GDPR scope - "Personal data" definition - General Data Protection Regulation

[lzanini]

Hello everybody,

As a young graduate, I just dived into the GDPR as my first mission. I've been reading a lot on it, and I finally came back to the fundamental question : does it apply to us as a company? Let me explain.
Our device is meant to be used in a hospital. It collects monitoring data from the patient. The data collected is of course made available for health professional in the hospital, so they can use it in order to take care of the patient. Hence, they are able to link the data to the patient. However, the company will never have access to the name of the patient, and will not be able to link the data to the patient, making him/her impossible to identify for us. Moreover, the data collected won't enable us to know anything about his/her habits and tastes. It will just be numbers, without a link to anybody in particular.
By collecting and hosting this data, our aim is to simply analyze it to determine if there are any patterns that could later help health professional to prevent certain issues.

• In this specific case, would anyone know if the data the company will have access to will be considered as "personal" since it will just be numbers ?

• Does the GDPR still apply to us as a company?

• What would this specific situation change for us?

I thank in advance anybody who will take the time to read this, and maybe give some help !


Kind regards,
Laura

 

[mihzago]

In general, I think the requirements do not apply to you, especially if the device is not connected to your company servers or in no way transfers the data to your infrastructure.

However, I just did a very similar assessment for a company with a product used during surgery, and I recommended that although the GDPR does not directly apply, there are a number of technical controls that can be implemented in the device to assist the health practitioners or health institutions to comply with the GDPR requirements on their end; especially Article 32, Security of processing.
Some examples are use of login/password to access the device; access to functionality based on roles (admin, user, service, etc.); ability to purge or de-identify data, and a few others.


Also, consider what data you collect during customer support interactions.

 

[QAengineer13]

I agree with mihzago's comment and in-addition also think about the "Privacy by design " concepts., i.e Proactive not reactive, Privacy as the default setting, Privacy embedded into design, Full functionality ( Positive-sum ,not zero-sum), End to End security, Visibility and transparency , Respect for user privacy into the design if its not too late..... Also think about Data classification, Metadata and role-based access controls (Governance)

 

[lzanini]

Thank you for your answer mihzago, I would just have a few comments/further questions if you allow me

In general, I think the requirements do not apply to you, especially if the device is not connected to your company servers or in no way transfers the data to your infrastructure.

The device is connected to the company servers. But what will be transfered to us will be numbers (such as heart rate) only. In that case, the company will never be able to identify the person these numbers come from. My question is, "In this specific case, are those numbers still considered as personal data as they do not refer to a person anymore ?". And depending on this first answer, then how does the GDPR would apply ?

However, I just did a very similar assessment for a company with a product used during surgery, and I recommended that although the GDPR does not directly apply, there are a number of technical controls that can be implemented in the device to assist the health practitioners or health institutions to comply with the GDPR requirements on their end; especially Article 32, Security of processing.
Some examples are use of login/password to access the device; access to functionality based on roles (admin, user, service, etc.); ability to purge or de-identify data, and a few others.


Also, consider what data you collect during customer support interactions.

Thank you a lot for these recommendations and examples. There are definitely options to explore for us !

 

[mihzago]

Based on the Recital 26 below, if the data is completely devoid of any personal information, or information that may allow identification, then the regulation would not apply.

Recital 26 Not applicable to anonymous data*
1The principles of data protection should apply to any information concerning an identified or identifiable natural person.
2Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person.
3To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly.
4To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.
5The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. 6This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.

 

[Mark Meer]

I've got another case to consider:

- The device software allows users (therapists) to create multiple "accounts" for each of their clients.

- The "account" information is just a bunch of open fields, none of which are mandatory. For example, in a "Name" field, the clinician could enter the client's actual name, a pseudonymisation, or nothing at all.

- The device is networked to our servers strictly for the purpose of pushing software updates - none of the account data is ever transmitted.

------
Not certain if/how the GDPR applies in this case.
- Personal data is only maintained if the user chooses to enter personal data.
- This data is never transmitted even though the device is networked. That being said, I'm not certain how continuous networking exposes risk of possible access by unintended means (hacking, malware,...etc.).

Any advice/input much appreciated!
MM