Under the GDPR, who would be LEAST likely to be allowed to engage in the collection, use, and disclosure of a data subject’s sensitive medical information without the data subject’s knowledge or consent?
A. A member of the judiciary involved in adjudicating a legal dispute involving the data subject and concerning the health of the data subject.
B. A public authority responsible for public health, where the sharing of such information is considered necessary for the protection of the general populace.
C. A health professional involved in the medical care for the data subject, where the data subject’s life hinges on the timely dissemination of such information.
D. A journalist writing an article relating to the medical condition in question, who believes that the publication of such information is in the public interest.
The GDPR defines data concerning health as a special category of personal data that is subject to specific processing conditions and safeguards. The GDPR prohibits the processing of such data unless one of the exceptions in Article 9 applies. One of these exceptions is the explicit consent of the data subject, which means that the data subject has given a clear and affirmative indication of their agreement to the processing of their health data. Another exception is when the processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care. A third exception is when the processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services. These exceptions are based on the principle of necessity, which means that the processing must be strictly necessary for a specific purpose and cannot be achieved by other means.
In the given scenario, the journalist does not fall under any of these exceptions. The journalist is not a health professional, a public authority, or a person who has obtained the explicit consent of the data subject. The journalist is not processing the data for any legitimate purpose related to public health, medical care, or social protection. The journalist is merely pursuing their own interest in publishing a story that may or may not be in the public interest. The journalist is not respecting the data subject’s rights and freedoms, especially their right to privacy and confidentiality. Therefore, the journalist would be least likely to be allowed to engage in the collection, use, and disclosure of the data subject’s sensitive medical information without their knowledge or consent.
References:
Article 4 (15) and Article 9 of the GDPR
Health data | ICO
What does the GDPR mean for personal data in medical reports?
Sensitive data and medical confidentiality - FutureLearn
Health data and data privacy: storing sensitive data under GDPR