As reported, an expert opinion by Prof. Wolfgang Wohlers on the disclosure of data subject to professional secrecy (e.g., patient data) to outsourcing providers has caused a stir. Wohlers considers such disclosure without the consent of the person entitled to the secret to be unlawful unless the disclosure is indispensable and foreseeable for that person, and this despite the fact that the law already counts auxiliary persons among the bearers of the secret who are liable to punishment for breaching it. In practice, the opinion has met with considerable skepticism, at least as to its conclusions.
privatim, the association of Swiss data protection commissioners, has now presented a proposed solution in response:
privatim, the association of Swiss data protection commissioners, is firmly committed to strong protection of health data in the interest of patients. At the same time, privatim is aware that the trend toward outsourcing health data cannot be stopped. The data protection commissioners therefore advocate a pragmatic middle way, which enables the outsourcing of health data while guaranteeing patient confidentiality: the third party, i.e. the outsourcing provider, does not obtain knowledge of the data. Specifically, this would mean that personal health data may be outsourced only in encrypted form and that key management in any case remains with the client, that is, with the doctor or the hospital. In individual cases, a contractually secured deviating solution would be possible. With an amendment to the law, cloud services and IT companies could also be held accountable and certified for compliance with medical professional secrecy, for example.
The first part of the solution, handing over encrypted data while the key stays out of the provider's reach, does not disclose the secret at all and is already permissible today without further ado: what the provider receives is ciphertext it cannot read. The second part, the contractually secured deviation in individual cases, would however be a relief compared to the Wohlers opinion. The proposal nevertheless leaves questions open:
- That key management remains with the client does not by itself mean that the key is inaccessible to the provider under all circumstances; if, for instance, the provider has to decrypt the data in order to process it, the key is within its reach regardless of who formally manages it. Nor does it mean that the client may not decrypt data in individual cases.
- If deviations are possible "in individual cases", does "individual case" mean "in each individual case" or rather "in cases described in detail"? On the second reading, outsourcing in typical cases could be contractually secured across the board.
- Is the proposed solution meant de lege lata or de lege ferenda? Since the reference to a change in the law concerns only the certification of providers, it follows that the rest of the proposal is intended to apply under current law already.
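The first part of the solution and the first open question above turn on a technical distinction: whether the provider holds ciphertext only, or whether the client's key ends up within the provider's reach. The following is an added example, not code from the original article or from privatim, that models this in Go with AES-256-GCM from the standard library: the client seals a constructed sample record and keeps the key, the provider stores only the blob, and two reading attempts (no key, then the client's key handed over as the "deviating solution") show exactly where "key management with the client" stops protecting the secret. The Provider type, the Scenarios function and the sample record are assumptions made for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sampleRecord is constructed test data for this illustration, not a real patient record.
const sampleRecord = "patient: Muster, Hans; dx: ICD-10 E11.9"

// NewKey returns a fresh 256-bit AES key; in the privatim model the client generates and keeps it.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts with AES-256-GCM; the returned nonce||ciphertext||tag is all that leaves the client.
func Seal(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal; GCM authenticates, so a wrong key or tampered blob is an error, not garbage.
func Open(key, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], nil)
}

// Provider is a hypothetical model of the outsourcing provider: it holds only the blobs it is given and, if handed over, a key.
type Provider struct {
	Blobs map[string][]byte
	Key   []byte // nil in the baseline model
}

// TryRead is the provider attempting to read a record with whatever key it has.
func (p *Provider) TryRead(id string) (string, error) {
	if p.Key == nil {
		return "", errors.New("ciphertext only: no key, no plaintext")
	}
	pt, err := Open(p.Key, p.Blobs[id]) // an unknown id gives a nil blob, which Open rejects
	return string(pt), err
}

// Outcome records whether the provider could read the record while holding no
// key, and whether it could once the client's key was shared with it.
type Outcome struct{ ReadWithoutKey, ReadWithClientKey bool }

// Scenarios runs the baseline (encrypted outsourcing, key with the client) and
// then the deviating case in which the key is handed to the provider.
func Scenarios() (Outcome, error) {
	var o Outcome
	clientKey, err := NewKey()
	if err != nil {
		return o, err
	}
	blob, err := Seal(clientKey, []byte(sampleRecord))
	if err != nil {
		return o, err
	}
	// Baseline: the provider stores the blob and nothing else.
	p := &Provider{Blobs: map[string][]byte{"rec-1": blob}}
	_, err = p.TryRead("rec-1")
	o.ReadWithoutKey = err == nil
	// Deviating solution: the key is shared, and the provider can now read the secret.
	p.Key = clientKey
	got, err := p.TryRead("rec-1")
	o.ReadWithClientKey = err == nil && got == sampleRecord
	return o, nil
}

func main() {
	o, err := Scenarios()
	fmt.Println(o, err) // {false true} <nil>
}
```

The client decrypting "in individual cases" within its own environment is simply Open with its own key and changes nothing for the provider; the boundary that matters is the moment p.Key is set, whether by handing the key over outright or by decrypting on the provider's systems. Contract language about "key management" should therefore be checked against that moment, not against who nominally administers the key.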
As a result, privatim's proposal should probably be read to mean that the outsourcing of patient data (and presumably other data subject to professional secrecy as well) is de lege lata permissible without consent, despite the Wohlers expert opinion, provided that the outsourcing is contractually secured for specifically defined cases, with particular weight attached to data security.