5 key aspects for the electronic signature of documents with sensitive data

Improper handling of an individual's sensitive data can pose significant risks to his or her rights and freedoms. For this reason, such data are subject to specific processing conditions. If you work in the insurance, financial, healthcare or public sector, you most likely process sensitive data on a daily basis and may have questions about how this data is protected when the documents containing it are signed electronically.

In this post we highlight the key aspects to consider when choosing an e-signature solution for documents containing sensitive data.

Specially protected data in the GDPR

The electronic signature of medical reports and electronic patient records, or the digital onboarding of employees, are examples of how companies and institutions are digitising their paper-based processes. These processes deserve special attention because the documents contain sensitive (specially protected) data, a category of personal data that requires greater protection than the rest.

According to Article 9 of the General Data Protection Regulation (GDPR), the following special categories of personal data are considered particularly sensitive:

- Personal data revealing racial or ethnic origin.
- Political opinions.
- Religious or philosophical beliefs.
- Trade union membership.
- Genetic data.
- Biometric data processed for the purpose of uniquely identifying a natural person.
- Data concerning health.
- Data concerning a person's sex life or sexual orientation.

This type of data appears in a large number of everyday activities across all sectors. Some examples of documents or processes that include sensitive data:

- A person's medical report, since health-related data are sensitive data.
- Medical examinations of employees, which are likewise specially protected data.
- Employee onboarding forms that collect data on union membership, religion, racial or ethnic origin, or health and medical information. Marital status, also commonly collected at onboarding, is not itself a GDPR special category, but it is still personal data and must be handled as such.

Sensitive data need special protection, so specific rules apply to avoid the risks arising from their processing. A company or institution that must process data specially protected under data protection law has to go beyond the GDPR duty to inform data subjects about the processing and consider certain further aspects aimed at reinforcing the protection of that data.

Key issues for the electronic signature of documents with sensitive data

As a general rule, the processing of sensitive data is prohibited, subject to the exceptions listed in Article 9(2) GDPR. When one of these exceptions applies, the controller may process the data, provided that appropriate personal data security measures are in place.

As controllers, companies and institutions should ensure that there are no gaps in their systems. Because of the central role it plays, they should pay particular attention to the electronic signature solution they integrate.

1.- Confidentiality: The information must be accessible only to authorised persons or systems. It must therefore be protected by user identification and authentication procedures, physical and logical access controls, and strong, unique passwords, backed by multi-factor authentication wherever the solution supports it.

When signing documents that contain one or more of the above categories of sensitive data, one of the keys to guaranteeing confidentiality is to avoid exposing them to unauthorised third parties: the document should be encrypted in transit and at rest, and the signing service should not retain or expose its content beyond what the signature workflow requires.

In this sense, Uanataca's electronic signature services guarantee the confidentiality of the documents sent for signature and do not allow them to be reconstructed outside the company's infrastructure.

2.- Integrity: This is the guarantee that the information, in this case the sensitive data, has not been manipulated, modified or altered. To achieve this, the electronic signature must be cryptographically linked to the signed data, so that any change made to the document after signing can be detected: the signature is computed over a hash of the document, and verification recomputes that hash and checks it against the signature.

Under Regulation (EU) No 910/2014 (eIDAS), Article 26, an advanced electronic signature must be uniquely linked to the signatory, capable of identifying the signatory, created using signature creation data under the signatory's sole control, and linked to the signed data in such a way that any subsequent change is detectable. A qualified electronic signature is an advanced signature created with a qualified signature creation device and backed by a qualified certificate. Only these two levels guarantee the integrity of the signed documents; a simple electronic signature (for example, a scanned signature image or a name typed into a form) offers no such guarantee.

> Related post 👉🏻 Simple, advanced and qualified electronic signature: know their differences.

3.- Non-repudiation: As already mentioned, sensitive data cannot be processed except under the exceptions set out in the GDPR. A number of circumstances justify processing, such as reasons of public interest in the area of public health, protection of vital interests, or the fulfilment of obligations and exercise of rights in the field of employment and social security law, among others.

Where none of those circumstances applies, processing requires the explicit consent of the data subject (Article 9(2)(a) GDPR). Given its importance, it is advisable to have the explicit consent signed with a qualified electronic signature. Under eIDAS this type of signature has the legal effect of a handwritten signature, and it is the only one that guarantees non-repudiation and reverses the burden of proof: the signature is presumed valid, and the party disputing it must prove otherwise. The cryptographic basis is the same as for integrity: the signature can only have been produced with the signatory's private key, so a valid signature under the signatory's certificate cannot plausibly be disowned.
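The following example is added here to make the integrity and non-repudiation properties from points 2 and 3 concrete; it is not code from the original post or from Uanataca's services. It uses Go's standard-library Ed25519 in place of the RSA/ECDSA keys and X.509 certificates a real AdES signature would use, signs the SHA-256 digest of a constructed consent form (the document text, names and policy number are invented), and then shows that a one-character change to the document breaks verification and that a signature cannot be validated under a key that did not create it. `SignedDocument`, `Sign`, `Verify` and `Demo` are names chosen for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedDocument is a simplified stand-in for a CAdES/PAdES container:
// the document bytes, a detached signature and the signer's public key
// (the role the signatory's certificate plays in a real signature).
type SignedDocument struct {
	Content   []byte
	Signature []byte
	Signer    ed25519.PublicKey
}

// Sign computes SHA-256 over the document and signs that digest, mirroring
// how AdES formats bind the signature to the data through a message-digest
// attribute. Only the holder of priv can produce a signature that verifies
// under the matching public key.
func Sign(priv ed25519.PrivateKey, content []byte) SignedDocument {
	digest := sha256.Sum256(content)
	return SignedDocument{
		Content:   append([]byte(nil), content...),
		Signature: ed25519.Sign(priv, digest[:]),
		Signer:    priv.Public().(ed25519.PublicKey),
	}
}

// Verify recomputes the digest from the document as it is now and checks
// the signature against it. Any change after signing, however small,
// yields a different digest and the check fails. ed25519.Verify returns
// false for a malformed signature rather than panicking.
func Verify(doc SignedDocument) bool {
	digest := sha256.Sum256(doc.Content)
	return ed25519.Verify(doc.Signer, digest[:], doc.Signature)
}

// Demo exercises the three properties and returns
// (original verifies, tampered copy verifies, wrong-key check verifies).
func Demo() (bool, bool, bool) {
	// Constructed sample document: a hypothetical explicit-consent form
	// that contains health data (a GDPR special category).
	consent := []byte("I, Jane Doe, give my explicit consent to the processing " +
		"of my medical history for the underwriting of policy 12345.")

	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	signed := Sign(priv, consent)
	originalOK := Verify(signed)

	// Integrity: alter a single character of the signed document.
	tampered := signed
	tampered.Content = bytes.Replace(signed.Content, []byte("12345"), []byte("12346"), 1)
	tamperedOK := Verify(tampered)

	// Non-repudiation: the signature is bound to the signer's key pair, so a
	// different public key (i.e. a different signatory) cannot validate it.
	otherPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	wrongKey := signed
	wrongKey.Signer = otherPub
	wrongKeyOK := Verify(wrongKey)

	return originalOK, tamperedOK, wrongKeyOK
}

func main() {
	o, t, w := Demo()
	fmt.Printf("original verifies:   %v\n", o)
	fmt.Printf("tampered verifies:   %v\n", t)
	fmt.Printf("wrong key verifies:  %v\n", w)
}
```

In a real AdES signature the public key is carried in a certificate chained to the trust service provider, the signed attributes also include the signing time and the certificate's digest, and a timestamp token fixes when the signature existed; those additions are what make the property hold up legally, but the core check is the one shown: recompute the digest, verify it against the signature under the signatory's key.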

4.- Cloud services: The advantages of cloud-based signatures are key to guaranteeing agile and remote processes. If you choose a cloud solution, there are two reasons why you should evaluate the service provider carefully:

- Secure and monitored server 🔒

Make sure that the cloud solution you use is suitable for this type of processing when the documents to be signed contain special categories of personal data.

If you use signature solutions based on qualified digital certificates (those that offer greater guarantees than the rest), the signing keys must be generated and stored in the accredited trust service provider's secure, supervised server, a hardware security module (HSM). This improves the security with which the organisation's certificates are kept: the private key never leaves the HSM, and each signing operation is performed inside it after the signatory has been authenticated.

- European regulatory framework ⚖️

Using eIDAS trust services guarantees compliance with the applicable regulations (RGPD, LOPD, LFE) and the main security and quality standards (ISO 27001, ENS, ISO 9001). Therefore, entrust the signing of documents containing sensitive data to a Qualified Trust Service Provider (QTSP) in accordance with eIDAS.

5.- Particular safeguards of a QTSP: When dealing with sensitive data, appropriate technical and organisational measures must be implemented to ensure a level of security appropriate to the risk (Article 32 GDPR). Some of these measures are:

- Pseudonymisation and encryption of personal data.
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
- A process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures.

In this sense, the set of conditions established for QTSPs (Qualified Trust Service Providers) guarantees that, through their infrastructure and staff, they deliver services characterised by their legality and security.

As a QTSP, Uanataca periodically undergoes a conformity assessment audit that underpins its standing as a safe and reliable provider. It must also employ personnel with the necessary expertise, reliability, experience and qualifications.

With regard to security, Uanataca uses systems that are reliable, tamper-resistant and secure, and takes measures against forgery and data theft.

Start the digital transformation of your business today

Do you need advice? 📨 Contact us and a trusted service specialist will guide you on the best e-signature solution for your business. 
