In a nutshell: Spanish data protection legislation

The definition of health data is provided by the EU General Data Protection Regulation (GDPR). In particular, Article 4(15) of the GDPR defines ‘data concerning health’ as ‘personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status’. This definition is reaffirmed in the Spanish Data Protection Act, and the Spanish Data Protection Authority (SDPA) also treats ‘genetic data’ as health data: personal data relating to an individual’s inherited or acquired genetic characteristics that provide unique information about that person’s physiology or health, and that is obtained in particular from the analysis of a biological sample of that person.

As a result, health information in Spain will primarily include:

Personally identifiable information gathered when registering for or receiving health services; numbers or identifiers assigned to a natural person to identify that person for health purposes; information derived from test results or the examination of a body part or bodily substance; and any information about a disease, disability or medical treatment, whatever its source.


Is kept anonymous health information subject to any laws or rules?

In order to protect patients’ anonymity, the Spanish Law on Patient Autonomy establishes as a general principle that personal identification data (ID card, Social Security number) and the health data contained in medical records must be kept separate. The only exceptions are where the patient consents or where the link is required for scientific research, judicial inquiries, or a relevant public health risk. According to the Spanish data protection authorities, anonymisation is the irreversible process of stripping data of all elements that could reasonably be used by controllers or third parties to identify a natural person.

Only anonymous data is exempt from data protection requirements, according to Recital 26 of the GDPR. However, because anonymisation is itself a form of data processing, data controllers must follow all of the legal requirements when anonymising personal data. Accordingly, businesses should pay special attention to their data anonymisation processes and address the risk of re-identification (ie, combining different sources of information to reverse the anonymisation of data). Concerning the risk of re-identification, the SDPA has published the document ‘K-Anonymity as a privacy measure’.
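The re-identification check the paragraph refers to, as an added example that is not part of the original page or of the SDPA’s publication: a short Python script over a constructed extract of health records that measures k (the size of the smallest group of records sharing the same quasi-identifiers), lists the records that are unique and therefore exposed to re-identification by linkage with other sources, and then applies generalisation and suppression until a target k is reached. The choice of quasi-identifiers, the generalisation rules and the sample records are assumptions made for illustration; it also goes one step beyond the text by reporting the diversity of the sensitive attribute within each group, since a group whose members all share one diagnosis still discloses it.

```python
"""k-anonymity check for a de-identified health data extract (added example)."""
from collections import defaultdict

# Quasi-identifiers: attributes that are not direct identifiers on their own but
# can be linked to external sources (electoral rolls, social media) to single
# out a person. The selection is an assumption for this example.
QUASI_IDENTIFIERS = ("postcode", "birth_year", "sex")
SENSITIVE_ATTRIBUTE = "diagnosis"

# Constructed sample records. Direct identifiers (name, ID card, Social
# Security number) have already been separated, as the Patient Autonomy Law
# requires; what remains can still be re-identified through the quasi-identifiers.
RECORDS = [
    {"postcode": "28001", "birth_year": 1985, "sex": "F", "diagnosis": "asthma"},
    {"postcode": "28001", "birth_year": 1987, "sex": "F", "diagnosis": "diabetes"},
    {"postcode": "28002", "birth_year": 1983, "sex": "F", "diagnosis": "hypertension"},
    {"postcode": "28004", "birth_year": 1989, "sex": "F", "diagnosis": "asthma"},
    {"postcode": "28015", "birth_year": 1972, "sex": "M", "diagnosis": "asthma"},
    {"postcode": "28017", "birth_year": 1975, "sex": "M", "diagnosis": "diabetes"},
    {"postcode": "28019", "birth_year": 1978, "sex": "M", "diagnosis": "hypertension"},
    {"postcode": "08001", "birth_year": 1990, "sex": "M", "diagnosis": "asthma"},
]


def equivalence_classes(records, quasi_ids=QUASI_IDENTIFIERS):
    """Group records by their quasi-identifier tuple."""
    classes = defaultdict(list)
    for rec in records:
        classes[tuple(rec[q] for q in quasi_ids)].append(rec)
    return dict(classes)


def k_anonymity(records, quasi_ids=QUASI_IDENTIFIERS):
    """Return k: the size of the smallest equivalence class (0 for an empty extract)."""
    classes = equivalence_classes(records, quasi_ids)
    return min((len(c) for c in classes.values()), default=0)


def singletons(records, quasi_ids=QUASI_IDENTIFIERS):
    """Records that are alone in their class: the direct re-identification risk."""
    return [c[0] for c in equivalence_classes(records, quasi_ids).values() if len(c) == 1]


def generalise(record):
    """Coarsen quasi-identifiers: postcode to its first two digits, birth year to a decade.

    These generalisation rules are an assumption chosen for the example.
    """
    out = dict(record)
    out["postcode"] = record["postcode"][:2] + "***"
    out["birth_year"] = f"{record['birth_year'] // 10 * 10}s"
    return out


def suppress_small_classes(records, k, quasi_ids=QUASI_IDENTIFIERS):
    """Drop every record whose equivalence class has fewer than k members."""
    kept = []
    for cls in equivalence_classes(records, quasi_ids).values():
        if len(cls) >= k:
            kept.extend(cls)
    return kept


def anonymise(records, k):
    """Generalise first, then suppress whatever still falls below the target k."""
    return suppress_small_classes([generalise(r) for r in records], k)


def min_sensitive_diversity(records, quasi_ids=QUASI_IDENTIFIERS, attr=SENSITIVE_ATTRIBUTE):
    """Smallest number of distinct sensitive values in any class (the l of l-diversity)."""
    classes = equivalence_classes(records, quasi_ids)
    return min((len({r[attr] for r in c}) for c in classes.values()), default=0)


if __name__ == "__main__":
    print("raw extract: k =", k_anonymity(RECORDS), "unique records:", len(singletons(RECORDS)))
    generalised = [generalise(r) for r in RECORDS]
    print("after generalisation: k =", k_anonymity(generalised), "still unique:", singletons(generalised))
    released = anonymise(RECORDS, 3)
    print("released with k=3:", len(released), "records, k =", k_anonymity(released),
          "l =", min_sensitive_diversity(released))
```

On the constructed extract every raw record is unique on its quasi-identifiers, so k is 1; generalisation alone still leaves one unique record (the only 08 postcode), which is why a release process needs a suppression step as well, and why the resulting k and l values should be recorded as evidence of the anonymisation that Recital 26 presupposes.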

Recent enforcement actions

Since the GDPR came into application, the SDPA has imposed a number of fines for violations involving the processing of health data. The most severe penalties have been imposed for unauthorised access to medical records and for keeping records containing health data under inadequate security conditions.