Personal health data covers a variety of information, such as an individual’s health status, medical history, and genetic information. This data is created and recorded when an individual receives healthcare services or obtains information about their health status. Personal health data includes any information that identifies a person, either directly (such as name or ID number) or indirectly (such as genetic information).
This data is broadly divided into several main categories. The first is demographic information, which includes basic details such as age, gender, and date of birth. Medical history covers previous illnesses, surgeries, medications, and vaccinations. Genetic information is also an important part of personal health data, as are laboratory test and imaging results. In addition, lifestyle information, such as smoking or alcohol use, dietary habits, and exercise patterns, is an important component of health data.
The protection of personal health data is of great importance for the privacy and security of individuals. Access to this information by unauthorized persons may pose serious threats to the security and privacy of individuals. It is, therefore, extremely important that personal health data is securely stored and accessible only by authorized persons.
Importance of Health Data Protection
Today, the rapid development of digital technologies has led to radical changes in the health sector. Innovations such as electronic health records (EHR) and telemedicine have enabled healthcare services to reach faster, more effective, and wider audiences. Health data is now collected, stored, and easily shared across the world on digital platforms. This digitalization has brought many advantages, such as improving the treatment processes of patients, increasing access to healthcare services, and accelerating medical research.
However, such widespread use of health data in the digital environment has also raised serious concerns about privacy rights and data security. Digital health data not only enhances communication between patients and doctors but also becomes accessible to insurance companies, pharmaceutical companies, and other third parties. This poses the risk of unauthorized interception, unauthorized use, or misuse of health data for commercial purposes.
Protecting health data is critical to safeguarding the privacy rights of individuals and ensuring the integrity of health systems. When health data is compromised, this can have a wide range of negative consequences, from identity theft of individuals to damage to the integrity of health systems. Health data protection is, therefore, an indispensable requirement for the sustainability and reliability of modern health systems.
Individual Rights and Privacy
Individuals’ health data is considered one of the most important elements of privacy. This data includes highly personal information such as a person’s physical and mental state, medical history, and genetic information. The acquisition or unauthorized sharing of health data by unauthorized persons can seriously violate individuals’ privacy rights and, therefore, requires special protection.
Regulations such as the European Union’s General Data Protection Regulation (GDPR) protect individuals’ rights over their health data, requiring that such data be processed only with their explicit consent. The GDPR classifies health data as “special category data” and imposes strict rules for its processing. These regulations aim to increase individuals’ control over their health data and ensure the protection of this data.
In Turkey, a similar regulation entered into force with Law No. 6698 on the Protection of Personal Data (KVKK). The KVKK was enacted to ensure the protection of personal data and to determine the rules regarding the processing of such data. The Law defines health data as “special categories of personal data” and stipulates strict regulations on the processing of such data.
According to the KVKK, health data may only be processed with the explicit consent of the data subject or for the protection of public health, medical diagnosis, treatment, and care services.
The KVKK also requires organizations that process health data to take the necessary technical and administrative measures to protect the confidentiality and integrity of such data. In Turkey, these regulations on the protection of health data aim to protect the privacy rights of individuals and ensure trust in the health system.
The protection of health data in Turkey is secured by Law No. 6698 on the Protection of Personal Data (KVKK). Enacted in 2016, this law sets out the rules on the processing, storage, and sharing of personal data and classifies health data as “special categories of personal data”. The KVKK stipulates strict rules on the processing of health data and permits the processing of such data only with the explicit consent of the data subject or for the protection of public health, medical diagnosis, and treatment services. In addition, serious regulations have been introduced on data security. Institutions that process health data are obliged to take the necessary technical and administrative measures to protect the confidentiality and integrity of such data.
In a recent decision of the 12th Criminal Chamber of the Court of Cassation, the definition of personal data was elaborated in detail.
“Identity number, name, surname, place and date of birth, mother and father’s names, criminal record, place of residence, educational status, occupation, bank account information, telephone number, e-mail address, blood type, marital status, fingerprints, DNA, biological samples, sexual and moral orientation, health information, ethnic origin, political, philosophical and religious views, trade union affiliations, etc., which identify or make identifiable the identity of the person, distinguish the person from other individuals in the society and are suitable for revealing his/her qualities.”
This definition confirms that health data is also personal data and underlines the importance of protecting it. This decision of the Court of Cassation shows how strong the legal basis for the protection of health data is in Turkey and that violations may face serious sanctions.
The Personal Data Protection Board Decision dated 05/12/2018 and numbered 2018/1436 was taken against a data controller who transferred health data to a third party without relying on any of the processing conditions specified in Article 6 of the Personal Data Protection Law No. 6698 (KVKK). The decision resulted from a complaint filed by a person who uses medication under the supervision of a doctor, after the pharmacy that dispensed the medication shared this sensitive health data with a third party without any processing condition being met.
The decision notes that paragraph 1 of Article 6 of the KVKK defines health data as special categories of personal data and prohibits processing such data without the explicit consent of the data subject. In addition, paragraph 3 of the same article stipulates that health data may be processed without explicit consent by persons under an obligation of confidentiality or by authorized institutions and organizations for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management and financing of health services.
On the other hand, paragraph 1 of Article 12 of the KVKK stipulates that the data controller is obliged to take the necessary technical and administrative measures to prevent unlawful processing of and access to personal data and to ensure its preservation. Paragraph 4 of the same article stipulates that data controllers may not disclose the personal data they have learned to anyone else and may not use it for purposes other than those of the processing. In this context, since the transfer of the data subject’s health data to a third party by the pharmacy without meeting the conditions specified in Article 8 constitutes a violation of paragraph 4 of Article 12 of the KVKK, it was decided to impose an administrative fine on the data controller pharmacy in accordance with Article 18 of the KVKK.
This decision emphasizes how sensitive and important the protection of health data is. Health data is considered to be one of the most private types of personal data that needs to be protected. This decision of the Personal Data Protection Board clearly demonstrates how meticulous data controllers must be in protecting health data and that such data can only be processed under the conditions specified in the Law.
The decision also emphasizes the importance of the principle of “explicit consent” in the processing and transfer of personal data and shows that sharing health data without the explicit consent of the data subject is considered a serious violation, and criminal sanctions are applied accordingly. This decision serves as a warning for data controllers and emphasizes that obligations regarding data security must be taken seriously.
Rights of Data Subjects and Obligations of Data Controllers in Protecting Personal Health Data
In the protection of personal health data, both the data subject and the data controller have various rights and obligations. The rights of the data subject include fundamental entitlements such as requesting information about the processing of health data and demanding the correction or deletion of such data. The data subject has the right to be informed about the purposes for which health data is collected, how it is processed, and with whom it is shared. Additionally, they may challenge the accuracy of processed data and request updates or corrections. These rights, which are crucial for protecting personal health data, aim to safeguard individual privacy. Furthermore, the data subject has the right to claim compensation for damages if the data is unlawfully processed or its security cannot be ensured.
Data controllers, as key actors in this process, are required to fulfill specific obligations. Among these, the obligation to inform is one of the primary and most important responsibilities of data controllers. This obligation entails providing the data subject with clear, comprehensible, and accessible information regarding data processing activities during the collection of personal health data. From the moment data is collected, controllers must inform the data subject about the purpose of processing, with whom the data will be shared, and the legal basis for the processing activity. Furthermore, in cases where personal data is not directly obtained from the data subject, data controllers must communicate this information to the data subject within a reasonable period. During this process, all information-sharing procedures, including details about the security measures in place for data processing, must comply with established rules and principles.
Another critical obligation of data controllers is to ensure data security. In this context, data controllers must take all necessary technical and administrative measures to protect personal health data against unauthorized access, disclosure, alteration, or deletion. These measures aim to minimize security vulnerabilities that may arise during data processing and ensure the integrity of the data. In the event of a data breach, data controllers are required to promptly notify the affected individuals and the Personal Data Protection Authority. Quick and effective reporting of data breaches is among the measures taken to minimize harm to the affected individuals.
Lastly, data controllers are mandated to register with the Data Controllers Registry (VERBIS) maintained by the Personal Data Protection Authority. This registry is established to ensure transparency and supervision of the processing activities of data controllers. The obligation to register with VERBIS requires data controllers to document and regularly update all processes related to the health data they process. Although certain exceptions to this registration requirement exist, these exemptions are highly limited for organizations processing health data and must be carefully evaluated to ensure data security. Adherence to these rights and obligations by both data controllers and data subjects ensures the secure processing and protection of personal health data. The legislation and practices regarding the protection of personal data aim to safeguard individual privacy as well as societal security. Therefore, it is of utmost importance for both data controllers and data subjects to act consciously and responsibly.
Impact of Security Breaches
The security of health data is critical not only for individual privacy but also for the security of healthcare systems. Health data breaches can lead to the exposure of personal information and cause significant security issues within healthcare systems. In the event of a data breach, the leaked information can be exploited by malicious actors for identity theft, fraud, or extortion. Such incidents can result in financial and emotional harm to individuals and erode public trust in the healthcare system.
For instance, the 2015 data breach at Anthem Inc. in the United States is known as one of the largest health data breaches in history. In this case, the personal health information of approximately 78.8 million individuals (including names, dates of birth, Social Security numbers, and addresses) was accessed by unauthorized individuals. As a result, Anthem faced significant legal challenges and was required to pay millions of dollars in compensation. This incident highlighted the critical importance of protecting health data and underscored the need for healthcare providers to adopt stringent data security measures.
A similar incident occurred in Turkey in 2020, where an employee at a private hospital accessed patient health data without authorization and shared it with third parties without consent. This incident underscored the significance of security measures for protecting health data in Turkey. The Personal Data Protection Authority identified this breach and imposed a substantial administrative fine on the hospital. This case demonstrated that technical security measures alone are insufficient; a robust legal and ethical framework is also necessary. Such data breaches not only violate individuals’ privacy rights but also threaten the integrity of healthcare systems.