a certain transparency here, which can be done with less effort in two ways:
- Secondly, and more particularly in the medical field where it is usual to have to fill in a form before any consultation, the use of this form is a practical and easy way to mention the reason for the collection of certain data (in particular health data for which express consent is required), the way in which they are kept, for what duration and with whom they are shared.
Finally, it cannot be stressed enough that any transfer of data abroad should only be made with the express consent of the data subject, and that it is important to delete the processed data after a period of time to be determined (usually defined by law) once the data subject is no longer a patient or client (e.g. 20 years for dentists).
Do you have questions about his topic?Contact Us