Health Telematics (AIM) Final Report
Updated: Feb 1, 97 

LISAIM

Legal Issues Study in Advanced Informatics in Medicine

Contract Code:  78695
Project value:  5 KECU
EC contribution:  5 KECU
No of partners:  1
No of countries:  1
Duration:  2 months
Contact:
Caroline Laske
Legal Consultant
Wezembeekstraat 4A
B-3080 Tervuren, Belgium
Tel.: +32-2-767.00.81
Fax: +32-2-767.00.81

Overview

This study identified the legal issues, problems and obstacles which have arisen as a result of the R&D projects financed by the AIM Program 1991-94. For this purpose the projects, in particular those which included a legal work package, were studied as to their legal content. This allowed for a mapping out of the legal aspects relevant in the field of medical informatics and for an assessment of further legal questions, some of which had perhaps not yet been perceived as such.

Purpose and objectives

The legal issues that arise in medical informatics are extremely diverse and cover a wide range of legal principles. A particular legal principle may be relevant in relation to different technical aspects, and the implementation of a particular technique/application may raise several legal considerations which are rooted in very diverse legal principles. When considering these issues we are not just dealing with existing legislation, case law, rules and practices, but also with legal vacuums which bring legal uncertainties and which must obviously be filled so as not to inhibit the full development and implementation of medical informatics and telematics.

The study identified five main issues:

  1. Data Protection
  2. Information System Security
  3. Legal Recognition of Digital Data / Documents
  4. Liability
  5. Intellectual Property Rights

The LISAIM report outlines these five key aspects, describing the nature of the issues and the relevant law and case law, or legal vacuum, as the case may be. It offers an overview of the legal issues debate in medical informatics and is somewhat exploratory in nature, since it is not intended to offer a critical analysis of existing pieces of legislation or case law. This would call for more fundamental legal research. Instead the study restricts itself to a general description of existing legal principles and their relevance in the health care sector.

Results

Legally speaking, information technology is still a relatively new entity in the health care sector, which means that more legal research is needed on all of these issues. Legal solutions may be devised on different levels, such as legislation/directives, recommendations, guidelines, codes of practice etc. Furthermore, such legal research and any resulting recommendations may have a real impact on the future course of the law in this field.

Although data protection is probably the field with the highest legislative activity, since a considerable amount of work has been undertaken by national governments and international organisations, the recent adoption of the EU Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of such Data will considerably shape the future of data protection in the EU and beyond. In the meantime, the lack of basic data protection laws in some EU Member States on the one hand, and the lack of harmonisation between the existing laws on the other hand, is still problematic at the transnational level, in particular in relation to transborder flows of personal data, especially of particularly sensitive categories such as personal health data. Apart from the general data protection legislation, the imminent adoption of a new COE Recommendation on the Protection of Medical Data means that the regulation of medical data protection has its basis in an internationally recognised set of guidelines. In general it can be said that there is still a need for more dynamic sector-specific tools that take into account the characteristics of the health care situation and are harmonised throughout the EU so as not to obstruct transborder flows of personal health data. This will allow, on the one hand, for more specific regulation of the handling of highly sensitive data such as health-related data, and will, on the other hand, have the effect of raising awareness among users about data protection in their particular field of work. International bodies such as the Commission of the EU should take the lead in promoting sector-specific data protection tools that complement basic data protection laws. This can be achieved in a forward-looking way by making data protection a fundamental consideration in its R&D policies, making it mandatory for all R&D activity to consider data protection issues. Furthermore, specific data protection and legal expertise should be fostered, so as to have continuous availability of expert advice that can keep abreast of technical developments.

Security is, as an underlying legal requirement, relevant throughout the spectrum of the legal issues discussion. Security is an essential ingredient in the concept of data protection, since without the implementation of security the whole notion of protecting personal data and the privacy of the data subject is nonsensical. It is further relevant in questions of patient safety and thus liability, since security flaws may compromise not only patient privacy but also patient health and safety. Furthermore, security is an essential element in enhancing the reliability of the medical informatics environment and thus the legal recognition of the digital data and documents it generates. Maximum security and transparency minimise the unreliability of digital data and documents and thus the reluctance of the judiciary to recognise these for legal purposes. The issue of security is as such not subject to specific legislation, though there are a number of guidelines, codes of practice or similar security initiatives on various levels, and security-related provisions can be found in different types of legislation, such as data protection law, computer-related criminal law, intellectual property law etc.

These pieces of legislation deal primarily with matters such as privacy, hacking, misappropriation and copying, rather than with security as such. Security is less a matter for the legislature. The law may prescribe some basic security principles, but the actual application must be done at the sectorial, local, institutional and individual level, and there must be a commitment to security from the user and manufacturer. Therefore, codes of practice and security guidelines together with appropriate training and awareness raising are probably the most efficient means of implementing security. As with data protection, international institutions such as the Commission of the EU should be at the forefront by promoting security as a fundamental requirement in its R&D policies. It is well known that security considered at an early stage is far less laborious and costly than added-on security.

In the third instance this study dealt with the question of the legal vacuum that presently exists in relation to whether digital data and documents are acceptable for legal purposes, which is one of the major legal obstacles to the full implementation of medical informatics and telematics. The very nature of a paperless digital environment puts into question some fundamental legal principles that have existed for centuries, such as the evidential weight of hand-signed paper documents. The question of legal recognition has not been addressed in either national or EU law, with the result that digital data and documents are neither outlawed nor legally approved and their legal status is thus uncertain. Considerably more legal research is needed that should result in solutions applicable at the international level and should remove ambiguities as to the legal validity, acceptability and evidential cogency of digital data and documents. In view of the particular international dimension of this issue, the Commission of the EU has an important role to play in future developments. Some work in this direction has already been carried out by the TEDIS and INFOSEC programs, but compared to other sectors it has been considered very little in relation to health care.

In an information technology environment, issues of liability can no longer be considered simply in relation to conventional liability principles. Instead the specific characteristics of both information technology and the health care sector may give rise to other liabilities or a shift in existing concepts. The introduction of information technology adds a new element to the liability scenario, namely that of a relatively independent machine which can at times undertake fairly autonomous actions. Legal research needs to work towards adapting conventional liability concepts to cover these new types of situations. So far actions have been taken mainly in relation to product liability (see EU Product Liability Directive 85/374/EEC), but there is still much uncertainty about liability in complex situations such as long-distance diagnosis or the use of expert systems or robotic instruments.

The intellectual property debate is relevant in medical informatics as it is throughout the information technology sector in general. The main body of law applicable in this area is that of copyright. Under the EU Directive 91/250 on the Legal Protection of Computer Programs, software is protected as literary works in line with the Berne Convention. Furthermore, the new EU Directive on the Legal Protection of Databases extends the Berne Convention copyright protection to databases, including those with contents that are not protected through copyright or other intellectual property rights.

On a more global note it must be emphasised that European-wide harmonisation should be an underlying aim if medical informatics and telematics are to be developed at the European level.

Across-the-board harmonisation may not be necessary, but it is essential to harmonise those elements, the diversity of which obstructs the transnationalism of pan-European health services. Technical standardisation efforts aim at technical harmonisation, but the legal aspect of the matter has as yet not been sufficiently addressed. Legal requirements are basic requirements that should be taken into account in standardisation, and there should be some co-operation between legal experts and those involved in standardisation.

Copyright 1997 © EHTO All rights reserved