GA4GH GDPR Brief: What Records of Processing Does the GDPR Require Health Sector Organizations to Maintain? (April 2020)

6 April 2020

GDPR, regulatory and ethics

The GDPR requires entities using personal data for their own ends (controllers) and performing specified services for third parties using personal data (processors) to keep records relating to their processing activities. The records must be held in written or electronic form and be made available to supervisory authorities on request. Beyond the minimum requirements of the GDPR, supervisory authorities propose further technological and organizational practices to ensure the accuracy and utility of records kept.  

Controllers must record their name and contact information, and that of their representative and data protection officer. The categories of personal data processed, the categories of data recipients, the purposes of such processing, and the categories of individuals to whom it relates must be specified. Transfers to third countries and international organizations must be documented, indicating the recipient country or organization. If possible, the controller must document the security measures used in general terms, and the anticipated time limits of data retention for each category of data.    

Each processor must record the name and contact details of the controller(s) for which it is acting. For each controller, the processor must maintain the following records. The processor must document the categories of data processed. Transfers to third countries and international organizations must be documented, indicating the recipient country or organization. The processor must also document its own name and contact details, as well as the name of its own representative and data protection officer or those of the controller. If possible, the processor must document the anticipated security measures used.  

For ‘exceptional’ transfers of personal data to non-EEA countries and international organizations that are not deemed ‘adequate’ and not carried out using another habitual GDPR transfer mechanism, the controller or processor must maintain detailed documentation of the safeguards used to protect the data.  

Health sector entities should be vigilant of additional record-keeping requirements imposed by their local laws. Belgium and the United Kingdom, for example,  have implemented additional record-keeping requirements in their national data protection legislation.   

Hospitals and other organizations managing large quantities of health data have expressed concerns as to the capacity of their health informatics infrastructures to maintain such records. While entities with fewer than 250 employees may be exempt, where genomic and health-related data are processed, the record-keeping obligations remain the same. Generally, even small entities holding health data will have to respect the record-keeping requirements. Hospital administrators and health informatics communities have proposed integrating audit logs and audit trails to information technology infrastructures as potential mechanisms for automating or facilitating the creation of such records.

Beyond technical measures, the United Kingdom’s Information Commissioner’s Office (ICO) further recommends that organization heads interview staff members and conduct data audits across departments to gain further insight into data handling practices and the nature of the data held. Agreements, contracts, internal documents such as policies, breach reports, consent documentation, and data protection impact assessments are best retained along with the statutorily required reports and can assist in the compilation thereof.  Using data flow maps can also be helpful in establishing records of processing activities. France’s supervisory authority, CNIL, recommends updating the records when the processing activities change. The CNIL and other national supervisory authorities have published record models for use by controllers and processors. 

Relevant GDPR Articles and Recitals: 

Further reading: 

Alexander Bernier (B.C.L, LL.B) is an Articling Student at McGill University’s Centre of Genomics and Policy.

Funding acknowledgements: The author wishes to thank EUCANCan, euCanSHare, and the Cancer Genome Collaboratory for their financial support.

For a list of previous briefs, please consult here.

Please note that GDPR Briefs neither constitute nor should be relied upon as legal advice. Briefs represent a consensus position among Forum Members regarding the current understanding of the GDPR and its implications for genomic and health-related research. As such, they are no substitute for legal advice from a licensed practitioner in your jurisdiction.