In contrast to the U.S., most European countries have for some years had in effect broad data-protection laws, based on human rights principles. All focus on personally identifiable data. Most deal with legitimacy of need-to-know; with notification of data-subjects, and consent; with data-subject rights, such as the right to examine data about oneself; with data security; and so on. And they establish remedies and sanctions against violations. (78)
Usually the laws are administered through independent national "data protection commissions" or "registrars." These bodies investigate complaints, critique the privacy implications of government programs, mediate privacy disputes, perhaps audit organizations' privacy protections, and represent the country's privacy interests internationally. (79) In some countries, such as Germany, provincial, in addition to federal, data-protection laws and agencies also are important. (Australia, New Zealand, Canada and several of its provinces, South Africa, and Japan also have active data privacy laws and agencies.) Again: The U.S. has no equivalent bodies.
In Europe sensitivities about health data run very high. National healthcare systems of course process huge volumes of data about individuals. In Europe medical data increasingly are being processed via electronic media. Electronic "smart cards" are being tried for medical billing (in Germany) or to carry some health data (in France), but progress is slow, because of both medical objections and privacy concerns. A pan-European "electronic health passport" has been proposed which would carry at least emergency medical information such as blood type and allergy information, but movement toward such a system has met with much opposition on privacy grounds. In France the Health Ministry has announced that by 1999 doctors must submit all of their bills electronically; but the medical establishment is resisting. In the U.K., communication of medical data via a new "NHS-Net" Internet service has been promoted by the National Health Service (NHS); but protests by both doctors and the public, largely over security and confidentiality, have forced a standoff, which has not yet been resolved.
In the past few years most legislatures have been readdressing the issues of informational privacy, especially with respect to data processed electronically. Several have adopted, or are currently considering proposals for, new laws covering health data. Now the issues have gained Europe-wide dimensions. All of this has implications for the U.S. and other countries outside Europe.
On October 24, 1995, after five years of deliberation, the European Parliament and the Council of the European Union (E.U.) adopted a "Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data" (hereafter, Directive). (80)
The Directive is extremely broad, covering the processing of all information about individuals. Its dual purposes are aptly expressed in its title. It is not specifically oriented to health data, although at a few points it makes reference to public health and medical data. If enforced literally some of its provisions could be inimical to health research. (81)
The Directive is a "framework directive" establishing general principles, with which the fifteen E.U. Member States must bring their national "laws, regulations and administrative provisions" into congruence by October 1998 (Article 32). (82)
"Personal data" and "processing" are defined comprehensively (Article 2).
(a) "Personal data" shall mean any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
(b) "Processing of personal data" ("processing") shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
The Directive does not restrict the processing of data which are not personally identifiable. But for the processing of those that are, consent from the data-subject generally is required.
Article 7 stipulates that "Member States shall provide that personal data may be processed only if:
(a) the data subject has unambiguously given his consent; or
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or
(c) processing is necessary for compliance with a legal obligation to which the controller is subject; or
(d) processing is necessary for protecting the vital interests of the data subject; or
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or
(f) [some other circumstances apply].
The data "controller" is "the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data" (Article 2(d)).
As for consent, Article 2(h) defines it broadly but firmly:
"The data subject's consent" shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.
Notice that the consent is to be "specific and informed." If applied literally, for some secondary research this would require solicitation of more-focused consent than is now sought.
The exception for "performance of contracts" presumably would apply to healthcare agreements between care-providers and patients. (But does this assume that consent is implicit, or waived? Consent to what?) The exception for "protecting the vital interests of the data subject" presumably would apply to emergency medical treatment and some other situations where consent is not feasible. Tasks "carried out in the public interest" are treated further in Article 8 (see below).
The Directive addresses data-quality issues (Article 6), such as requiring that "every reasonable step... be taken" to ensure that inaccurate data are erased or rectified. It sets out general public-notification requirements. It notes that data should not be stored longer than is required for meeting the initial purposes of collection. This requirement is directly in opposition to many research needs for retaining data for many years even if later uses cannot be predicted. (Recent large-scale studies of several decades' worth of data on the effects of oral contraceptives, and of estrogen replacement therapy, are among the many examples of the societal payback from retaining health research data.) Presumably in implementing the Directive national governments will recognize such requirements, which have long been embodied in regulations and good-practice guidelines covering research on medicines, vaccines, and medical devices.
In the interest of fair use, Articles 10 and 11 set out requirements for the notifying of data-subjects (whether the data have been collected from the subjects directly, or indirectly) as to the identity of the "data controllers," the purposes of the processing, and other circumstances. Article 11(2) provides, however, that the notification requirements "shall not apply where"
in particular for processing for statistical purposes or for the purposes of historical or scientific research, the provision of such information proves impossible or would involve a disproportionate effort or if recording or disclosure is expressly laid down by law. In these cases Member States shall provide appropriate safeguards.
Data-subject rights to inspect records about themselves, object to processing, request correction of erroneous data about themselves, and so on, are affirmed (Article 12). Public registration of processing operations is required (Article 21). The Directive covers all personally identifiable data processed in Europe, regardless of the origins of the data or the data-subject.
For administration and accountability, requirements are set for various supervisory authorities in the E.U. structure and in Member State governments. In most E.U. countries much of this apparatus already is in place, but more will have to be established, and duties will have to be adjusted. Judicial remedies, including compensatory liability, for individuals are required to be made available under Member States' laws for breach of the rights specified in the Directive.
Article 8, on "the processing of special categories of data," holds a number of provisions that could be problematic for health research.
¶ 1. Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.
¶ 2. Paragraph 1 shall not apply where... the data subject has given his explicit consent to the processing of those data... [or where some special circumstances, listed, apply].
¶ 3. Paragraph 1 shall not apply where processing of the data is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where those data are processed by a health professional subject under national law or rules established by national competent bodies to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy.
¶ 4. Subject to the provision of suitable safeguards, Member States may, for reasons of substantial public interest, lay down exemptions in addition to those laid down in paragraph 2 either by national law or by decision of the supervisory authority.
What kinds of health research will be defined as being within the scope of "preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services"? (A systematic check should be made against categories of health research such as those described in Chapter 3 of this Report.)
Will governments realize the importance in health research of taking into account factors relating to "ethnic origin" and "health and sex life"? Surely they should. Much essential public-health research is conducted with the very purpose of aiding subpopulations. Because many health factors are related to origin, research often selects groups by such criteria as ethnic origin to study specific afflictions, causes, or interventions. In pharmaceutical risk and efficacy studies, regulators rightly mandate that ethnic and sexual factors be taken account of. Genetics, dietary habits relating to ethnic background, sexual contacts and practices, and other factors strongly determine how health phenomena differ among people.
How broadly will "substantial public interest" be construed? Possibilities are mentioned in the Directive for a variety of national exemptions and derogations; but exemptions will not be recognized unless Member States positively enact them into their national laws. E.U. leaders have been saying publicly that not many "public interest" exemptions should be expected, but that, rather, safeguards should be emphasized.
Who (for instance, epidemiological analysts performing processing tasks in database research) will be considered to be "health professionals" or others "subject to an equivalent obligation of secrecy"? Presumably analysts can be positioned under responsible "data controllers."
Article 6 requires that personally identifiable data must be "collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes." But, no doubt to the relief of many researchers, it goes on to state:
¶ 1(b). Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards.
Article 25 deals with the movement of data, by whatever means, from E.U. Member States to other countries.
¶ 1. The Member States shall provide that the transfer to a [non E.U.] country of personal data which are undergoing processing or are intended for processing after transfer may take place only if ... the [recipient] country in question ensures an adequate level of protection.
How, in practice, will "adequate level of protection" be determined? What criteria will be applied? Article 25 continues:
¶ 2. The adequacy of the level of protection afforded by a [non E.U.] country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and the country of final destination, the rules of law, both general and sectoral, in force in the [non E.U.] country in question and the professional rules and security measures which are complied with in that country.
By whom and by what process will the determination be made? Article 29 establishes an independent Working Party on the Protection of Individuals with regard to the Processing of Personal Data, comprising representatives from all of the Member States (usually, in practice, their privacy commissioners) and representatives from the Commission structure itself. The Working Party has elected as its first chair Peter J. Hustinx, the President of the Registratiekamer of The Netherlands. The "adequacy" question is among the first topics the Working Party is addressing. (83), (84)
Will the transferability determination be made institution-by-institution (medical clinic, pharmaceutical company, university, contract research firm, government agency)? More likely, E.U. officials suggest, the determination will be made on a country-by-country basis, probably sector-by-sector.
Such assessments surely will be more straightforward for non-E.U. recipient countries having strong national or provincial data-protection laws and authority to enforce them. For this reason, E.U. officials strongly encourage the U.S. to pass such a law. Although no overall data-protection law is under contemplation in the U.S., no doubt a sound Federal medical-records confidentiality law would go a long way toward meeting the E.U.'s concerns and keeping health-research data flowing.
The Directive leaves doors open for Member States to allow data-transfers to recipients in countries not certified as having adequate protection. Article 26(1)(d) mentions "important public interest grounds," for example, and Article 26(2) holds that a Member State may authorize data transfers "where the controller adduces adequate safeguards" in the recipient country, suggesting that "such safeguards may in particular result from appropriate contractual clauses." This seems to encourage parties wishing to transfer data to establish contractual undertakings regarding data protections.
According to the Treaty of Rome, under which the E.U. operates, the Member States thus have obligated themselves to bringing their national laws into conformance with the principles of the Directive within three years of adoption (i.e., by October 1998). In this "transposing" they can employ whatever instruments of law (statutes, regulations, decrees, and so on) they deem sufficient. Some believe that their protections already meet most of the Directive's requirements. Others are revising their laws substantially.
The Working Party is to coordinate the implementation with respect to uniform application throughout the E.U., periodically report to the Commission on progress, and eventually give the Commission its opinion on the level of protection in the E.U. and in various non-E.U. countries and "on any codes of conduct drawn up at Community level" (Article 30). A variety of Community implementation requirements are specified.
Some European countries that are not members of the E.U., such as Switzerland, have said that they intend to establish equivalent standards.
A special provision, which recognizes the sector-specific nature of data, may provide an opening for health professionals to set guidelines to which public authorities could defer (Article 27).
¶ 1. The Member States and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper implementation of the national provisions adopted by the Member States pursuant to this Directive, taking account of the specific features of the various sectors.
Some professional societies are considering drafting codes of practice, as are some industry associations. Such codes would have to be adopted by the practitioners in E.U. countries; eventually recognition could be sought from the E.U.
A Dutch example of the usefulness of such a code may be instructive. During the first years of the 1990s the Council for Medical Research, a medical society, voluntarily established a "Code of Conduct for Medical Research" covering research on pre-existing medical data. (85) The Privacy Commission (Registratiekamer) was invited to monitor its implementation. Over several years the government found the Code to be effective, and in 1995 adopted the Code as national law.
The following sketches of the situations in six European countries are meant simply to illustrate the kinds of legal activities that are taking place now. All European countries have some protections in operation, and all are now evaluating whether they must make adjustments to comply with the E.U. Directive. 1998 is expected to be a busy year in privacy legislation.
Basic privacy law: "Law on the Protection of Privacy with Respect to the Treatment of Personal Data" (Loi relative à la protection de la vie privée à l'égard des traitements de données à caractère personnel) (1992). Authority: Commission for the Protection of Private Life (La Commission de Protection de la Vie Privée / Commissie voor de bescherming van de persoonlijke levenssfeer).
At present a law amending the basic privacy law is being drafted, with the E.U. Directive in mind. The Conseil d'Etat has received the draft. The Minister of Justice has said that he plans to send the draft to the Parliament by the end of 1997.
Also, a draft "Royal Decree relating to the protection of individuals in relation to the processing of data of a personal nature for scientific research in the field of medicine or public health" is being considered. Such a Decree would be subsidiary to the revised omnibus privacy law, and so could not have full legal force until that law is passed; but if adopted it would provide interim guidance.
Basic privacy law: "Law on Informatics, Records, and Freedoms" (Loi relative à l'informatique, aux fichiers et aux libertés) (January 6, 1978) (Law No. 78-17). Authority: National Commission on Informatics and Freedoms (Commission Nationale de l'Informatique et des Libertés (CNIL)).
Most French commentators say that the French safeguards in place are sufficiently protective that they meet the requirements of the E.U. Directive, and that no changes in the basic law will be required.
In 1994 an Amendment to the basic law was adopted, on "Computerized Processing of Name-Linked Data for the Purpose of Research in the Health Sector" (Loi du 1er juillet relative au traitement des données nominatives ayant pour fin la recherche dans le domaine de la santé) (Law No. 94-548). There is some controversy about implementation of the Amendment, which probably will be brought into effect during the course of 1997. A national committee has been appointed to give the CNIL its opinion on the scientific aspects of protocols that have been submitted (Comité Consultatif sur le Traitement de l'Information en Matière de Recherche dans le Domaine de la Santé). One aspect at issue is whether each research protocol must be submitted for approval in advance by the Comité Consultatif. Among others involved in discussions over implementation, the pharmaceutical industry association is negotiating for a streamlined process which might involve approval of some general research-protocol provisions, and perhaps for annual or other periodic review rather than study-by-study, to simplify and speed the approval process. (86)
Basic privacy law: Federal Data Protection Act (Bundesdatenschutzgesetz) (1990). Authority: Federal Data Protection Commissioner (Bundesdatenschutzbeauftragter). State (Länder) data protection laws and agencies also are important.
The German privacy laws are already strict (too strict for health research, some believe) and the general opinion seems to be that they will not need to be deeply modified to conform to the E.U. Directive.
However, several detailed amendments to the basic privacy law are being considered that would better meet the special requirements of health research and public-health activities, such as secondary research use of health data. The Ministries of Justice, Health, Research, Labor, Commerce, and Finance are involved in the discussions, which are being led by the Ministry of the Interior (Innenministerium). Part of the background is a 1995 petition from a working group of 100 German medical societies, which, stating that the Federal Data Protection Act over-emphasizes patients' privacy and impedes health research, urged the Minister of Research to seek changes in law so that health research, with its associated informed consent and ethics review, would be controlled separately and its special dimensions accommodated. (87)
Much activity in Germany now concerns implementation of a 1994 Law on Cancer Registries (Gesetz über Krebsregister), which requires that by the beginning of 1999 all of the Länder must maintain registries of cancer cases, mainly for epidemiological research. (88)
Basic privacy law: Data Protection Act (Wet Persoonsregistratie) (1988). Authority: Registration Chamber (Registratiekamer).
In 1995 a new "Code of conduct for medical research," covering research on existing medical data, was adopted by the Registration Chamber after years of development. The Code originated from "the desire to achieve a good balance between the requirements of privacy protection on the one hand and those of scientific research on the other." Under this Code, the conditions on processing data in research are guided strongly by whether the data involved are anonymous, key-coded, or identifiable. Data-subject consent is emphasized, as is working with data in non-identifiable form as much as possible. (89)
Basic privacy law: Data Protection Act (Datalagen) (1973). Authority: Data Inspection Board (Datainspektionen).
A special Governmental Data Act Committee has reviewed the shortcomings of the 1973 Act, which was judged to be inadequate for today's needs. In April 1997 the Committee proposed a total revision of the Data Protection Act, embodying many of the principles of the E.U. Directive but respecting Swedish concerns and the protections guaranteed by the Swedish Constitution. (90)
The proposed new national law would allow processing of personally identifiable data "for scientific research and statistics purposes where a research ethics committee has approved the project or where the public interests clearly override the risks to integrity."
The proposed new law now will be considered by the Minister of Justice, who, after consultations and revisions, may submit it to the Parliament, perhaps in the autumn of 1997.
Basic privacy law: Data Protection Act (1984), and Access to Health Records Act (1990). Authority: Data Protection Registrar.
Regarding implementation of the E.U. Directive, early in 1996 the Home Office circulated a "consultation document" inviting input on a range of issues from interested parties. The Home Office has been taking consideration of all of the responses and preparing to propose a strategy.
In April 1996 the Data Protection Registrar published a thought-provoking document comparing the E.U. Directive and U.K. law, and raising many questions. (91) In her recommendation to the Home Office a few months later, the Registrar argued that "we need the seamless approach which only new primary legislation can offer." (92)
A "Disclosure and Use of Personal Health Information Bill," developed by an interprofessional working party led by the British Medical Association, was introduced into the House of Lords in March 1996 by Lord Walton. But it seems not to have progressed very far.
Of course, now the new Labour government will have to develop its policies in this area.
The Council of Europe is an intergovernmental organization of 39 countries, headquartered in Strasbourg. Compared with the E.U., it comprises 24 more countries (but includes all members of the E.U.), draws heavily upon expertise in its member countries and depends on a relatively smaller staff, and its actions are not formally enforceable. (93) The two organizations coordinate their work. E.U. Commission staff represent the E.U. in all important activities of the Council of Europe, as they have done during the recent years' deliberations over data privacy in general and those over protection of health and medical data specifically.
In 1981 the Council of Europe passed an influential "Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data," which set out a number of principles. (94) Within a few years most major European countries ratified the Convention. It was on the basis of this Convention, and the deliberations that had led up to it, that most European countries developed their own laws and set up data-protection regimes.
The 1981 Convention is not formally binding. But it has set the tone for much data-protection work, and has been referred to many times in judgments on such issues as international data transfer. Some countries require the obtaining of special permission, or the establishment of a contract surrounding a "data corridor," so to speak, between institutions, before allowing transfer of sensitive data from their country to an institution in a country that has not ratified the Convention or where the protections are deemed weak.
Countries which are not members of the Council of Europe have been encouraged to ratify or otherwise adopt the provisions of the Conventions. The U.S. is not in a position to do so, because, among other reasons, it lacks Federal privacy law covering data in the private sector.
In February 1997, after five years' deliberation, the Council of Europe's Committee of Ministers (comprising the foreign ministers of all the Members) adopted a detailed "Recommendation on the Protection of Medical Data" (hereafter, Recommendation). (95) Many observers believe that because this Recommendation is specific to medical data and is felt to be practicable, and also because it covers all of Europe, it may well become deferred to as the guiding document for Europe. Governments have already approved it in the Council of Europe, so they must expect to implement its principles. And it is thought that for this sector the E.U. eventually may amend its Directive and explicitly defer to the Council of Europe Recommendation.
Even though its title refers to "medical" data, the Recommendation in Article 1 makes clear that it covers health data broadly:
The expression "medical data" refers to all personal data concerning the health of an individual. It refers also to data which have a clear and close link with health as well as to genetic data.
The Recommendation's concerns are to protect personally identifiable data, but it notes (Article 1): "An individual shall not be regarded as 'identifiable' if identification requires an unreasonable amount of time and manpower."
Article 3 limits the circle allowed to process health data:
In principle, medical data should be collected and processed only by health-care professionals or by individuals or bodies working on behalf of health-care professionals. ... Controllers of files who are not health-care professionals should only collect and process medical data subject either to rules of confidentiality comparable to those incumbent upon a health-care professional or to equally effective safeguards provided for by domestic law.
Article 4.3 affirms: "Medical data may be collected and processed if provided for by law for public health reasons... or another important public interest."
The Recommendation includes the standard fair-practice requirements to inform subjects, seek informed express consent, allow data-subject access and rectification of data, and the like.
Article 12, "Scientific Research," lays out this series of conditions:
- 12.1. Whenever possible, medical data used for scientific research purposes should be anonymous. Professional and scientific organizations and public authorities should promote the development of techniques and procedures securing anonymity.
- 12.2. However, if such anonymization would make a scientific research project impossible, and the project is to be carried out for legitimate purposes, it could be carried out with personal data on condition that:
  - a. the data subject has given his/her consent for one or more research purposes; or
  - b. [provision having to do with legally incapacitated subjects]; or
  - c. disclosure of data for the purpose of a defined research project concerning an important public interest has been authorized by the body or bodies designated by domestic law, but only if:
    - i. the data subject has not expressly opposed disclosure; and
    - ii. despite reasonable efforts, it would be impracticable to contact the data subject to seek his consent; and
    - iii. the interests of the research project justify the authorization; or
  - d. the scientific research is provided for by law and constitutes a necessary measure for public health reasons.
Transfer of personally identifiable data from a country which has ratified the Convention of 1981 of the Council of Europe to countries which have not is to be prohibited, unless "equivalent protection" is ensured, perhaps by contract, "and the data-subject has the possibility to object to the transfer" (Article 11).
An important question for the coming period is how the considerations of this Council of Europe Recommendation on the Protection of Medical Data will intersect with those in the implementation of the E.U. Data Privacy Directive.
For the U.S., it will be very important over the next few years to engage in high-level, broadly based dialogue with European leaders over the implementation of the E.U. Directive and the Council of Europe Recommendation. Discussions will have to be held with national governments and with intergovernmental organizations. Health data and health research must be addressed specifically; they simply cannot be dealt with in the same way as banking, credit, tax, education, transport, or criminal data.
In these discussions private-sector organizations involved with health research should participate fully. So should regulatory agencies that require international transfer of health data.
Focal issues regarding health research will be:
In all of this, the U.S. government and other American organizations should not only be asking for concessions and exemptions, but also taking the opportunity of this period of reform to improve the ways they themselves handle these matters, and exerting international leadership.
Last updated 7/23/97.