Legal Updates to Malta’s Data Protection Regime

Official Abolishment of Notification Requirements, Third Country Data Transfers & New Regulations on Secondary Processing of Health Data

  • Legal Update 1: Revocation of Certain Outdated Laws

On the 12th November 2019, Legal Notices 296, 297 and 298 of 2019 were published. Their purpose is to revoke certain laws that were outdated and not applicable in practice following the coming into force of the General Data Protection Regulation (“GDPR”) in May 2018. More specifically, the relevant Legal Notices revoked:

  1. the Notification and Fees (Data Protection Act) Regulations (S.L. 586.02 of the Laws of Malta), which imposed an obligation on controllers to notify the Information and Data Protection Commissioner (“IDPC”) before carrying out any wholly or partially automated or manual processing operation on personal data;
  2. the Third Country (Data Protection Act) Regulations (S.L. 586.03 of the Laws of Malta) which imposed the obligation on controllers to notify the IDPC prior to transferring personal data to a third country; and
  3. the Transfer of Personal Data to Third Countries Order (S.L. 586.05 of the Laws of Malta) which permitted the transfers of personal data for tax-related purposes to certain third countries listed within this subsidiary legislation.

  • Legal Update 2: New Laws on the Secondary Processing of Personal Data in the Health Sector

On the 8th of October 2019, Legal Notice 263 of 2019 was published. This Legal Notice is intended to enact the Processing of Personal Data (Secondary Processing) (Health Sector) Regulations (S.L. 528.10 of the Laws of Malta) (“the Regulations”).

The purpose of the Regulations is to permit certain secondary processing of personal data in the health sector, effectively allowing the processing of health data for purposes other than those for which the personal data was initially collected in certain cases by health care professionals.

Such secondary health data processing may be allowed for specific cases, mainly:

  1. for the processing and analysis of records by licensed entities within the health sector for the purpose of managing and enhancing health services;
  2. for the analysis of health records, as supplied by the Ministry for Health, for the purpose of monitoring and ensuring the quality and cost effectiveness of the health service;
  3. for the monitoring of contractual obligations, for quality control and for the management of information and monitoring of services and systems arising from public-private partnerships and partnerships with non-governmental organisations (“NGO”). Moreover, secondary processing is also allowed for the purposes of ensuring adherence to contractual obligations and the delivery of a safe and accessible service;
  4. to fulfil obligations related to the provision of statistical information;
  5. for the compilation of evidence in medico-legal cases;
  6. for the investigation and monitoring of health threats; and
  7. to access health records for research activities.

The Regulations also provide that health data can be processed for research activities which are in the public interest. Where in such cases it is not possible to anonymise such personal data, secondary processing is allowed subject to the following conditions:

  • in the case of research activity conducted by the Ministry of Health or its partners, such research can be carried out following approval of the Health Ethics Committee within the Ministry of Health and after obtaining prior authorisation from the IDPC;
  • in the case of research activity conducted by academics or students or NGOs having the remit to assist patients in need in the health sector, such research can be carried out following approval of any other ethics committee recognised by the IDPC and after obtaining prior authorisation by the IDPC.

In such cases personal data must be pseudonymised; however, if this is also not possible, appropriate measures should be taken to safeguard the rights and freedoms of data subjects by ensuring that the personal data is anonymised as soon as it is no longer required in an identifiable manner for the purpose of carrying out research or statistical studies.

Finally, in all other cases, consent of the data subject will be required in line with the GDPR for any secondary processing. 

Article written by Dr Terence Cassar, Dr Bernice Saliba and Legal Trainee Mr Philippe Martens.

For more information or assistance on data protection, privacy and e-commerce laws kindly contact Dr Ian Gauci on igauci@gtgadvocates.com or Dr Terence Cassar on tcassar@gtgadvocates.com.

Disclaimer: This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.