Introduction – Healthcare Data Protection
The National Authority for Data Protection and Freedom of Information (hereinafter: the Authority) has published a notice on its website on the data protection aspects of recording in healthcare institutions, i.e. recording of natural persons by means of photography, videography and/or audio recording.
According to the notice the Authority learned from the press that a political party intended to record photographs, videos and reports in health care institutions in order to demonstrate the high temperatures and other unpleasant conditions in the Hungarian healthcare system. In the notice the Authority referenced one of its resolutions previously published in May 2019 on the freedom of information and data protection issues of recording in healthcare institutions.
The Resolution from 2019
The Resolution was based on the fact that a hospital had accepted a new set of rules in connection with photography and video recording in the healthcare institution. According to this, a notice was posted across the hospital that stated that all image, video and audio recordings in the territory of the healthcare institution must be subject to prior authorisation by the General Director of the hospital. This practice was then also implemented by a few other healthcare institutions in their everyday operation.
The Authority concluded that there is a clear public interest in allowing photography and video recording in a hospital in a way that fully respects individual rights and freedoms, and by recording certain events, situations and circumstances in a healthcare institution allows for society to create a dialogue or a public debate as part of freedom of expression. In a democratic society governed by the rule of law, the organisation with a public health function must operate in accordance with the principles of transparency and accountability. In the Authority’s opinion, the general and complete prohibition of recording would disproportionately restrict the fundamental rights of data subjects guaranteed by the constitution of Hungary (Fundamental Law of Hungary).
The head of the healthcare institution acts responsibly if, instead of a general prohibition, he or she ensures to place proper notices and information accessible to the data subjects to draw their attention to their right to privacy and their obligation to respect others’ rights as well when recording, the rules of recording in such institutions and the rules protecting privacy and personal data. Such notices shall also include information about who the data subject may contact within the institution and to whom they may address any comments, questions, queries or requests they may have in order to avoid ‘the force of publicity’ as a means of resolving problems, and not to risk the hospital’s reputation unnecessarily or undermine public confidence in the safety of patient care without a compelling reason.
The current notice
According to the Authority, recordings created in such institutions, provided that they do not contain any personal data, should be considered to be data of common interest, more specifically, data of public interest.
On the other hand, it is essential to be considerate of the fact that patients in such places are in a vulnerable situation, and they, their relatives, healthcare workers and other staff members also have a fundamental right to the protection of their personal data, and as such, any recordings of them should be considered as personal data, if they can be recognised and identified on such recordings. Recording such photos or videos, the collection, storage thereof, the editing or masking before publication are all considered as data processing activities covered by the General Data Protection Regulation (GDPR), and demonstration of the conditions of the healthcare system is not a purpose that may be considered as an exemption from the application of the GDPR.
Particular attention should be paid in this context to the fact that recording images of patients in a healthcare institution may also be constituted as the processing of sensitive data, considering that the GDPR provides for special protection of data relating to the health condition of or the healthcare provided to the person concerned. Determining the purpose and means of the processing of such images, as well as creating, transmitting, editing or masking such recordings create an increased responsibility to the persons or organisations responsible in relation to the processing of such data. In the event of causing significant harm or having a gainful interest in such cases, the controller may also be criminally liable in addition to the consequences of violating the GDPR.
Finally, the Authority also highlighted that acting as a representative does not imply having any additional rights as a data controller, therefore, representatives, notwithstanding their position, shall comply with the GDPR and respect the protection of the right to privacy under the Civil Code.
