By virtue of Legal Notice 107 of 2020 and in the midst of the COVID-19 pandemic, the Processing of Data concerning Health for Insurance Purposes Regulations (Subsidiary Legislation 586.10 of the Laws of Malta) (the “Regulations”) for insurance businesses have been amended.
The purpose of the Regulations is to set out specific grounds for the processing of health-related data, especially since in terms of the General Data Protection Regulation (“GDPR”), health-related data is deemed to be a special category of personal data (i.e. “sensitive data”), which can thus be processed only for limited specific purposes and in line with stringent conditions and safeguards. In fact, such processing is strictly prohibited unless it qualifies for one of the relative exemptions under the GDPR.
Amendments to the Regulations
Prior to the amendments, the grounds for processing personal health data for insurance (strangely) included reference to withholding of consent as a reason to have recourse to the Regulations. Regulation 4 of the Regulations read as follows:
Following the amendments, this now reads as follows:
“The processing of data concerning health shall be lawful where:
The scope of the Regulations has also been widened to capture, over and above the classical business of insurance, insurance distribution activities as defined in the Insurance Distribution Act, Chapter 487 of the Laws of Malta, that is: activities of advising on, proposing, or carrying out other work preparatory to the conclusion of contracts of insurance, of concluding such contracts, or of assisting in the administration and performance of such contracts, in particular in the event of a claim, including the provision of information concerning one or more contracts of insurance in accordance with criteria selected by the clients, through a website or other media and the compilation of an insurance product ranking list, including price and product comparison, or a discount on the price of a contract of insurance, when the client is able to directly or indirectly conclude a contract of insurance using a website or other media, and includes the activities listed in paragraphs (1) to (5) of the Third Column of the Schedule, the distribution activities carried out by an authorised insurance undertaking and any other activities as may be prescribed; in the
The notion of consent as a justification for the processing of health data for purposes of insurance has been done away with, in line with the spirit of the GDPR with respect to public interests.
Given the timing of the amendments in view of COVID-19, the Regulations may be of use, since there is now a pressing need for the prevention or “control of communicable diseases and other serious threats to health.”
Effectively, the amendments now clarify that the processing of personal health data necessary for the health insurance system to function is to be allowed based on a substantial public interest and in line with fundamental freedoms.
News Item written by Senior Associate Dr. Terence Cassar and Associates Dr. Bernice Saliba and Dr. Sean Xerri de Caro.
For more information or assistance on data protection and insurance law kindly contact Dr Ian Gauci on firstname.lastname@example.org, Dr Ivan Gatt on email@example.com or Dr Terence Cassar on firstname.lastname@example.org.
This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.