The Council of Europe is an intergovernmental organization of 39 countries, head- quartered in Strasbourg. Compared with the E.U., it comprises 24 more countries (but includes all members of the E.U.), draws heavily upon expertise in its member countries and depends on a relatively smaller staff, and its actions are not formally enforceable.93 The two organizations coordinate their work. E.U. Commission staff represent the E.U. in all important activities of the Council of Europe, as they have done during the recent years' deliberations over data privacy in general and those over protection of health and medical data specifically.
In 1981 the Council of Europe passed an influential "Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data," which set out a number of principles.94 Within a few years most major European countries ratified the Convention. It was on the basis of this Convention, and the deliberations that had led up to it, that most European countries developed their own laws and set up data-protection regimes.
The 1981 Convention is not formally binding. But it has set the tone for much data- protection work, and has been referred to many times in judgments on such issues as international data transfer. Some countries require the obtaining of special permission, or the establishment of a contract surrounding a "data corridor," so to speak, between institutions, before allowing transfer of sensitive data from their country to an institution in a country that has not ratified the Convention or where the protections are deemed weak.
Countries which are not members of the Council of Europe have been encouraged to ratify or otherwise adopt the provisions of the Conventions. The U.S. is not in position to do so, because, among other reasons, it lacks Federal privacy law covering data in the private sector.
In February 1997, after five years' deliberation, the Council of Europe's Committee of Ministers—comprising the foreign ministers of all the Members—adopted a detailed "Recommendation on the Protection of Medical Data" (hereafter, Recommendation).95 Many observers believe that because this Recommendation is specific to medical data and is felt to be practicable, and also because it covers all of Europe, it may well become deferred to as the guiding document for Europe. Governments have already approved it in the Council of Europe, so they must expect to implement its principles. And it is thought that for this sector the E.U. eventually may amend its Directive and explicitly defer to the Council of Europe Recommend- ation.
Even though its title refers to "medical" data, the Recommendation in Article 1 makes clear that it covers health data broadly:
The expression "medical data" refers to all personal data concerning the health of an individual. It refers also to data which have a clear and close link with health as well as to genetic data.
The Recommendation's concerns are to protect personally identifiable data, but it notes (Article 1): "An individual shall not be regarded as 'identifiable' if identification requires an unreasonable amount of time and manpower."
Article 3 limits the circle allowed to process health data:
In principle, medical data should be collected and processed only by health-care professionals or by individuals or bodies working on behalf of health-care professionals. ... Controllers of files who are not health-care professionals should only collect and process medical data subject either to rules of confidentiality comparable to those incumbent upon a health-care professional or to equally effective safeguards provided for by domestic law.
Article 4.3 affirms: "Medical data may be collected and processed if provided for by law for public health reasons... or another important public interest."
The Recommendation includes the standard fair-practice requirements to inform subjects, seek informed express consent, allow data-subject access and rectification of data, and the like.
Article 12, "Scientific Research," lays out this series of conditions:
Whenever possible, medical data used for scientific research purposes should be anonymous. Professional and scientific organizations and public authorities should promote the development of techniques and procedures securing anonymity.
However, if such anonymization would make a scientific research project impossible, and the project is to be carried out for legitimate purposes, it could be carried out with personal data on condition that:
the data subject has given his/her consent for one or more research purposes;
[provision having to do with legally incapacitated subjects];
disclosure of data for the purpose of a defined research project concerning an important public interest has been authorized by the body or bodies designated by domestic law, but only if:
the data subject has not expressly opposed disclosure; and
despite reasonable efforts, it would be impracticable to contact the data subject to seek his consent; and
the interests of the research project justify the authorization;
the scientific research is provided for by law and constitutes a necessary measure for public health reasons.
Transfer of personally identifiable data from a country which has ratified the Convention of 1981 of the Council of Europe to countries which have not is to be prohibited—unless "equivalent protection" is ensured, perhaps by contract, "and the data-subject has the possibility to object to the transfer" (Article 11).
An important question for the coming period is how the considerations of this Council of Europe Recommendation on the Protection of Medical Data will intersect with those in the implementation of the E.U. Data Privacy Directive.
(93) The Members of the Council of Europe are Albania, Andorra, Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Moldavia, The Netherlands, Norway, Poland, Portugal, Romania, Russia, San Marino, Slovakia, Slovenia, Spain, Sweden, Switzerland, "the Former Yugoslav Republic of Macedonia," Turkey, Ukraine, and the United Kingdom.
(94) Council of Europe, "Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data," European Treaty Series No. 108 (January 28, 1981).
(95) Council of Europe, "Recommendation of the Committee of Ministers to Member States on the Protection of Medical Data," No. R (97) 5 (February 13, 1997). For context see also the "Explanatory Memoranda."