pia-health-data
# Privacy Impact Assessment for Health Data

## Overview

Large-scale processing of health data triggers a mandatory DPIA under GDPR Article 35(3)(b) (processing on a large scale of special categories of data referred to in Article 9(1)). In WP248rev.01 the EDPB identifies health data processing as meeting several DPIA-triggering criteria at once: special category data (C5), vulnerable data subjects (C7), and often innovative use or the application of new technological or organisational solutions (C8). This skill provides a structured PIA methodology specific to health data processing across clinical, research, wearable, and digital health contexts.
## Regulatory Framework

### GDPR Article 9 — Special Category Data

Health data falls within the special categories of personal data under Article 9(1). Processing is prohibited unless one of the Article 9(2) exceptions applies:
| Exception | Application to Health Data |
|---|---|
| Art. 9(2)(a) Explicit consent | Patient consent for clinical care beyond treatment necessity; health app consent |
| Art. 9(2)(b) Employment obligations | Occupational health assessments, fitness-to-work evaluations |
| Art. 9(2)(c) Vital interests | Emergency medical treatment when data subject cannot consent |
| Art. 9(2)(h) Health care provision | Medical diagnosis, treatment, health system management by health professionals under secrecy obligations |
| Art. 9(2)(i) Public health | Epidemiological surveillance, disease registries, pharmacovigilance |
## Related skills