GDPR Brief: what records of processing does the GDPR require health sector organisations to maintain?

6 Apr 2020

The GDPR requires entities using personal data for their own ends and performing specified services for third parties using personal data to keep records of their processing activities. The records must be in written or electronic form and be made available to supervisory authorities on request. Beyond minimum requirements of the GDPR, supervisory authorities propose further technological and organizational practices to ensure the accuracy and utility of records.

The GDPR requires entities using personal data for their own ends (controllers) and performing specified services for third parties using personal data (processors) to keep records relating to their processing activities. The records must be held in written or electronic form and be made available to supervisory authorities on request. Beyond the minimum requirements of the GDPR, supervisory authorities propose further technological and organizational practices to ensure the accuracy and utility of records kept.  

Controllers must record their name and contact information, and that of their representative and data protection officer. The categories of personal data processed, the categories of data recipients, the purposes of such processing, and the categories of individuals to whom it relates must be specified. Transfers to third countries and international organizations must be documented, indicating the recipient country or organization. If possible, the controller must document the security measures used in general terms, and the anticipated time limits of data retention for each category of data.    

Each processor must record the name and contact details of the controller(s) for which it is acting. For each controller, the processor must maintain the following records. The processor must document the categories of data processed. Transfers to third countries and international organizations must be documented, indicating the recipient country or organization. The processor must also document its own name and contact details, as well as the name of its own representative and data protection officer or those of the controller. If possible, the processor must document the anticipated security measures used.  

For ‘exceptional’ transfers of personal data to non-EEA countries and international organizations that are not deemed ‘adequate’ and not carried out using another habitual GDPR transfer mechanism, the controller or processor must maintain detailed documentation of the safeguards used to protect the data.  

Health sector entities should be vigilant of additional record-keeping requirements imposed by their local laws. Belgium and the United Kingdom, for example,  have implemented additional record-keeping requirements in their national data protection legislation.   

Hospitals and other organizations managing large quantities of health data have expressed concerns as to the capacity of their health informatics infrastructures to maintain such records. While entities with fewer than 250 employees may be exempt, where genomic and health-related data are processed, the record-keeping obligations remain the same. Generally, even small entities holding health data will have to respect the record-keeping requirements. Hospital administrators and health informatics communities have proposed integrating audit logs and audit trails to information technology infrastructures as potential mechanisms for automating or facilitating the creation of such records.

Beyond technical measures, the United Kingdom’s Information Commissioner’s Office (ICO) further recommends that organization heads interview staff members and conduct data audits across departments to gain further insight into data handling practices and the nature of the data held. Agreements, contracts, internal documents such as policies, breach reports, consent documentation, and data protection impact assessments are best retained along with the statutorily required reports and can assist in the compilation thereof.  Using data flow maps can also be helpful in establishing records of processing activities. France’s supervisory authority, CNIL, recommends updating the records when the processing activities change. The CNIL and other national supervisory authorities have published record models for use by controllers and processors. 

Relevant GDPR Articles and Recitals: 

• GDPR Article 30 – Records of processing activities
• GDPR Article 32 – Security of processing
• GDPR Article 49 – Transfers of personal data to third countries or international organisations (Derogations for specific situations)
• GDPR Recital 13 – Taking Account of Micro, Small and Medium-Sized Enterprises
• GDPR Recital 82 – Record of Processing Activities

Further reading: 

• The United Kingdom Information Commissioner’s (ICO) Guide to the General Data Protection Regulation (GDPR), On Documentation.
• France CNIL Data Protection Toolkit, Record of Processing Activities.
• The Article 29 Working Party: Position Paper on GDPR Record-Keeping Obligations.
• Cátia Santos-Pereira et al. “Are the Healthcare Institutions Ready to Comply with Data Traceability Required by GDPR? A Case Study in a Portuguese Healthcare Organization.” HEALTHINF 2020 – 13th International Conference on Health Informatics, Conference Proceedings.
• Regina Becker, Pinar Alper, Valentin Grouès, Sandrine Munoz, Yohan Jarosz, Jacek Lebioda, Kavita Rege, Christophe Trefois, Venkata Satagopam, Reinhard Schneider. “DAISY: A Data Information System for accountability under the General Data Protection Regulation.” GigaScience, Volume 8, Issue 12, December 2019.

Alexander Bernier (B.C.L, LL.B) is an Articling Student at McGill University’s Centre of Genomics and Policy.

Funding acknowledgements: The author wishes to thank EUCANCan, euCanSHare, and the Cancer Genome Collaboratory for their financial support.

See all previous briefs.

Please note that GDPR Briefs neither constitute nor should be relied upon as legal advice. Briefs represent a consensus position among Forum Members regarding the current understanding of the GDPR and its implications for genomic and health-related research. As such, they are no substitute for legal advice from a licensed practitioner in your jurisdiction.