Deadman’s Data: Personal data relating to the deceased under GDPR

In effect since May 25th, 2018, the General Data Protection Regulation (GDPR) is a landmark piece of legislation in data protection. GDPR has revolutionized how personal data is managed across the European Union (EU). The central purpose of the legislation is to protect data belonging to citizens and residents of EU member states. This means that the law applies to organizations that handle and process such data whether or not they are EU-based organizations. This is known as the GDPR’s “extra-territorial effect.”

US companies that have European or global interests are by now well aware of their basic GDPR compliance requirements, not least because of more recent domestic privacy laws which appear to have been inspired by GDPR. Indeed, the California Consumer Privacy Act (CCPA) has been nicknamed the “GDPR lite” by many within the data security industry.  

An interesting exception, or ‘loophole’, which appears to exist within both CCPA and GDPR is that data relating to dead persons is not in fact considered to be “personal data” for legal purposes. This seems to present a unique opportunity that organizations dealing with large quantities of personal data may wish to exploit. Nonetheless, systematically retaining data of this nature without a clear purpose could raise significant risks, particularly in sensitive environments such as elderly care facilities. For the U.S. audience, drawing a comparison with HIPAA (Health Insurance Portability and Accountability Act) can shed light on these implications.

The relevant clause: Recital 27

Recital 27 of the GDPR states: “(27) This Regulation [GDPR] does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons.”

‘Personal data’, therefore, should be understood to mean any information relating to an identified or identifiable living individual. Clearly, deceased persons are not covered under this definition, and as such their data does not fall under GDPR’s protective umbrella. The distinction effectively means that companies or organizations are not bound by the GDPR when processing or retaining data of individuals who have died.

At first glance, this could be seen as an opportunity to maintain extensive databases without the stringent compliance requirements of GDPR. While it does offer a certain flexibility, this loophole is fraught with potential pitfalls, most notably in those sectors where large quantities of sensitive information are handled.

Potential risks of retaining the data of the deceased

First of all, bear in mind the wording of Recital 27 referred to previously: “…Member States may provide for rules regarding the processing of personal data of deceased persons.”

Bluntly, we must recall that GDPR is not the only applicable legislation when it comes to data privacy in Europe. The regulation leaves the question of data relating to the deceased up to the 27 individual member states of the EU, meaning that the law on this precise issue can vary greatly across Europe. This article will not examine those individual state laws, but clearly this should be cause for great caution.

Even if we accept the general proposition that the data of deceased individuals is largely unprotected throughout the EU, it is still unwise to hoard large quantities of said data, for a number of reasons.

The example of elder care

The appeal, and risks, of regularly retaining deceased persons’ data can perhaps be best illustrated in the healthcare sector, more particularly in elderly care. As a matter of necessity, institutions such as nursing or retirement homes collect extensive personal information about their residents. The death of each resident may seem like an opportunity to process such data without risk; however, this approach ignores the bigger picture. If a nursing home were to systematically retain the data of all of the residents who die while in its care, it could also inadvertently hold data that relates to living persons. Primarily, this would normally relate to the next of kin of the deceased and could include:

  1. Emergency contact details: Quite obvious on reflection, but the file of almost every care home resident will usually contain contact details, including names, phone numbers, addresses and relationship to the resident. 
  2. Financial details: Many care home residents are not in a condition to manage their personal financial affairs. The payment information or insurance details on file can often relate to a living next of kin or family member and may still be valid.
  3. Medical histories: The medical history of each patient may include information relating to hereditary illnesses; it is quite possible that such illnesses directly concern living relatives of the deceased. This would in fact mean that such personal data is classified as ‘sensitive’ under Article 9 of GDPR. 

The routine retention of the data of deceased persons can create risks of data breaches, unauthorized access, and the potential for misuse. Even in circumstances where GDPR does not in fact apply to any of the retained data, there remains a danger that other legislation applies. More generally, organizations should remain wary that the data might not be handled with the necessary care, leading to security vulnerabilities and reputational damage.

Comparing GDPR to HIPAA

For an American audience, the Health Insurance Portability and Accountability Act (HIPAA) may serve as a helpful comparison. Unlike Europe’s GDPR, HIPAA does, in specific contexts, offer data privacy protections that extend beyond death. Under HIPAA, the health information of a deceased person is protected for fifty years post-death. This regulation is intended to underscore the importance of maintaining security and confidentiality for a significant period, recognizing the potential implications for living relatives.

By contrast, GDPR’s lack of protection for the data of deceased persons could be perceived as a significant gap. Although GDPR is quite stringent in its protection of living individuals’ data, this apparent omission leaves a gray area that may be exploited. Ultimately, a balanced approach to data retention and security is best.

Data processing best practices 

Every organization should adopt best practices to mitigate the risks that are associated with retaining the data of the deceased. Basic recommendations include:

  1. Adequate security measures: Strong security protocols must be implemented to protect all data and prevent unauthorized access and breaches.
  2. Transparency: Where applicable, routinely inform next of kin about your data retention policies; this ensures clarity and builds trust.
  3. Purpose limitation: Do you actually need the data? What are your plans for it? Does retaining it serve any purpose? Periodically review the necessity of retaining data. If there is no obvious benefit to storing it, data should be anonymized or securely deleted.
  4. Minimization of data: In order to retain data, it must first be collected. Gathering unnecessary information about relatives or contacts, particularly sensitive data that is not essential for the organization’s operations, should be avoided.

At first sight, the GDPR’s exclusion of deceased persons’ data from its purview may seem like a loophole that can be leveraged by data processors, and it is true that it does offer some such opportunities. This loophole is, however, accompanied by significant risks. The retention of large quantities of such data without a clear purpose can expose organizations to security vulnerabilities and to potential prejudice to living persons related to the deceased. For American businesses and audiences more familiar with HIPAA’s protections, understanding this gap in GDPR underlines the importance of vigilant data management practices. Cybersecurity professionals must ensure the ethical and secure handling of all data, even in areas where regulatory oversight is somewhat limited.

By adopting best practices and maintaining a proactive approach to data security, organizations may navigate this loophole responsibly, ensuring the trust and privacy of all individuals, living or deceased.

Photo credits: onephoto, AdobeStock.com


Posted by

Eoin Campbell

Eoin P. Campbell is an honours law graduate (LL.B) from Queen's University Belfast and is a qualified lawyer. Eoin has moved from practicing law to lecturing. Eoin is currently lecturing in law at two universities in Lyon, France, including a master's degree course in cyberlaw. Eoin provides commentary with a legal perspective on cybersecurity and data privacy. He is an expert on data privacy laws.