Legal Notice 107 of 2020 (the 'Legal Notice') has recently introduced important changes and clarifications to the Maltese 'Processing of Data Concerning Health for Insurance Purposes Regulations' (S.L. 586.10), which, in parallel with the EU General Data Protection Regulation (GDPR) and the Maltese Data Protection Act (Chapter 586 of the Laws of Malta), regulate the processing of health data in the insurance sector.
S.L. 586.10 primarily sought to set out a lawful basis for entities involved in the "business of insurance" to process data concerning health. Particularly, Regulation 4 thereof had previously set out a number of requirements for the processing of health data by insurance entities to be considered 'lawful'.
The Legal Notice does away with the previous regime. Rather than setting out strict requisites in an abstract sense (which were subject to certain legal ambiguity), it simply provides guidance and interpretation for insurance entities on the processing of health data under Article 9, GDPR, and does so under one specific legal ground for processing: that of 'Substantial Public Interest' (Article 9(g), GDPR).
The amended Regulation 4(1) now states "the processing of data concerning health shall be deemed to be in the substantial public interest when such processing is necessary for the purpose of the business of insurance or insurance distribution activities."
Such processing must nevertheless (and as previously required) be subject to suitable and specific measures to safeguard the fundamental rights and freedoms of data subjects.
Finally, the Legal Notice also extends the application of the Regulations to 'insurance distribution activities' (as defined in the Insurance Business Act). This means that S.L. 586.10 now also captures processing of data in the stages leading up to the conclusion of contracts of insurance, such as during negotiation.