Actually, not in the UK. Receptionists triage patients; as an extreme Covid risk (transplantee) I get priority.


Well yes, being able to give priority to at-risk patients would fall under necessary use. I doubt the receptionist has your actual medical history, but they would certainly see an indicator of your risk category.


There is no such thing as “necessary use” and the GDPR does not specify that an organisation must restrict employee access to personal data to only those whose access is “strictly necessary” (the cookie law contains that phrase, but in a completely different context).

The only thing the GDPR says that would apply in this circumstance is this:

> processed in a manner that ensures appropriate security of the personal data

As I stated above, the EU provides exactly 0 guidance on what “appropriate security” is, and no form of standard at all that it expects you to comply with. To make matters more confusing, an organisation is allowed to take its own budget into account, against the cost of security controls, when deciding what is “appropriate”.

You could ask the question, was Twitter appropriately secure? You might come to the conclusion that they weren’t, because they were breached and any system that is breached must not be appropriately secure. That wouldn’t be an unreasonable conclusion, and as far as anybody knows that could very well be the standard that any data protection authority may decide to uphold at any time of their choosing. But then that would lead you to consider that there is no such thing as a system that cannot be breached, so in that case there would be no such thing as a GDPR compliant service.


GDPR Article 6 spends a lot of time defining ‘necessary’ use. It says that ‘processing data’ - which is defined very broadly and includes accessing it - is only legal if it is for a ‘necessary purpose’ - either necessary to accomplish contracted work for a customer, comply with the law, or some few other permitted categories.

Combined with, as you say, that GDPR also states as a matter of principle data must be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing” - I would take that as meaning you can’t just leave data openly accessible to people who don’t need to process it and rely on them not accessing data they don’t need, you are expected to protect the data against that risk. I.e. secure access to data so it can only be processed for necessary purposes.

It is possible for small organizations that ‘telling Janet she isn’t allowed to look in the customer accounts spreadsheet’ is an adequate control but as organizations get bigger obviously the expectation that technical controls should be in place expands.


Necessary in the context of article 6 refers exclusively to processing that can be performed without consent from the subject. For example:

> processing is necessary for compliance with a legal obligation to which the controller is subject