The Health DPO's consultation to the APDCAT on the use of electronic signature

The Health DPO  has obtained a pronouncement from the Catalan Data Protection Authority (APDCAT) regarding the legal viability of implementing electronic signatures. This pronouncement relates to the use of electronic signatures in various cases within the scope of public health administration. The use of electronic signatures has always sparked legal debate regarding the necessary requirements for its admissibility, and until now, there hasn’t been a pronouncement from this supervisory authority.

In this regard, the pronouncement from APDCAT is relevant as it provides answers to various situations that previously hindered certain projects due to the legal uncertainty surrounding the use of electronic signatures. Based on the scenarios presented by the Office of the Health DPO, APDCAT legally argues the following acceptable terms of use for electronic signatures by individuals not obliged to have an electronic certificate.

It also highlights the distinction between identification and authentication, which it considers crucial for the scenarios presented by the Office of the DPD de Salut.

Signing of informed consent documents through La Meva Salut (LMS)

If in LMS, we find ourselves in a high identification and authentication environment, the electronic signature must guarantee the integrity and preservation of what is being signed. This implies that, at the time of signing the CI, a legally and technically strong signature system will be necessary.

It is possible to sign an informed consent document using a one-time code (OTP), provided it meets the necessary security requirements, such as the code’s validity period or the establishment of additional security requirements in line with Regulation (EU) 910/2014, of July 23, 2014. The opinion determines that it is within the authority of the Administration to assess its implementation, conduct the corresponding risk analysis, and implement additional mechanisms to ensure the integrity of the signed document.

It adds that the articulation of the CI signature process must be done in a way that allows verifying that the citizen has all the information regarding the signature process and has effectively accessed it.

Signing of informed consent documents using in-person electronic signature

This scenario refers to the use of tablets for signing when a person carries out procedures in person, either as users of the public health system or as donors.

APDCAT analyzes the nature of this type of signature, which involves processing biometric data and is considered a specially protected data under data protection regulations. This implies a limitation on its use.

On the other hand, it should be considered that in these cases, the identification and authentication of the user have been done in person by the attending personnel. The biometric signature is solely for the purpose of incorporating the electronic signature into the CI, so the signature itself does not authenticate.

Based on these premises, APDCAT considers that, in this scenario, there are two data processing activities with differentiated legal bases:

First processing: derived from the collection and deposit of the signature only for this purpose because the identification and authentication of the person have been done in person, and only for the purpose of securely preserving it for the future in case of potential discrepancies. That is, there is no previously registered biometric template of the signature. The legal basis would be the consent of the data subject, who must have the alternative to sign manually (Art. 9.2.a. GDPR).

Second processing: in case of future discrepancies where a contradictory technological expert report would be carried out, and the person would have to sign again and make a comparison. The legal basis would be the formulation, exercise, or defense of claims (Art. 9.2.f. GDPR).

APDCAT concludes that it considers the use of this type of signature viable as long as it is accompanied by a series of additional requirements such as offering an alternative signature system, applying the necessary security measures, complying with the duty of information regarding data processing, and conducting a DPIA.

These arguments and conclusions apply whether the signatories are patients or donors.


Remote electronic signature for the signing of employment contracts

This scenario refers to signing with a finger on the screen of a device. APDCAT considers that if the signature consists only of pressure on the device’s screen, it would not be considered biometric data. Therefore, it would not fall under the regime of special categories of data.

In this case, APDCAT considers it a legally valid signature system (Article 25 of eIDAS recognizes legal effects depending on the specific case), without prejudice to the fact that its probative value would be lower than other signature systems that involve security measures corresponding to a higher level.

In these circumstances, and considering that it is not considered specially protected data, it would not be necessary to carry out a DPIA. However, compliance with transparency requirements and the adoption of appropriate security measures would be necessary.

We attach the opinion for your knowledge and recommend a full reading to take into account all the nuances it indicates for the correct implementation of the different electronic signature systems it analyzes.

  • Dictamen en relació amb la consulta formulada per l’Oficina del Delegat de Protecció de Dades de Salut a l’Autoritat Catalana de Protecció de Dades sobre la signatura de documents en format electrònic

  • The pronouncement from APDCAT is significant as it provides answers to various situations that previously halted certain projects due to the legal uncertainty surrounding the use of electronic signatures