Official Abolishment of Notification Requirements, Third Country Data Transfers & New Regulations on Secondary Processing of Health Data
Legal Update 1: Revocation of Certain Outdated Laws
On the 12th of November 2019, Legal Notices 296, 297 and 298 of 2019 were published. Their purpose is to revoke certain laws that had become outdated and were no longer applicable in practice following the coming into force of the General Data Protection Regulation (“GDPR”) in May 2018. More specifically, the relevant Legal Notices revoked:
the Notification and Fees (Data Protection Act) Regulations (S.L. 586.02 of the Laws of Malta), which imposed an obligation on controllers to notify the Information and Data Protection Commissioner (“IDPC”) before carrying out any wholly or partially automated or manual processing operation on personal data;
the Third Country (Data Protection Act) Regulations (S.L. 586.03 of the Laws of Malta), which imposed the obligation on controllers to notify the IDPC prior to transferring personal data to a third country; and
the Transfer of Personal Data to Third Countries Order (S.L. 586.05 of the Laws of Malta), which permitted the transfers of personal data for tax related purposes to certain third countries listed within this subsidiary legislation.
Legal Update 2: New Laws on the Secondary Processing of Personal Data in the Health Sector
On the 8th of October 2019, Legal Notice 263 of 2019 was published. This Legal Notice is intended to enact the Processing of Personal Data (Secondary Processing) (Health Sector) Regulations (S.L. 528.10 of the Laws of Malta) (“the Regulations”).
The purpose of the Regulations is to permit certain secondary processing of personal data in the health sector, effectively allowing the processing of health data for purposes other than those for which the personal data was initially collected, in certain cases by health care professionals.
Such secondary health data processing may be allowed for specific cases, mainly:
for the processing and analysis of records by licensed entities within the health sector for the purpose of managing and enhancing health services;
for the analysis of health records, as supplied by the Ministry for Health, for the purpose of monitoring and ensuring the quality and cost effectiveness of the health service;
for the monitoring of contractual obligations, for quality control and for the management of information and monitoring of services and systems arising from public-private partnerships and partnerships with non-governmental organisations (“NGO”).
Moreover, secondary processing is also allowed:
for the purposes of ensuring adherence to contractual obligations and the delivery of a safe and accessible service;
to fulfil obligations related to the provision of statistical information;
for the compilation of evidence in medico-legal cases;
for the investigation and monitoring of health threats; and
to access health records for research activities.
The Regulations also provide that health data can be processed for research activities which are in the public interest. Where in such cases it is not possible to anonymise such personal data, secondary processing is allowed subject to the following conditions:
in the case of research activity conducted by the Ministry of Health or its partners, such research can be carried out following approval of the Health Ethics Committee within the Ministry of Health and after obtaining prior authorisation from the IDPC;
in the case of research activity conducted by academics or students or NGOs having the remit to assist patients in need in the health sector, such research can be carried out following approval of any other ethics committee recognised by the IDPC and after obtaining prior authorisation by the IDPC.
In such cases personal data must be pseudonymised; however, if this is also not possible, appropriate measures should be taken to safeguard the rights and freedoms of data subjects by ensuring that the personal data is anonymised as soon as it is no longer required in an identifiable manner for the purpose of carrying out research or statistical studies.
Finally, in all other cases, consent of the data subject will be required in line with the GDPR for any secondary processing.
Article written by Dr Terence Cassar, Dr Bernice Saliba and Legal Trainee Mr Philippe Martens.