In this digital era, many companies are making the switch from wet to digital signatures because they offer many advantages and more convenience to the user. But at the same time, in organizations that process special categories of (personal) data, it raises questions about the safety of the personal data being processed while signing digitally. For example, when active in the insurance, banking, governmental or medical sector you'll probably deal with sensitive data on a daily basis. As you want to safeguard the signer's identity and the documents' content, signing such documents should be possible in a safe and secure way and in compliance with applicable legislation.
In this blogpost, we highlight the key takeaways you should consider when choosing a digital signature solution for signing documents with sensitive data.
Automatically generating insurance policies, digitally signing mortgage loans, digital patient onboarding at hospitals: all beautiful examples of how companies are digitizing their paper-based processes. But at the same time, all examples of processing special categories of personal data.
But what exactly do we define as “special categories of personal data”? Taking a closer look at the General Data Protection Regulation (GDPR), the following categories of personal data, amongst others, should be considered:
- Biometric data (applicable when using biometric signing methods)
- Data concerning health (medical sector, financial sector, HR)
- Genetic data (medical sector, life insurance)
- Trade union membership (human relations)
- Political opinions (politics, public sector)
- Data concerning a natural person’s sex life or sexual orientation (financial and medical sector)
These categories of personal data are considered to be “special” and require additional attention when it comes to processing such data. Not only because we say so, but because applicable legislation makes it obligatory. Besides GDPR – which is a European regulation – several countries have issued specific national legislation related to processing special categories of personal data. This is also the case for Belgium and France. As data controller, you are responsible for making sure you process this kind of data in compliance with the applicable (data protection) legislation.
5 take aways to consider:
Take away 1: Identify the signer
The first topic that should have your attention is who has access to the documents to be signed. To make sure such access is only granted to the person you are truly addressing, we recommend identifying the signer on the other side. In an online environment this can easily be done in multiple secure ways, for example by using a national identity card or identity scheme, or any other source which offers identification services (e.g. itsme®).
Please note that identifying the signer before access to the document is granted is not the same as using beID or itsme® for signing purposes.
As several types of special categories of personal data may – according to applicable legislation – be processed after explicit consent of the data subject, make sure to collect the necessary opt-ins where needed (article 9.2 (a) GDPR). Some digital signature solutions offer consent opt-in management tools. Such functionalities give you – as a data controller – the possibility to obtain the necessary consent of the signer when needed.
Take away 3: Data retention periods
Retention periods (meaning how long you store personal data) are also a hot topic when it comes to processing special categories of personal data. When signing documents electronically, it is therefore important to take into account how long the documents you sign are being stored and where they are archived afterwards.
Of course, choosing a cloud or on-premise solution will have a major impact on the actions you should take. Cloud solutions will store signed documents in the cloud, or will offer API integrations making it possible to connect the digital signature software with your document management system (DMS) or other relevant software packages. From a data protection point of view, we believe the second option (API integration) is the most interesting one, as it enables you to store signed documents within your own systems after the signing process is completed. However, do make sure the API integration is configured in such a way that signed documents are deleted automatically from your provider’s servers as soon as signing is done.
When opting for an on-premise installation (or dedicated hosting), you will have sole control of the applicable data retention periods, which could be an interesting approach for some specific business cases as well.
Take away 4: Encryption
Encryption is one of the security measures highlighted by the GDPR (article 32) as an adequate way to ensure the safety of personal data. It means the information you send is encoded in such a way that only authorized parties can access it, and those who are not authorized cannot. To ensure only authorized persons have access during the whole process, it is important to implement encryption both at rest and in transit.
By choosing a digital signature solution that offers encryption, you ensure the confidentiality of the document’s content.
Take away 5: Cloud services and hosting providers
If you choose a cloud solution for signing your documents digitally, please consider taking a closer look at the hosting provider offering the hosting services. We identify two main reasons:
1. Adequate security measures
When processing special categories of personal data, the technical and organizational measures you take should be aligned to such processing activities. This means processing sensitive data might require additional security measures (article 32 GDPR). For such measures, you rely of course on the software provider you are working with, but also on the hosting provider engaged. Make sure the cloud solution you use meets market standards (or exceeds them) when processing special categories of personal data in documents to be signed, and perform a DPIA (Data Protection Impact Assessment) when necessary.
2. National legislation
Several countries have issued specific legislation applicable to the processing of, for example, personal data related to health. One example is France, which has taken extensive regulatory steps related to the processing of health data by making it mandatory for hosting providers to be certified as a Health Data Hosting (HDS) provider.
Summarizing, you should take into account several topics when signing documents including special categories of personal data in a digital way. Interested in how Connective ensures adequate security measures? Read on!
| Measure | Description |
|---|---|
| **Identification of the signer** | |
| Identification Services | Identify the signer before giving access to documents by integrating our Identity Hub into your eSignatures environment |
| **Data Protection by Design** | |
| Opt-in button | Include opt-in buttons to obtain necessary consents |
| Consent management | Configure your own consent management policy |
| API integration | Configure our API as you prefer to ensure signed documents are securely stored in your internal systems |
| Auto deletion | Install auto-deletion to make sure documents aren’t stored after they were signed |
| Encryption | Documents (and the data included) are encrypted at rest and in transit |
| **Cloud services and hosting providers** | |
| Hosting | Hosted on Microsoft Azure, implementing numerous technical and organizational measures (ISO 27001 certified) to ensure adequate security. More information via Microsoft’s Trust Center |
| HDS certification | Microsoft Azure is HDS certified |
| On premise | Microsoft Azure is HDS certified |
Internal measures we took to ensure safe processing of personal data
- Connective only grants access to “authorized personnel” on a need-to-know basis when it comes to our clients’ production environments. Such authorized personnel shall only have limited access for specific purposes (e.g. support) and have received extensive training related to data protection and confidentiality;
- Connective, as a Trust Service Provider, is certified by LSTI under ETSI;
- Connective maintains a register explicitly related to processing of medical health data and criminal data, as required under Belgian legislation;
- Connective extensively implements technical and organizational measures as set out in our Technical and Organisational Measures Statement.
Taking into account the above, we can assure you that we understand that projects involving special categories of personal data require additional attention. Our entire team, including the DPO Office, is at your disposal in case you would like to discuss the implementation of our solutions for your specific project.