Updated: Sep 23, 98
Data Confidentiality and Security
An Overview Of Issues in Health Data Security and Confidentiality Under the New European Data Protection Legislation
(Dr Petra Wilson, Visiting Scientist, Health Telematics, European Commission)
If you handle the medical or health related data of an individual you have a number of key responsibilities. You may be personally liable as a health care service provider, vicariously liable for the actions of those employed by you to handle medical data, and you will have certain public responsibilities to ensure that data are handled according to current data protection legislation.
By a series of questions and answers this interview seeks to set out some of the key issues in the new European data protection legislation, which by October 1998 will have been translated into new or amended legislation in each of the fifteen European Union Member States. This article does not discuss the specific legislation of any one Member State, nor the wide range of legislation which may pertain to the gathering, handling and storing of medical data in a given Member State. Nor does the article discuss the legal consequences of failing to protect data properly, since their exact nature will vary in each Member State; it may be expected, however, that substantial fines will follow where an individual suffers loss as a result of a breach of data protection legislation.
Q. Have we not always had European Data Protection Legislation?
A. The Council of Europe has protected 'respect for his private and family life, his home and his correspondence' since 1950 in the Convention for the Protection of Human Rights and Fundamental Freedoms. The Convention is, of course, not part of European Community law and may only be used as the basis of action by an individual where the Member State has recognised the right of individual petition, and where all domestic legal remedies have been exhausted. However, the Convention and the Recommendations made by the Council of Europe are important to the 38 Member States of the Council of Europe and add much to the general issues covered by the Directive discussed below. In fact the interested reader who wants closer guidance on medical data handling should consult Recommendation No. R (97)5 on the Protection of Medical Data, which was signed on 13 February 1997.
Q. So what is the 'New' European Data Protection Legislation?
A. The new European Union legislation is the Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of such Data (Directive 95/46/EC). As a result of the Directive each Member State of the European Union has been obliged to pass legislation to regulate the way in which personal data are gathered, handled and stored. The Directive is a framework directive requiring Member States to legislate to protect all personal data, of whatever nature, in order to promote an ever closer union among the people of Europe. The Directive addresses all types of data, not just medical data. The objective of the Directive is to harmonise data protection legislation so that concerns about standards of data protection in another Member State will not limit economic and social movement between States.
In the answers given below reference is made to both articles and recitals of the Directive. For the uninitiated, a recital is a paragraph from the preamble of a directive which gives further guidance as to the meaning of an article.
Q. To what type of data processing does the Directive apply?
A. The Directive is addressed to both automatic and manual processing of all personal data of an identified or identifiable natural person. Where the data are processed manually the Directive shall apply only where the data are 'structured according to specific criteria relating to individuals' (recital 27). Therefore where notes about a given individual are recorded by another and maintained without being put into a filing system where they can be recalled through use of an indexing system of criteria, the Directive shall not apply. In short, a citizen's own address book shall not be regarded as a filing system, although the precise definition of a filing system is one which may be set by each Member State.
Apart from this limitation the Directive is very wide indeed, addressing all forms of collection, recording, storage, organisation, adaptation, retrieval, consultation, transmission, dissemination, blocking, erasure or destruction of data (article 2b).
Q. What data does the Directive not apply to?
A. Anonymised data. The key factor in deciding if data are subject to the laws developed in accordance with the Directive lies in deciding if the data identify or make identifiable an individual. Completely anonymised epidemiological data, from which an individual cannot be identified, will not be covered by such laws.
The difficulty lies of course in defining the term 'identifiable'. It is not clear from the Directive what extremes of 'identity cracking' a data controller should envisage, as the recitals state simply that account should be taken of 'means reasonably likely to be used' (recital 26).
Q. Who is responsible for the protection of processed data?
A. The Controller. The individual responsible for ensuring that identifiable data are collected and stored in accordance with the legal requirements shall be the natural or legal person or persons who determine the purposes and means of the processing of the data. This person is known as the controller and is responsible not only for his own behaviour but also for that of his staff.
In terms of medical data processing and transmission the situation may arise where a breach of confidentiality arises not because the controller or his agent has failed to collect or store the data properly, but because the media used for transmitting the data between two parties allows a breach to occur. The Directive suggests that normally the controller will be regarded as the person from whom the message originates, rather than the person offering the transmission services.
Q. Who can be a controller of medical data?
A. Only someone with the same duties of confidentiality as a medical professional. The Directive stipulates that medical data must be processed only by a health professional subject under national law, or nationally competent bodies, to an obligation of professional secrecy (article 8.3). Where the data are handled by someone who is not a health professional, such as a clerk or secretary, an equivalent obligation of secrecy must exist; one would therefore expect to find clauses for summary dismissal for inappropriate breach of confidentiality in the employment contracts of all such staff.
Q. Who is responsible for the Controllers?
A. The Supervisory Authority. The controller has a duty to inform the Supervisory Authority in his or her Member State of his or her name and address, the purposes of data processing, the types of data that will be processed, the types of security procedures to be invoked, and of any transfers to a country outside the EU (article 18). The authority has a duty to ensure that only good data controllers operate in a Member State.
Q. What are the main Legal Duties of the Controller?
A. The data controller has the duty to ensure that all data are processed fairly and lawfully. The Directive specifies that this means the purposes for collection must be specified, explicit and legitimate, and that processing must only be for the purposes declared to the data subject at the time of data collection; data may not be used for other purposes later (article 6.1(b)). In the medical setting it should be noted that further processing for scientific research purposes may be acceptable even if not originally declared to the data subject, as long as appropriate care to ensure confidentiality is taken (recital 34).
The data collected must be adequate, relevant and not excessive for the purposes stated (article 6.1(c)). They must be accurate and kept up to date where that is relevant (article 6.1(d)), must not be stored in an identifiable form for longer than necessary for the completion of the specified purpose (article 6.1(e)), and must be stored with adequate security.
Q. What is 'adequate' security in data storage?
A. 'Adequate' means state of the art. Whether or not the security measures used are adequate shall be judged on the basis of a balance of the current state of the art and the costs of implementing security measures, as well as the nature of the data and the processing. Where the data are particularly sensitive, such as medical and health related data, the security standards will be high.
Q. Who is responsible for the security of the data?
A. The data controller. The controller is also duty bound to ensure that data are protected against accidental or unlawful destruction, loss, alteration or unauthorised access by use of appropriate organisational and technical security measures (article 17).
Q. What about the Consent of the patient or client?
A. The data subject has the right to give or withhold his consent to the processing of his data, and must give that consent unambiguously (article 7). In accordance with other legal definitions of consent, the Directive specifies that the consent must be given freely and on the basis of adequate information about the purposes of collection and the eventual recipients of the information (articles 10 and 11).
The data subject must also be given access to information about the nature of data held about him and the purposes for which they are processed. Such access must be given at reasonable intervals and without undue delay or expense (article 12).
Q. Can a hospital ever refuse access to a patient to his or her stored data?
A. If it is in the vital interest of the data subject or some greater public interest. Article 7 acknowledges that it might be acceptable to argue that, for the well-being of a patient or another person, the patient's consent need not be sought before processing, nor should he be given access to his data.
Justifications for processing without the consent of the data subject will also arise where the data are processed in performance of a contract to which the data subject is party, or where a legal duty to process exists.
The Directive itself is, of course, limited to areas of EU competence; accordingly a Member State may choose to vary or abandon data protection principles in the interests of public security, defence and criminal law issues if it chooses to do so.
Q. When will the Directive apply here?
A. By 24 October 1998 all EU Member States must have new or amended legislation to make sure domestic legislation complies with the standards of the Directive. The provisions of the Directive on Data Protection have provided the domestic legislator with a detailed framework for medical data protection legislation. The precise nature of that legislation, its twists and turns, will of course become clear only with the passage of time. Whilst waiting for those nuances to become clear, medical data controllers and processors should become aware of their duties, both at a European and domestic level, and begin the process of bringing their respective houses to good data protection order.
Q. So, what did you say my duties would be after 24 October 1998?
A. The Directive gives you new duties and your patients or clients new rights. The diagram should help you to remember what those main rights and duties are: arrows from the controller to another entity indicate duties, while arrows to the controller indicate rights the other entity has against the controller.
[Diagram: duties of the controller and rights of the data subject and other entities (image not available)]
Copyright 1998 © EHTO All rights reserved. This server is the only official EHTO WWW knowledge repository. Mail suggestions to: webmaster@ehto.org