Health data processed for insurance purposes – amendments to the Subsidiary Legislation 586.10

On 27 March 2020, Legal Notice 107 of 2020 was enacted to amend the Processing of Data Concerning Health for Insurance Purposes Regulations (“Subsidiary Legislation 586.10”). These amendments were widely anticipated and serve to clarify the conditions under which ‘data concerning health’ may be processed for the purposes of insurance business and insurance distribution in accordance with Maltese data protection law.

‘Data concerning health’ is defined under the EU General Data Protection Regulation 2016/679 (“GDPR”) as “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.” The GDPR categorises data concerning health as a special category of personal data which may only be processed where one of the specific grounds in Article 9(2) applies. Under the enabling power in Article 9(4) of the GDPR, Member States may maintain or introduce further conditions, including limitations, with regard to the processing of health data.

By virtue of Subsidiary Legislation 586.10, the Maltese legislator exercised the power granted under Article 9(4) GDPR and introduced further conditions (over and above those provided for under the GDPR) under which ‘health data’ may be processed. The amended Subsidiary Legislation 586.10 now states that “the processing of data concerning health shall be deemed to be in the substantial public interest when such processing is necessary for the purpose of the business of insurance or insurance distribution activities.”

This new provision relies on the notion of ‘substantial public interest’, which is one of the grounds under which data concerning health may be processed (Article 9(2)(g) GDPR). It is also consistent with the GDPR’s own recitals, which contemplate that “a derogation may be made for health purposes [...] in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system” (Recital 52). Accordingly, by means of the amendments introduced to Subsidiary Legislation 586.10, it has now been clarified that both the “business of insurance” and “insurance distribution activities” constitute a “substantial public interest”, which should dispel the uncertainty that previously existed under Maltese law as to whether Article 9(2)(g) could be relied upon in a health-insurance context. The terms ‘business of insurance’ and ‘insurance distribution activities’ are also now defined, providing further clarity to insurers and insurance intermediaries.

Prior to these amendments, the processing conditions under Subsidiary Legislation 586.10 referred to consent, which was not entirely consistent with the notion of consent under the GDPR: consent must be freely given, specific, informed and unambiguous and, for a special category of data such as health data, explicit. Within the EU, the role of consent in the processing of health data was also a hotly debated issue. Before the amendments, under Regulation 4(1)(b) of Subsidiary Legislation 586.10, the processing of health data for insurance purposes depended on three cumulative conditions:

1. that the processing is necessary and proportionate for the purposes of a policy in the business of insurance;
2. that the data controller cannot reasonably be expected to obtain the consent of the data subject; and
3. that the data controller is not aware that the data subject is withholding consent.

These cumulative conditions, and in particular the references to consent, departed from the principle that consent must be freely given, meaning that the data subject must have a genuine and free choice to refuse or withdraw consent without detriment (Recital 43 GDPR). For that reason, the provision of a service such as the issuance of an insurance policy should preferably not rest on consent as its legal ground: if the requested service will be refused unless consent is given, it is arguable that the customer never had a real ‘free or genuine’ choice. Furthermore, it goes without saying that health data must be collected in order to issue health insurance policies at all; the appropriate lawful basis is therefore not consent, but the recognition that the processing of health data for insurance purposes serves a substantial public interest.

The new amendments are certainly a step in the right direction in that they delete the previous Regulation 4 and substitute a new Regulation 4. The new Regulation removes the reference to consent and establishes that “the processing of data concerning health shall be deemed to be in the substantial public interest when such processing is necessary for the purpose of the business of insurance or insurance distribution activities”. Notwithstanding these welcome amendments, it is crucial to bear in mind Regulation 4(2), which provides that such processing must be “subject to the suitable and specific measures designed to safeguard the fundamental rights and freedoms of data subjects”, and Regulation 4(1) of the amended Subsidiary Legislation 586.10, under which processing may only take place where it is “necessary”. Accordingly, the industry should process health data only where it is strictly necessary. The processing of data concerning health should remain the exception rather than the norm, since such data must be afforded a higher degree of protection.