A stricter regime for profiling07 June 2016
The Treatment of Health Data Under the EU Data Protection Regulation – Cause for Hope?
The main points of the Council's position on Chapter II relating to health data are:
- Individuals can provide consent to their data being used for scientific research even if it is not possible for the controller to fully identify the purposes at the time of data collection so long as such scientific research is in keeping with recognised ethical standards – this recognises the concept of obtaining a broad consent for research generally rather than having to seek further consents from individuals for each new processing purpose;
- The further processing of personal data for scientific purposes is considered to be lawful processing compatible with the purposes for which the data was initially collected – since research purposes are deemed compatible, this permits further data processing for research without the need to obtain consent;
- Health data may be used in the context of the management of health or social care services including the use of such data for quality control, management information and national and local supervision of health or social care systems – this helps facilitate the management and sharing of health data making integration amongst care providers easier and should, for instance, enable data sharing initiatives of health bodies to better understand healthcare provision across all delivery methods;
- Health data may be used for public interest reasons in the area of public health without the consent of individuals but such data use should not result in data being used for other purposes by third parties such as employers, insurance and banking companies – this permits the use of health data for public health purposes while providing protections against use by third parties;
- Health data may be stored beyond the normal retention period (for that data) if it is being used for scientific purposes – this gives researchers comfort that they can retain and use health data in the long-term; and
- Health data used for healthcare purposes (preventive or occupational medicine, employer assessments of the working capacity of employees, medical diagnosis, provision of health or social care or treatment or management of health or social care, or under a contract with a health professional) should be processed by or under the responsibility of a professional or other person subject to an obligation of secrecy – this ensures that only individuals who are subject to confidentiality obligations can use the data in these circumstances.
In a number of places where the use of data for research is mentioned, the drafting refers to conditions and safeguards in Article 83 of the Regulation which, according to the Council draft of December 2014, allows Member States to provide derogations from certain obligations under the Regulation so long as these are subject to appropriate safeguards for individuals' rights and freedoms. Although this outlook is more favourable to those engaged in health research, certain Member States still have reservations. For instance, the notes to the Council's draft reveals that France's delegation considers that health data should only be processed in the public interest or with the individual's consent.
Furthermore there are signs that the Council's approach to health data may not necessarily sail effortlessly through the trilogue stage. The Article 29 Working Party indicated in a February letter to a key European Commission official (responding to a Commission request) that it supports the European Parliament's position on the Regulation requiring consent (in most cases) before individuals' personal data can be used for scientific research purposes. The European Parliament's draft Regulation (voted on in March 2014) establishes a much stricter regulatory environment for the use of health data for research purposes.
It is important to remember that the latest text from the Council is not set in stone. The background to the proposed text is clear that nothing is agreed until everything is agreed meaning that future changes are not excluded. But for those organisations that have campaigned to inject greater flexibility into the Regulation's treatment of health data, these latest proposals are reassuring.
This article was first published in e-Health Law and Policy in April 2015.
The Regulation aims to strengthen the rights of individuals. It does so by retaining rights that already exist under the Data Protection Directive and introducing the new rights of data...06 June 2016
Grounds for processing03 June 2016