HealthDataNavigator Learn from best practice examples to identify success factors and to improve data availability

Data Protection

The European Data Protection Directive 95/46/EC

The European Data Protection Directive 95/46/EC is one of the major instruments of EU data protection law. The initial purpose of the Directive is “… the free flow of personal data within Europe …”; it aims at achieving a minimum level of data protection in the Member States, which is expressed by six main principles:

  • legitimacy of the collection of data,
  • limitation to specified purposes,
  • transparency for the data subject,
  • proportionality in relation to the purpose,
  • security of processing,
  • control by data protection authorities.

Directive 95/46/EC, adopted on 24 October 1995 for all Member States, affirms that “data processing systems are designed to serve man, …they must whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms, in particular the right to privacy, and contribute to economic and social progress, …and the well-being of individuals” (various international conventions and national constitutions recognize privacy and the protection of personal data as a fundamental human right).

Data protection plays a significant role in restricting or even prohibiting the processing of sensitive data (Art. 8 of Directive 95/46/EC), a category that encompasses personal health data. The processing of such data is also prohibited by the Convention for the Protection of Human Rights and Fundamental Freedoms.

Patients’ rights with regard to personal health data

The OECD states that “… informed consent has become the pillar for protecting individual’s autonomy where research involves human subjects.” In particular, European data protection legislation grants patients (as data subjects) a number of rights once identifiable data are processed. These rights are the following:

  • to be aware of the processing of their data, its purposes, the identity of the data controller, the identity of the possible recipients of the data;
  • to have access to a copy of the information comprised in their personal data;
  • to object to processing;
  • to prevent processing for direct marketing;
  • to object to decisions being taken by automated means;
  • in certain circumstances, to have inaccurate personal data rectified, blocked, erased or destroyed;
  • to claim compensation for damages caused by a breach of the Privacy Directive.

Member States are allowed to apply more stringent rules to legitimize the data subject’s consent, be it through the requirement of ‘written consent’ or preventing consent from being the sole basis to authorize the generally prohibited processing of personal health data.

The data subject may revoke the given consent at any time and without justification. Revocation prevents further processing, but it does not make past operations retrospectively unlawful.

Processing of personal health data in research

According to Art. 8(1) of Directive 95/46/EC, the processing of personal health data is, in general, prohibited. However, the Directive lists a number of exemptions from this general prohibition, of which the data subject’s consent can be seen as the most relevant.

There is much discussion on the meaning of explicit consent, which has to be given in advance of each processing of data. Informed consent presupposes the capacity to inform the participants of the use and the purpose of a particular research activity, for example participation in a clinical trial or a survey (OECD, 2012). Problems arise, however, when the researcher wants to work with data that was originally collected for other purposes: the earlier explicit consent needs to be renewed and can by no means be stretched into an implied, vague or broad consent.

Shifting to the processing of anonymized data would be a perfect solution, as the Directive does not apply to data where “… the data subject is no longer identifiable …”. Additional guidance is provided by recital 26 of the Privacy Directive, which states that “to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person”. This implies that the principles of protection do not apply to data rendered anonymous in such a way that the data subject is no longer identifiable.

For health data, however, anonymization is rarely feasible. There are often good reasons to retain the potential to re-identify data, for example when it is necessary to link different sources of data, and removing the identifying characteristics could destroy nearly all of the data of interest for statistical research.

In 2008, the International Organization for Standardization (ISO) published Technical Specification (TS) No. 25237, which defines the basic concept of pseudonymization and covers technical and organizational aspects of de-identification as well as guidelines for re-identification risk assessment.

The Article 29 Working Party defines this last concept as follows: "Pseudonymisation means transposing identifiers (like names and date of birth etc) into a new designation, preferably by encryption, so that the recipient of the information cannot identify the data subject".

In doing so, the Working Party shifts the border of ambiguity between identified, identifiable and anonymized data and favours replacing the term ‘anonymous data’ with the more realistic term ‘anonymized data’, which reflects that all precautions against the relevant threats have been taken to prevent identification. However, whereas the ‘anonymized data’ resulting from the ‘anonymization process’ are excluded from the data protection requirements, the process of anonymization itself remains covered by data protection law like any other type of processing of personal data.
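The Working Party definition above leaves open how identifiers are “transposed into a new designation”. The following added example (not code from the page or from HealthDataNavigator) shows one common instantiation: a keyed hash (HMAC-SHA256) under a secret key held only by the data controller. It illustrates the two properties the text cares about: records from different sources can still be linked on the pseudonym, while a recipient without the key cannot recompute the mapping, and data released under different keys cannot be linked to each other. The patient records, the key and the field names are constructed for the example.

```python
"""Keyed pseudonymisation of patient records (illustrative example, not the page's own code)."""
import hashlib
import hmac
import unicodedata

# Constructed sample data: two sources that both hold direct identifiers.
HOSPITAL_RECORDS = [
    {"name": "Anna Example", "dob": "1980-04-12", "diagnosis": "E11"},
    {"name": "Jan Example", "dob": "1975-11-30", "diagnosis": "I10"},
]
LAB_RECORDS = [
    {"name": "ANNA  EXAMPLE", "dob": "1980-04-12", "hba1c": 7.4},  # same person, different spelling
    {"name": "Maria Example", "dob": "1990-01-01", "hba1c": 5.2},
]

# Fields that identify the person directly and must not leave the controller.
DIRECT_IDENTIFIERS = ("name", "dob")

# Placeholder key for the example. In practice the controller generates it with
# secrets.token_bytes(32), stores it separately from the data, and never ships it
# to the recipient of the pseudonymised data set.
CONTROLLER_KEY = b"example-controller-key-not-for-production"


def normalise_identifier(name: str, dob: str) -> str:
    """Canonicalise the identifying fields so that spelling variants of the same
    person (case, accents, extra whitespace) map to the same pseudonym."""
    name = unicodedata.normalize("NFKC", name)
    name = " ".join(name.casefold().split())
    return f"{name}|{dob}"


def pseudonymise(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 of the canonical identifier under the controller's key.
    Deterministic for one key (so sources can be linked), unrelated across keys."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_records(records: list[dict], key: bytes) -> list[dict]:
    """Replace the direct identifiers of every record by a pseudonym; keep the rest."""
    out = []
    for rec in records:
        pid = pseudonymise(normalise_identifier(rec["name"], rec["dob"]), key)
        payload = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        out.append({"pseudonym": pid, **payload})
    return out


def link_sources(left: list[dict], right: list[dict]) -> list[dict]:
    """Join two pseudonymised data sets on the pseudonym (inner join)."""
    index = {r["pseudonym"]: r for r in right}
    linked = []
    for rec in left:
        other = index.get(rec["pseudonym"])
        if other is not None:
            merged = dict(rec)
            merged.update({k: v for k, v in other.items() if k != "pseudonym"})
            linked.append(merged)
    return linked


def linked_study_data(key: bytes = CONTROLLER_KEY) -> list[dict]:
    """Pseudonymise both sources under one key and link them."""
    hospital = pseudonymise_records(HOSPITAL_RECORDS, key)
    lab = pseudonymise_records(LAB_RECORDS, key)
    return link_sources(hospital, lab)


if __name__ == "__main__":
    for row in linked_study_data():
        print(row)
```

Linking works only because both sources were pseudonymised under the same controller key; a second project given its own key obtains pseudonyms that cannot be matched against the first project's data, which is the usual way to limit cross-study re-identification risk while keeping the within-study linkage the text describes.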

The various stakeholders of medical research

Medical research has many stakeholders, each with its own role. Each of them deals with personal data and data subjects, which raises legal issues.

Researcher: The researcher is the person who actually works on the data, samples, etc. In the past, researchers mostly used the data of their own patients; nowadays they increasingly work with data coming from outside their team.

Data controller: Under Article 2(d) of the Privacy Directive, the “'controller' shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data”. The substantial questions that are essential to the lawfulness of processing, such as which data are processed, the length of storage and who has access, are to be determined by the controller.

Data processor: The processor is “a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller”.

Data subject: The data subject may be defined as the identified or identifiable natural person to whom the personal data relate.

Transfer of health related data outside the European Economic Area (EEA)

The transfer of personal data outside the EEA, i.e. the Member States of the European Union, Iceland, Liechtenstein and Norway, is regulated by the Privacy Directive. The transfer is only permitted to countries which offer an adequate level of protection of personal data. “The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectorial, in force in the third country in question and the professional rules and security measures which are complied with in that country”.

The European Commission maintains a so-called “white list” of countries which may be considered as offering an adequate level of protection. If a country is on the white list, the data controller may assume that it offers an adequate level of protection. If a country is not on this list, the data controller must assess, in concrete terms, whether or not that country offers an adequate level of protection.
