Updates to Argentina’s health privacy laws

Recently, in the context of the COVID-19 pandemic, the Argentine Congress passed Law No. 27.553 on Electronic or Digital Prescriptions (the "EoD Prescriptions Law").

The EoD Prescriptions Law provides for certain measures to modernize the Argentine health system. Among other things, it allows health care providers to prescribe medicines through electronic or digital prescriptions and sign them by hand, electronically or digitally.

The law also provides for the implementation of electronic and digital signatures on electronic or digital prescriptions and/or on the digital records or files that pharmacies must keep to comply with the provisions of current legislation, in particular Law No. 25,506 on Digital Signatures.

Moreover, the EoD Prescriptions Law is not limited to prescribing medicine by electronic means; it also provides for the use of health care teleassistance platforms throughout the Argentine territory, in accordance with Law No. 25,326 on the Protection of Personal Data and Law No. 26,529 on the Rights of the Patient.

It is worth noting that under local law, health data is considered sensitive data. Public or private health care institutions and professionals in the health sciences are authorized to collect and process such data regarding the physical or mental health of their patients. Sensitive data is subject to stricter obligations, including security and confidentiality obligations, with recommended security measures based on Regulation No. 47/2018 of the Argentine Data Protection Authority.

Further regulation of the EoD Prescriptions Law is still pending. Such regulation could bring more certainty on certain aspects of the implementation of the law with regard to privacy and data protection.

In that sense, the EoD Prescriptions Law also sets forth that the Enforcement Authority is responsible for the custody of the databases associated with the electronic systems of electronic or digital prescriptions and health care teleassistance platforms.

Likewise, the Enforcement Authority is responsible for outlining the criteria pertaining to the access to such databases and for ensuring strict compliance with Data Protection Law, among other regulations.

Last but not least, regarding data retention, the EoD Prescriptions Law provides that in connection with the prescription of certain medicines, pharmacies should retain the prescriptions for a term no shorter than three years, after which they could be deleted with prior communication to the corresponding health authorities.

DPA releases guidelines on temperature checks during COVID-19

While Congress was working on the passage of the EoD Law, in September, Argentina’s data protection authority, the Agency of Access to Public Information, issued guidelines for implementation — by public and private entities — of temperature checks within the context of the COVID-19 pandemic.

The DPA acknowledged that during the COVID-19 pandemic, temperature checks are reasonable measures that both public and private entities could put in place to prevent the spread of the virus.

However, temperature checks have the potential to impact privacy and data protection and, therefore, the data controller should pay special attention to the Argentine Data Protection Law.

In this regard, the guide recognizes that when any public or private entity performs temperature checks — be it using a digital thermometer, thermal cameras or similar means — they are processing personal data protected by the law.

In that connection and showing a different criterion from that of some European data protection authorities, the guide provides that the Data Protection Law applies irrespective of whether the recorded temperature is registered in a database or not.

As to specific recommendations, the guide provides that retail stores and employers, in general, are both authorized by law to perform temperature checks and that they are entitled to deny access to their premises if the temperature is beyond the limits authorized by the corresponding health authorities.

The same applies to visitors of public agencies if the public agency has in place a specific protocol following the corresponding local sanitary and health regulations.

Regarding the use of thermal cameras or similar equipment allowing automated processing of personal data, the guide provides that human review should be guaranteed (even more so in cases in which the processing could entail significant consequences for the data subject). In that connection, even though it is not yet a formal requirement under Argentine law, the guide suggests conducting a privacy impact assessment before putting in place a system enabling automated processing, which could follow the principles established in the joint Privacy Impact Assessment Guide issued by the Argentine and Uruguayan Data Protection Authorities.

According to the guidelines, the data controller should take into consideration all applicable general principles concerning lawful data processing, including quality of the data, minimization, information to the data subject, deletion and purpose: no personal data should be processed for purposes different from or incompatible with those for which it was collected.

The guide lists the essential information that should be provided to the data subject. This information depends on whether the data subject’s personal data is registered in a database or not and includes clear information regarding an individual’s rights. Data subjects can file claims with the Agencia de Acceso a la Información Pública, the controlling authority of the Argentine Data Protection Law.
