By virtue of Legal Notice 107 of 2020 and in the midst of the COVID-19 pandemic, the Processing of Data concerning Health for Insurance Purposes Regulations (Subsidiary Legislation 586.10 of the Laws of Malta) (the "Regulations") for insurance businesses have been amended.
The purpose of the Regulations is to set out specific grounds for the processing of health-related data, especially since in terms of the General Data Protection Regulation ("GDPR"), health-related data is deemed to be a special category of personal data (i.e. "sensitive data"), which can thus be processed only for limited specific purposes and in line with stringent conditions and safeguards. In fact, such processing is strictly prohibited unless it qualifies for one of the relevant exemptions under the GDPR.
Amendments to the Regulations
Prior to the amendments, the grounds for processing personal health data for insurance (strangely) included reference to withholding of consent as a reason to have recourse to the Regulations. Regulation 4 of the Regulations read as follows:
- such processing is necessary and proportionate for the purposes of a policy in the business of insurance;
- the data controller cannot reasonably be expected to obtain the consent of the data subject; and
- the data controller is not aware that the data subject is withholding consent.
Following the amendments, this now reads as follows:
"The processing of data concerning health shall be lawful where:
- The processing of data concerning health shall be deemed to be in the substantial public interest when such processing is necessary for the purpose of the business of insurance or insurance distribution activities.
- The processing referred to in this regulation shall be subject to the suitable and specific measures designed to safeguard the fundamental rights and freedoms of data subjects."
The scope of the Regulations has also been widened to capture, over and above the classical business of insurance, insurance distribution activities as defined in the Insurance Distribution Act, Chapter 487 of the Laws of Malta, that is: activities of advising on, proposing, or carrying out other work preparatory to the conclusion of contracts of insurance, of concluding such contracts, or of assisting in the administration and performance of such contracts, in particular in the event of a claim, including the provision of information concerning one or more contracts of insurance in accordance with criteria selected by the clients, through a website or other media and the compilation of an insurance product ranking list, including price and product comparison, or a discount on the price of a contract of insurance, when the client is able to directly or indirectly conclude a contract of insurance using a website or other media, and includes the activities listed in paragraphs (1) to (5) of the Third Column of the Schedule, the distribution activities carried out by an authorised insurance undertaking and any other activities as may be prescribed; in the
The notion of consent as a justification for the processing of health data for purposes of insurance has been done away with in line with the spirit of the GDPR with respect to public interests.
Given also the timing of these amendments in view of COVID-19, the Regulations may be of use, since we are in a situation where there is a pressing need for the prevention or "control of communicable diseases and other serious threats to health."
Effectively, the amendments now clarify that the processing of personal health data necessary for the health insurance system to function is to be allowed based on a substantial public interest and in line with fundamental freedoms.