Privacy and Health Research. Elements of the Directive

05/01/1997

The Directive does not restrict the processing of data which are not personally identifiable. But for the processing of those that are, consent from the data-subject generally is required.

Article 7 stipulates that "Member States shall provide that personal data may be processed only if:

(a) the data subject has unambiguously given his consent; or
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or
(c) processing is necessary for compliance with a legal obligation to which the controller is subject; or
(d) processing is necessary for protecting the vital interests of the data subject; or
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or
(f) [some other circumstances apply].

The data "controller" is "the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data" (Article 2(d)).

As for consent, Article 2(h) defines it broadly but firmly:

"The data subject's consent" shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.

Notice that the consent is to be "specific and informed." If applied literally, for some secondary research this would require solicitation of more-focused consent than is now sought.

The exception for "performance of contracts" presumably would apply to healthcare agreements between care-providers and patients. (But does this assume that consent is implicit, or, waived? Consent to what?) The exception for "protecting the vital interests of the data subject" presumably would apply to emergency medical treatment and some other situations where consent is not feasible. Tasks "carried out in the public interest" are treated further in Article 8 (see below).

The Directive addresses data-quality issues (Article 6), such as requiring that "every reasonable step... be taken" to ensure that inaccurate data are erased or rectified. It sets out general public-notification requirements. It notes that data should not be stored longer than is required for meeting the initial purposes of collection. This requirement is directly in opposition to many research needs for retaining data for many years even if later uses cannot be predicted. (Recent large-scale studies of several decades worth of data on the effects of oral contraceptives, and of estrogen replacement therapy, are among the many examples of the societal payback from retaining health research data.) Presumably in implementing the Directive national governments will recognize such requirements, which have long been embodied in regulations and good- practice guidelines covering research on medicines, vaccines, and medical devices.

In the interest of fair use, Articles 10 and 11 set out requirements for the notifying of data- subjects (whether the data have been collected from the subjects directly, or indirectly) as to the identity of the "data controllers," the purposes of the processing, and other circumstances. Article 11(2) provides, however, that the notification requirements "shall not apply where"

in particular for processing for statistical purposes or for the purposes of historical or scientific research, the provision of such information proves impossible or would involve a disproportionate effort or if recording or disclosure is expressly laid down by law. In these cases Member States shall provide appropriate safeguards.

Data-subject rights to inspect records about themselves, object to processing, request correction of erroneous data about themselves, and so on, are affirmed (Article 12). Public registration of processing operations is required (Article 21). The Directive covers all personally identifiable data processed in Europe, regardless of the origins of the data or the data-subject.

For administration and accountability, requirements are set for various supervisory authorities in the E.U. structure and in Member State governments. In most E.U. countries much of this apparatus already is in place, but more will have to be established, and duties will have to be adjusted. Judicial remedies, including compensatory liability, for individuals are required to be made available under Member States' laws for breach of the rights specified in the Directive.