
Confidentiality of personal data related to health in the framework of an employment relationship in the context of Covid-19


Maritza Reátegui Valdiviezo

Rodrigo, Elías & Medrano, Lima



Daniela Supo Calderón

Rodrigo, Elías & Medrano, Lima



All users of health services have the right to claim confidentiality of the information related to medical procedures and their health record. This is a commonly recognised concept which has had no major implications or debate before the Covid-19 pandemic. 

In Peru, confidentiality and protection of information related to people’s health is guaranteed by the fundamental rights to personal privacy and secrecy of private documents provided for in the 1993 Political Constitution of Peru.[1]

Likewise, at a legal level, the General Health Law – Law No. 26842 (Health Act), Article 25[2] – defines the information related to medical procedures as confidential information. This article establishes that health professionals (including technicians and assistants) who provide or disclose information regarding the medical procedures in which they were involved or are privy to, are criminally or civilly liable. 

The Personal Data Protection Law – Law No. 29733 (Personal Data Law) defines sensitive data as the ‘personal data[3] consisting of biometric data that can identify the owner, data concerning the racial and ethnic origin; economic income, political, religious, philosophical or moral opinions or convictions, union membership and information related to health or sexual life’. The fundamental rule in personal data protection matters is that the processing[4] of personal data must be done with the consent of the owner or have a legal basis that legitimises it. Furthermore, the Personal Data Law regulates the correct processing of sensitive data, specifies which information is related to people’s health (including diagnosis, treatment and medical conditions) and establishes that the data cannot be disclosed without the prior consent of the owner.

The generally accepted concept regarding confidentiality of health-related information is supported by these three regulations. However, the spread of Covid-19 in the world has shown that this concept is not absolute. Although there is almost no academic development in this regard, the laws on health and personal data establish exceptions to confidentiality and protection of health-related information.   

Indeed, although the Health Act recognises the fundamental right of every person to privacy and provides for maintaining the confidentiality of health-related information, it also establishes several exceptions to the confidentiality of such information, as detailed below.

‘Article 25. - All information regarding medical procedures being performed is designated confidential […] The following cases are exempted from the confidentiality of information related to medical procedures:

a) when the patient has given his written consent;

b) when required by the competent judicial authority;

c) when the information is used for academic or scientific research purposes, provided that the information obtained from the clinical history is recorded in an anonymous manner;

d) when the information is provided to the family members or relatives of the patient with the purpose of benefiting him, provided that the patient has not expressly prohibited it;

e) when the information relates to diseases and damages of mandatory notification and declaration, provided that the information is submitted to the Health Authority; 

f) when the information is provided to the insurance company or financing administration entity in relation to the medical care provided to the patient, and for purposes of reimbursement, payment of benefits, control or audit; and, 

g) when continuity of the patient's medical care requires it.

h) when it is strictly necessary to exercise the functions of supervision and protection of health rights of the National Health Superintendency.’

In the same way, the Personal Data Law also provides for limitations to the requirement for consent for the processing of personal data. In this regard, we cite the most relevant exceptions:

‘Article 14. Limitations to consent for the processing of personal data

Consent from the personal data owner will not be required for processing purposes in the following cases: […]

5. when the personal data is required for the preparation, execution and performance of a contractual relationship to which the personal data owner is a party, or in the case of personal data arising from a scientific or professional relationship of the owner and that are required for its development or fulfilment.

6. In case of personal data related to health and, if they are necessary, under risk circumstances, for the prevention, diagnosis and medical or surgical treatment of the data owner, provided that such treatment is carried out by health establishments or health science professionals, observing professional secrecy; or in case of reasons of public interest provided by Law; or if they must be processed for reasons of public health, both reasons being qualified as such by the Ministry of Health; or to conduct epidemiological or similar studies, provided that adequate dissociation procedures are applied. […]

8. In case of application of an anonymization or dissociation procedure.

9. when the processing of personal data is required to safeguard the legitimate interest of the personal data owner by the personal data owner or the person in charge of personal data processing. […]

13. Others arising from the exercise of competencies expressly established by Law.’

Several countries have started to use surveillance systems to track people and their physical contacts, which means that millions of personal data are being used to fight the Covid-19 contagion curve. This has inevitably required the adoption of measures that involve the lifting of certain restrictions on the processing of personal data. Thus, the current situation has raised doubts about how to comply with the obligations regarding health-related personal data protection, creating a ‘dilemma’ between public health and privacy.

In Peru, the highest authority on personal data has prepared a duly supported document in relation to the processing of personal data related to health (sensitive data) within the framework of an employment relationship. Through Advisory Opinion No. 32-2020-JUS/DGTAIPD (Advisory Opinion), dated 5 May 2020, the General Directorate of Transparency, Access to Public Information and Personal Data Protection of the Ministry of Justice and Human Rights, in its capacity as national data protection authority, has stated that the right to the protection of personal data is not absolute and the exercise of this right must be aligned with the exercise of other rights. Although the principle of consent is a guiding principle of the personal data law, the exceptions established in Article 14 of the law must be taken into consideration in the context of an employment relationship. 

According to the Advisory Opinion, in the context of an employment relationship and in the framework of the health emergency, the processing by the employers of sensitive data related to possible Covid-19 diagnosis of workers is legally justified by the employer’s obligation to prevent occupational risks to which workers may be exposed.

It is appropriate to refer to the following excerpt from the Advisory Opinion:

‘Data protection legislation expressly refers to public interest and health as factors that enable the processing of personal data relating to people’s health; which covers the processing of these data when there is a correspondence with the diagnosis or symptoms of Covid-19 and so that appropriate measures are taken to prevent the spread of the virus within and outside the workplace.’[5]

On the basis of the above consideration, the national data protection authority concludes that, in the framework of an employment relationship, the exceptions provided for in Article 14, subparagraphs 5, 6 and 9 of the Personal Data Law take place, since the following elements are present:

  • there is a contractual employment relationship between employer and worker;
  • the employer has the obligation to ensure the safety and health of all workers and take measures to prevent occupational risks; and
  • we are in a state of national emergency and in a health emergency declared as a consequence of a pandemic.

In this context, employers are authorised to carry out the processing of sensitive data of their workers without their prior written consent. However, as stated by the national data protection authority, the data processing must be carried out with due respect paid to the Personal Data Law and its Regulation, and must be intended to ensure health and safety at the workplace in order to prevent the spread of Covid-19 contagion. It states: ‘the processing of personal data of the workers carried out by the employer in order to prevent the spread of Covid-19 must comply with the provisions of the Personal Data Protection Law and its regulation, in particular the principles of purpose, quality, proportionality and security’.

Although the Advisory Opinion refers only to the processing of personal data in the context of an employment relationship, we consider that the statements made by the national data protection authority provide a clear example of the fact that, even in times when public health undoubtedly requires it, a balance between individual privacy and the collective interest in health should be maintained.

Thus, although the processing of sensitive data is possible without the consent of the data owner, this data processing must be limited to the parameters provided for in the Personal Data Law and must be oriented towards a specific purpose.

[1] These rights are recognised in the subparagraphs of article 2 of the Political Constitution of 1993:

‘Article 2.- Every person has the right:


6. to the assurance that information services, whether computerized or not, whether public or private, will not provide information affecting personal and family privacy.

7. To his honor and good reputation, to personal and family privacy, as well as to his own voice and image.


10. To the secrecy and inviolability of private communications and documents.’

[2] Article 25: ‘All information regarding medical procedures being performed is designated confidential. Health professionals, technicians and assistants who provide or disclose, by any means, information regarding the medical procedure in which they are involved or to which they are privy, are criminally or civilly liable, as applicable, notwithstanding any penalties that may be applicable under the Professional Code of Ethics.’

[3] Article 2, subparagraph 4, of the Personal Data Protection Law defines personal data as the ‘information concerning natural persons that identifies them or makes them identifiable through means that may be reasonably used.’

[4] Article 3 of the Personal Data Protection Law defines processing as ‘any operation or technical procedure, whether automated or not, that allows compilation, registration, organization, storage, conservation, preparation, modification, extraction, consultation, utilization, blockage, suppression, communication by transfer or distribution or any other form of processing that facilitates the access, correlation or interconnection of personal data.’

[5] Paragraph 32 of the Advisory Opinion.