The case of social media used for donations of citizens and potential medical data protection:
Example for the potential constructive and destructive use of social media for social good
In February 2019, the Commission for Personal Data Protection of Bulgaria issued a statement about the medical documents regulation in social media. The topic is scarcely debated or analyzed publicly in Bulgaria. The statement’s focus is on the application of Regulation (EU) 2016/679 (General Data Protection Regulation) in relation to the donations collection via Facebook groups.
The commission was initiated by the head of a non-governmental organization named ‘Citizen against the bureaucracy’. The organization gave notice that it had received signals related to donation campaigns for the treatment of people via Facebook groups in which medical documents with specific health condition data were being posted. In addition the NGO stated that despite the prohibition imposed by article 9, Regulation (EU) 2016/679 (General Data Protection Regulation), users insisted individuals with deteriorating health condition or their parents, to publish these documents in which personal data is often not erased. Based on the above, the notifier warned such an approach could prove to be a prerequisite for misuse and requested the commission to declare whether the practice to publish online medical documents referring to health condition could be considered lawful.
The commission made a comprehensive legal analysis and made the following conclusions:
- Publishing medical documents by natural persons or by their relatives is handling of personal data, if the legal definition of the EU regulation is followed. The commission draws attention to the fact that the EU regulation provides for bans if such data related to health condition is published.
- Data on health condition represents a special category of personal data according to article 9 of the regulation and requires increased/enhanced protection of the rights and freedoms of the relevant subjects of data.
The final statement of the Commission puts forward three hypotheses under which publishing of personal medical data could be justified, namely:
- Cases in which the administrator of the website is the one who implements the publishing of the documents, containing health information. In order for this hypothesis to be relevant, the data subject should give her consent in advance.
- Cases in which the person herself publishes the medical documents related to the corresponding illness.
- Lastly, there can be a hypothesis when the information is being published by the relatives of the sick person. This case is considered as related to the vital interests of such person if there is an immediate threat to her life, which is imminent and real if medical help is not implemented.
The Commission for Personal Data Protection also cautiously adds that no matter which one of the three hypotheses described is relevant, the medical data to which the statement refers to is sensitive and is a subject of special protection. In addition, the context of handling those data can create considerable risk for the basic rights and freedoms of the person. The administrator of personal data must therefore undertake suitable technical and organizational measures, having in mind the technical progress, scope, context and goals of processing the information, as well as the risks which may occur in relation to that.
Compiled by Media 21 Foundation from Становище на КЗЛД относно приложението на Регламент (ЕС) 2016/679 при събирането на дарения за лечение посредством групи във „Фейсбук”