Strasbourg, 28 January 1997    Restricted

    CM(97)18

    Addendum II

    For consideration at the 584th meeting

    of the Ministers' Deputies

    (10-13 February 1997, A level, item 10.1)

EUROPEAN COMMITTEE ON LEGAL CO-OPERATION (CDCJ)

Draft Recommendation No. R (97) ...

of the Committee of Ministers to member States on

the protection of medical data

and

Explanatory memorandum

    Draft Recommendation No. R (97) ...

    of the Committee of Ministers to member States on

    the protection of medical data

    The Committee of Ministers, under the terms of Article 15.b of the Statute of the Council of Europe,

    Considering that the aim of the Council of Europe is to achieve a greater unity between its members;

    Recalling the general principles on data protection in the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (European Treaty Series, No. 108) and in particular its Article 6 which stipulates that personal data concerning health may not be processed automatically unless domestic law provides appropriate safeguards;

    Aware of the increasing use of automatic processing of medical data by information systems, not only for medical care, medical research, hospital management and public health but also outside the health-care sector;

    Convinced of the importance of the quality, integrity and availability of medical data for the health of the data subject and his family;

    Aware that progress in medical science is dependent to a great extent on the availability of medical data on individuals;

    Convinced that it is desirable to regulate the collection and processing of medical data, to safeguard the confidentiality and security of personal data regarding health, and to ensure that they are used subject to the rights and fundamental freedoms of the individual, and in particular to the right to privacy;

    Aware that progress made in medical science and developments in information technology since 1981 have made it necessary to revise various provisions in Recommendation No. R (81) 1 on regulations for automated medical data banks;

    Recommends that the governments of member states:

    - take steps to ensure that the principles contained in the appendix to this recommendation are reflected in their law and practice;

    - ensure wide circulation of the principles contained in the appendix to this recommendation among persons professionally involved in the collection and processing of medical data;

    Decides that this recommendation will replace Recommendation No. R (81) 1 on regulations for automated medical data banks.

    Appendix to Recommendation N° R (97) ...

1. Definitions

    For the purposes of this recommendation:

    - the expression "personal data" covers any information relating to an identified or identifiable individual. An individual shall not be regarded as "identifiable" if identification requires an unreasonable amount of time and manpower. In cases where the individual is not identifiable, the data are referred to as anonymous;

    - the expression "medical data" refers to all personal data concerning the health of an individual. It refers also to data which have a clear and close link with health as well as to genetic data;

    - the expression "genetic data" refers to all data, of whatever type, concerning the heritable characteristics of an individual or concerning the pattern of inheritance of such characteristics within a related group of individuals.

    It also refers to all data on the carrying of any genetic information (genes) in an individual or genetic line relating to any aspect of health or disease, whether present as identifiable characteristics or not.

    The genetic line is the line constituted by genetic similarities resulting from procreation and shared by two or more individuals.

2. Scope

2.1.    This recommendation is applicable to the collection and automatic processing of medical data, unless domestic law, in a specific context outside the health-care sector, provides other appropriate safeguards.

2.2.    A member state may extend the principles set out in this recommendation to cover medical data not processed automatically.

3. Respect for privacy

3.1.    The respect of rights and fundamental freedoms, and in particular of the right to privacy, shall be guaranteed during the collection and processing of medical data.

3.2.    Medical data may only be collected and processed if in accordance with appropriate safeguards which must be provided by domestic law.

    In principle, medical data should be collected and processed only by health-care professionals or by individuals or bodies working on behalf of health-care professionals. Individuals or bodies working on behalf of health-care professionals who collect and process

medical data should be subject to the same rules of confidentiality incumbent on health-care professionals, or to comparable rules of confidentiality.

    Controllers of files who are not health-care professionals should only collect and process medical data subject either to rules of confidentiality comparable to those incumbent upon a health-care professional or to equally effective safeguards provided for by domestic law.

4. Collection and processing of medical data

4.1.    Medical data shall be collected and processed fairly and lawfully and only for specified purposes.

4.2.     Medical data shall in principle be obtained from the data subject. They may only be obtained from other sources if in accordance with Chapters 4, 6 and 7 and if this is necessary to achieve the purpose of the processing or if the data subject is not in a position to provide the data.

4.3 Medical data may be collected and processed:

a. if provided for by law for:

    i. public health reasons; or

    ii. subject to Principle 4.8, the prevention of a real danger or the suppression of a specific criminal offence; or

    iii. another important public interest, or

b. if permitted by law:

    i. for preventive medical purposes or for diagnostic or for therapeutic purposes with regard to the data subject or a relative in the genetic line; or

    ii. to safeguard the vital interests of the data subject or of a third person; or

    iii. for the fulfilment of specific contractual obligations; or

    iv. to establish, exercise or defend a legal claim; or

c. if the data subject or his/her legal representative or an authority or any person or body provided for by law has given his/her consent for one or more purposes, and insofar as domestic law does not provide otherwise.

4.4    If medical data have been collected for preventive medical purposes or for diagnostic or for therapeutic purposes with regard to the data subject or a relative in the genetic line, they may also be processed for the management of a medical service operating in the interest of the patient, in cases where the management is provided by the health-care

professional who collected the data, or where the data are communicated in accordance with principles 7.2 and 7.3.

    Unborn children

4.5.     Medical data concerning unborn children should be considered as personal data and

enjoy a protection comparable to the protection of the medical data of a minor.

4.6.     Unless otherwise provided for by domestic law, the holder of parental responsibilities may act as the person legally entitled to act for the unborn child as a data subject.

    Genetic data

4.7    Genetic data collected and processed for preventive treatment, diagnosis or treatment of the data subject or for scientific research should only be used for these purposes or to allow the data subject to take a free and informed decision on these matters.

4.8.     Processing of genetic data for the purpose of a judicial procedure or a criminal investigation should be the subject of a specific law offering appropriate safeguards.

    The data should only be used to establish whether there is a genetic link in the framework of adducing evidence, to prevent a real danger or to suppress a specific criminal offence. In no case should they be used to determine other characteristics which may be linked genetically.

4.9.    For purposes other than those provided for in Principles 4.7 and 4.8, the collection and processing of genetic data should, in principle, only be permitted for health reasons and in particular to avoid any serious prejudice to the health of the data subject or third parties.

    However, the collection and processing of genetic data in order to predict illness may be allowed for in case of an overriding interest and subject to appropriate safeguards defined by law.

5. Information of the data subject

5.1.     The data subject shall be informed of the following elements:

a. the existence of a file containing his/her medical data and the type of data collected or to be collected;

b. the purpose or purposes for which they are or will be processed;

c. where applicable, the individuals or bodies from whom they are or will be collected;

d. the persons or bodies to whom and the purposes for which they may be communicated;

e. the possibility, if any, for the data subject to refuse his consent, to withdraw it and the consequences of such withdrawal;

f. the identity of the controller and of his/her representative, if any, as well as the conditions under which the rights of access and of rectification may be exercised.

5.2.    The data subject should be informed at the latest at the moment of collection. However, when medical data are not collected from the data subject, the latter should be notified of the collection as soon as possible as well as, in a suitable manner, of the information listed under Principle 5.1, unless this is clearly unreasonable or impracticable, or unless the data subject has already received the information.

5.3.     Information for the data subject shall be appropriate and adapted to the circumstances. Information should preferably be given to each data subject individually.

5.4.    Before a genetic analysis is carried out, the data subject should be informed about the objectives of the analysis and the possibility of unexpected findings.

    Legally incapacitated persons

5.5.     If the data subject is a legally incapacitated person, incapable of free decision and domestic law does not permit the data subject to act on his/her own behalf, the information shall be given to the person recognised as legally entitled to act in the interest of the data subject.

    If a legally incapacitated person is capable of understanding, he/she should be informed before his data are collected or processed.

    Derogations

5.6.    Derogations from Principles 5.1, 5.2 and 5.3 may be made in the following cases:

a. information of the data subject may be restricted if the derogation is provided for by law and constitutes a necessary measure in a democratic society:

    i. to prevent a real danger or to suppress a criminal offence.

    ii. for public health reasons.

    iii. to protect the data subject and the rights and freedoms of others;

b. in medical emergencies, data considered necessary for medical treatment may be collected prior to information.

6. Consent

6.1.     Where the data subject is required to give his/her consent, this consent should be free, express and informed.

6.2.    The results of any genetic analysis should be formulated within the limits of the objectives of the medical consultation, diagnosis or treatment for which consent was obtained.

6.3.     Where it is intended to process medical data relating to a legally incapacitated person who is incapable of free decision, and when domestic law does not permit the data subject to act on his/her own behalf, the consent of the person recognised as legally entitled to act

in the interest of the data subject or an authority or any person or body provided for by law is required.

    If, in accordance with Principle 5.5 above, a legally incapacitated person has been informed of the intention to collect or process his/her medical data, his/her wishes should be taken into account, unless domestic law provides otherwise.

7. Communication

7.1.     Medical data shall not be communicated, unless on the conditions set out in this chapter and in Chapter 12.

7.2.    In particular, unless other appropriate safeguards are provided by domestic law, medical data may only be communicated to a person who is subject to the rules of confidentiality incumbent upon a health-care professional or to comparable rules of confidentiality and who complies with the provisions of this recommendation.

7.3 Medical data may be communicated if they are relevant and:

a. if the communication is provided for by law and constitutes a necessary measure in a democratic society for:

    i. public health reasons; or

    ii. the prevention of a real danger or the suppression of a specific criminal offence; or

    iii. another important public interest; or

    iv. the protection of the rights and freedoms of others; or

b. if the communication is permitted by law for the purpose of:

    i. the protection of the data subject or a relative in the genetic line;

    ii. safeguarding the vital interests of the data subject or a third person; or

    iii. the fulfilment of specific contractual obligations; or

    iv. establishing, exercising or defending a legal claim; or

c. if the data subject or his/her legal representative or an authority or any person or body provided for by law has given his/her consent for one or more purposes, and insofar as domestic law does not provide otherwise; or

d. provided that the data subject or his/her legal representative or an authority or any person or body provided for by law has not explicitly objected to any non-mandatory communication, if the data have been collected in a freely chosen preventive, diagnostic or therapeutic context, and the purpose of the communication, in particular the provision of care to the patient or the management of a medical service operating in the interest of the patient, is not incompatible with the purpose of the processing for which they were collected.

8. Rights of the data subject

    Rights of access and of rectification

8.1.    Every person shall be enabled to have access to his/her medical data, either directly or through a health-care professional or, if permitted by domestic law, a person appointed by him/her. The information must be accessible in understandable form.

8.2.    Access to medical data may be refused, limited or delayed only if the law provides for this and if:

a. this constitutes a necessary measure in a democratic society in the interests of protecting state security, public safety, or the suppression of criminal offences; or

b. knowledge of the information is likely to cause serious harm to the data subject's health; or

c. the information on the data subject reveals also information on third parties or, in respect of genetic data, this information is likely to cause serious harm to consanguine or uterine kin or to a person who has a direct link with this genetic line; or

d. the data are used for statistical or for scientific research purposes where there is clearly no risk of an infringement of the privacy of the data subject, notably the possibility of using the data collected in support of decisions or measures regarding any particular individual.

8.3.     The data subject may ask for rectification of erroneous data concerning him/her and, in case of refusal, he/she shall be able to appeal.

    Unexpected findings

8.4.    The person subjected to genetic analysis should be informed of unexpected findings if the following conditions are met:

a. domestic law does not prohibit the giving of such information;

b. the person himself has asked for this information;

c. the information is not likely to cause serious harm:

    i. to his/her health; or

    ii. to his/her consanguine or uterine kin, to a member of his/her social family, or to a person who has a direct link with his/her genetic line, unless domestic law provides other appropriate safeguards.

    Subject to sub-paragraph a, the person should also be informed if this information is of direct importance to him/her for treatment or prevention.

9. Security

9.1.     Appropriate technical and organisational measures shall be taken to protect personal data processed in accordance with this recommendation against accidental or illegal destruction, accidental loss as well as against unauthorised access, alteration, communication or any other form of processing.

    Such measures shall ensure an appropriate level of security taking account, on the one hand, of the technical state of the art and, on the other hand, of the sensitive nature of medical data and the evaluation of potential risks.

    These measures shall be reviewed periodically.

9.2.     In order to ensure in particular the confidentiality, integrity and accuracy of processed data, as well as the protection of patients, appropriate measures should be taken:

a. to prevent any unauthorised person from having access to installations used for processing personal data (control of the entrance to installations);

b. to prevent data media from being read, copied, altered or removed by unauthorised persons (control of data media);

c. to prevent the unauthorised entry of data into the information system, and any unauthorised consultation, modification or deletion of processed personal data (memory control);

d. to prevent automated data processing systems from being used by unauthorised persons by means of data transmission equipment (control of utilisation);

e. with a view to, on the one hand, selective access to data and, on the other hand, the security of the medical data, to ensure that the processing as a general rule is so designed as to enable the separation of:

    _ identifiers and data relating to the identity of persons,

    _ administrative data,

    _ medical data,

    _ social data,

    _ genetic data (access control);

f. to guarantee the possibility of checking and ascertaining to which persons or bodies personal data can be communicated by data transmission equipment (control of communication);

g. to guarantee that it is possible to check and establish a posteriori who has had access to the system and what personal data have been introduced into the information system, when and by whom (control of data introduction);

h. to prevent the unauthorised reading, copying, alteration or deletion of personal data during the communication of personal data and the transport of data media (control of transport);

i. to safeguard data by making security copies (availability control).

9.3.    Controllers of medical files should, in accordance with domestic law, draw up appropriate internal regulations which respect the related principles in this recommendation.

9.4.     Where necessary, controllers of files processing medical data should appoint an independent person responsible for security of information systems and data protection and competent for giving advice on these issues.

10. Conservation

10.1.     In general, medical data shall be kept no longer than necessary to achieve the purpose for which they were collected and processed.

10.2.     When, in the legitimate interest of public health or medical science, or of the person in charge of the medical treatment or the controller of the file in order to enable him/her to defend or exercise a legal claim, or for historical or statistical reasons, it proves necessary to conserve medical data that no longer have any use for the original purpose, technical arrangements shall be made to ensure their correct conservation and security, taking into account the privacy of the patient.

10.3.     On the request of the data subject, his/her medical data should be erased, unless they have been made anonymous or there are overriding and legitimate interests, in particular those stated in Principle 10.2 not to do so, or there is an obligation to keep the data on record.

11. Transborder flows

11.1.     The principles of this recommendation are applicable to the transborder flow of medical data.

11.2.     The transborder flow of medical data to a state which has ratified the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, and which disposes of legislation which provides at least equivalent protection of medical data, should not be subjected to special conditions concerning the protection of privacy.

11.3.     Where the protection of medical data can be considered to be in line with the principle of equivalent protection laid down in the convention, no restriction should be placed on the transborder flow of medical data to a state which has not ratified the convention but which has legal provisions which ensure protection in accordance with the principles of that convention and this recommendation.

11.4.     Unless otherwise provided for by domestic law, the transborder flow of medical data to a state which does not ensure protection in accordance with the convention and with this recommendation, should not as a rule occur unless:

a. necessary measures, including those of a contractual nature, to respect the principles of the convention and this recommendation, have been taken, and the data subject has the possibility to object to the transfer; or

b. the data subject has given his consent.

11.5.     Unless in the case of emergency or of a transfer to which the data subject has given his informed consent, appropriate measures should be taken to ensure the protection of medical data transferred from one country to another, and in particular:

a. the person responsible for the transfer should indicate to the addressee the specified and legitimate purposes for which the data have been originally collected, as well as the persons or bodies to whom they may be communicated;

b. unless otherwise provided for by domestic law, the addressee should undertake in respect of the person responsible for the transfer to respect the specified and legitimate purposes which he/she has accepted, and not to communicate the data to persons or bodies other than those indicated by the person responsible for the transfer.

12. Scientific research

12.1.     Whenever possible, medical data used for scientific research purposes should be anonymous. Professional and scientific organisations and public authorities should promote the development of techniques and procedures securing anonymity.

12.2.     However, if such anonymisation would make a scientific research project impossible, and the project is to be carried out for legitimate purposes, it could be carried out with personal data on condition that:

a. the data subject has given his/her informed consent for one or more research purposes; or

b. when the data subject is a legally incapacitated person incapable of free decision, and domestic law does not permit the data subject to act on his/her own behalf, his/her legal representative or an authority or any person or body provided for by law has given his/her consent in the framework of a research project related to the medical condition or illness of the data subject; or

c. disclosure of data for the purpose of a defined medical research project concerning an important public interest has been authorised by the body or bodies designated by domestic law, but only if:

    i. the data subject has not expressly opposed disclosure; and

    ii. despite reasonable efforts, it would be impracticable to contact the data subject to seek his consent; and

    iii. the interests of the research project justify the authorisation; or

d. the scientific research is provided for by law and constitutes a necessary measure for public health reasons.

12.3.     Subject to complementary provisions determined by domestic law, health-care professionals entitled to carry out their own medical research should be able to use the medical data which they hold as long as the data subject has been informed of this possibility and has not objected.

12.4.     In respect of any scientific research based on personal data, the incidental problems, including those of an ethical and scientific nature, raised by respect of the provisions of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data should also be examined in the light of other relevant instruments.

12.5.     Personal data used for scientific research may not be published in a form which enables the data subjects to be identified, unless they have given their consent for the publication and publication is permitted by domestic law.

    Explanatory Memorandum

    to Recommendation No. R (97) ...

    of the Committee of Ministers to Member States

    on the protection of medical data

    

INTRODUCTION

    The impact of data processing technology on various aspects of day to day life, especially personal privacy, has long engaged the attention of the Council of Europe, an intergovernmental Organisation which has to its credit the drafting of what is the world's first binding legal instrument in the field of data protection - the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of 28 January 1981 (ETS 108) See footnote 1 . With reference to specific data processing contexts, a committee of experts mandated by the Council of Europe has laid down detailed principles and guidelines for the protection of privacy based on the provisions of the Convention but adapted to suit each context.

    These principles and guidelines have been embodied in recommendations adopted by the Committee of Ministers and calling upon the governments of member States to take account of the solutions offered in their approach to the data protection issues covered.

    Nine such initiatives have so far been taken in the framework of what is referred to as the "sectoral approach" to data protection:

-    Recommendation No. R (81) 1 on regulations for automated medical data banks (23 January 1981);

-    Recommendation No. R (83) 10 on the protection of personal data used for scientific research and statistics (23 September 1983);

-    Recommendation No. R (85) 20 on the protection of personal data used for the purposes of direct marketing (25 October 1985);

-    Recommendation No. R (86) 1 on the protection of personal data used for social security purposes (23 January 1986);

-    Recommendation No. R (87) 15 regulating the use of personal data in the police sector (17 September 1987);

-    Recommendation No. R (89) 2 on the protection of personal data used for employment purposes (18 January 1989);

-    Recommendation No. R (90) 19 on the protection of personal data used for payment or other related operations (13 September 1990);

-    Recommendation No. R (91) 10 on the communication to third parties of personal data held by public bodies (9 September 1991);

-    Recommendation No. R (95) 4 on the protection of personal data in the area of telecommunication services, with particular reference to telephone services (7 February 1995).

GENERAL COMMENTS ON THE RECOMMENDATION

    The use of computers in medicine serves the interests of the individual and of the community.

    In the first place, computers contribute towards better medical care by automating techniques, reducing the burden on the doctor's memory and facilitating the compilation of medical records. Medical computer systems meet the new demands of specialisation and teamwork by providing quick and selective access to information on the patient and his treatment and thus ensuring continuity in medical care.

    Medical data processing also brings a major improvement to hospital management and in this way it can help to reduce the cost of health care. Computers have many uses in recording the admission, transfer and release of patients, keeping track of diagnostic and therapeutic activities, medication, laboratory analyses, accounting, invoicing, etc.

    Lastly, medical data processing represents an indispensable instrument for medical research and for a policy of early and systematic diagnosis and prevention of certain diseases.

    Accordingly, personal health data appear in many files which can be recorded on a computer. The holders of these files vary: the attending physician, the hospital doctor, the school doctor, the works doctor, the doctor of an insurance company, the hospital administrator, social security offices, etc.

    Usually the recording of medical data occurs in the context of the doctor-patient relationship. It takes the form of a medical record to be used in making the diagnosis and in supervising and treating the patient. In the context of this confidential relationship freely chosen by the patient, the information is obtained with the patient's consent by the doctor or a member of the medical team who is required to observe confidentiality under the rules of professional ethics.

    Health records may also be established outside the context of the doctor-patient relationship and may include data concerning perfectly healthy persons. The recording of information is sometimes imposed by a third party, perhaps even without the explicit consent of the data subject.

    The quality and integrity of information is extremely important in matters of health. At a time of increasing personal mobility, the exchange of accurate and relevant information is necessary for the individual's safety. Furthermore, the development of medical science

depends on a transborder flow of medical data and the setting up of specialised information systems over considerable geographical distances (such as the Eurotransplant organisation for the transplantation of human organs).

    The needs which medical data processing systems have to satisfy are often contradictory. Information must be readily available to duly authorised users whilst remaining inaccessible to others. The obligation to respect the patient's privacy places certain restrictions on the recording and dissemination of medical data, whereas the right of each individual to health implies that everyone should benefit from the progress made by medical science thanks to intensive use of medical data.

    Certain of the contents of medical files may harm the patient if used outside the doctor-patient relationship. Medical data belong to the most intimate personal sphere. Unauthorised disclosure of personal medical data may therefore lead to various forms of discrimination and even to the violation of fundamental rights.

    In view of these problems, it has become highly desirable that the operation of every automated medical file should be subject to a specific set of regulations. The general purpose of these regulations should be to guarantee that medical data are used not only so as to ensure optimum medical care and services but also in such a way that the data subject's privacy and dignity are fully respected.

    Although such regulations will be adopted by authority of the person or body in charge of each data file (hospital management, faculty of medicine, etc), it is desirable that they should follow a common pattern and conform to general principles of data protection.

    It appears advisable that the framework for these regulations should be European in scale. There are two reasons for this.

    First, such a European framework will be best suited to the international mobility of people and to international exchanges in the field of medicine.

    Secondly, national data protection legislation - including protection of medical data - is being harmonised at the European level, on the basis of two resolutions of the Committee of Ministers of the Council of Europe, one of which, adopted in 1973, has laid down data protection principles for the private sector, while the other, adopted a year later, has given

similar principles for the public sector See footnote 2 . Moreover, in September 1980 the Committee of Ministers adopted a Convention on data protection See footnote 3 , which was opened to signature on 28 January 1981 and which became effective on 1 October 1985. Article 6 of this Convention stipulates special safeguards for sensitive personal data, which specifically include information relating to health.

    In 1990 the Council of Europe's Committee of Experts on Data Protection concluded that Recommendation No. R (81) 1 on regulations for automated medical data banks, whose preparation had commenced in 1976, was no longer in keeping with the rapid development either of medical science or of technology.

    Furthermore, since the Recommendation was adopted the Convention had been signed and implemented and various other sectoral recommendations had been drawn up. It was therefore agreed to carry out a revision of Recommendation No. R (81) 1.

    It fell to a working party which had been set up for the purpose by the Committee of Experts on Data Protection to examine current problems raised by data protection in the medical sector. The working party, chaired by Mr M. CAPCARRERE (France), met on seven occasions between February 1990 and July 1992 to "examine the data protection problems created by medical data, including genetic data and data relating to contagious or incurable diseases".

    Using the same approach as for the drafting of the previous sectoral recommendations, the experts adapted the rules embodied in the Convention so as to give them specific application to the protection of medical data.

    In accordance with the principle laid down in Article 6 of the Convention to the effect that "health data" are classified among the special categories of data covered by that provision, the experts have found it necessary that the collection and processing of such data should be attended by appropriate guarantees and safeguards in respect of the data subjects.

    The definition of appropriate guarantees thus formed the bulk of the working party's activities, which concerned information to the data subject prior to data acquisition, securing the data subject's informed and express consent, and the special case of medical research.

    The draft produced by the Working Party was examined by the Project Group on Data Protection in September 1992; it was subsequently revised by the Bureau of that Project

Group in November 1992, and in January, March, and September 1993. The Project Group, chaired by Mr. K. CHALAZONITIS (Greece), examined it again in May and October 1993.

    In March 1994 the Steering Committee on Bioethics (CDBI) and the European Health Committee (CDSP) gave their opinions on the draft Recommendation.

    These opinions were examined by the Bureau at its meeting from 22 to 25 March 1994 and proposals to modify the text were made.

    These proposals were examined by the Project Group, under the chairmanship of Mr J.P. WALTER (Switzerland), in June and October 1994.

    The revised text of the draft Recommendation was approved by the Project Group on 14 October 1994, together with this Explanatory Memorandum.

    On 5 December 1994 the draft Recommendation and Explanatory Memorandum were approved by the European Committee on Legal Co-operation, and presented to the Committee of Ministers.

    The Committee of Ministers passed on the draft to the European Health Committee for a second opinion, which was given on 6 July 1995.

    In the light of the observations made by the European Health Committee on the one hand, and by the Commission on behalf of the European Community on the other, the Project Group revised the draft during its 30th and 31st meetings (November 1995 and June 1996).

    The draft Recommendation, thus revised, was approved by the Project Group on Data Protection on 7 June 1996, as was the revised Explanatory Memorandum.

    On 28 November 1996, both texts were approved by the European Committee on Legal Co-operation.

    On ...., Recommendation No. R (..) .. on the protection of medical data was adopted by the Committee of Ministers.

DETAILED COMMENTS ON THE RECOMMENDATION

Preamble

    The Preamble contains the considerations which have led the Committee of Ministers to address the Recommendation to the governments of the member States See footnote 4 .

    One of these considerations is that compared to other categories of personal data,

medical data are also being processed automatically by information systems integrated into some medical equipment, as well as outside the health-care sector itself (eg. social security, insurances).

    Because of this wider use of medical data, and with a view to the fact that under Article 6 of the Convention medical data may only be processed if domestic law provides appropriate safeguards, reference is made in this respect to the rights and fundamental freedoms of the individual, and in particular the right to privacy.

    Moreover, the Committee of Ministers was aware that Recommendation No. R (81) 1 on regulations for automated medical data banks, since its adoption more than fifteen years earlier, had been overtaken by the rapid evolution in respect of medical science as well as of computer technology, and had become obsolete.

Operative part of the Recommendation

    The Committee of Ministers recommends first of all that the governments of the member States take steps to ensure that the principles contained in the Appendix are reflected in their law and practice. The wording of this Recommendation is flexible, because it is addressed also to those member States which are not yet Party to the Convention and which

have therefore not yet pledged to take the necessary measures in their domestic law to give effect to the basic principles for data protection.

    Secondly, governments are recommended to ensure wide circulation of the Appendix to the Recommendation to all persons who in their profession are called on to collect and/or process medical data.

    Finally, the Committee of Ministers abrogates the preceding Recommendation on regulations for automated medical data banks. It is clear that the circulation of the present text implies that Recommendation No. R (81) 1 is repealed.

     APPENDIX TO THE DRAFT RECOMMENDATION

1.    Definitions

    The definition of "personal data", which follows the definition in the Convention as interpreted in the Explanatory Report to that Convention, has already been used in many of the sectoral recommendations adopted by the Committee of Ministers in the field of data protection.

    However, with relation to some preceding recommendations, the drafters of the Recommendation considered that in view of the developments in computer technology the element "costs" was no longer a reliable criterion for determining whether an individual was identifiable or not. The definition was also amended to make clear when data could be considered to be anonymous.

    In the absence of an internationally recognised definition, the drafters of the Recommendation opted for the most comprehensive possible definition of "medical data" as it considered the concept of "medical records" in the preceding Recommendation overly restrictive in the context of electronic data processing and saw a need to go beyond the discreet relationship between the doctor and his patient, so as to cover any person likely to keep medical data. It was understood that medical data would equally apply to the past, present and future health of the data subject and to both physical and mental health.

    The drafters of the Recommendation further agreed that under the terms of the Recommendation, "medical data" should also include any information - unless of public knowledge - giving a ready idea of an individual's medical situation, for instance for insurance purposes, such as personal behaviour, sexual life style, life style, abuse of alcohol and nicotine, and consumption of drugs. This was the reason for including in the definition of medical data the words "manifest and close", i.e. clear and direct impact on the health situation.

    In so far as the removal of substances of human origin, or the grafting and the transplantation of tissues or organs have led to the constitution of a medical record, the problem of safeguarding anonymity between the donor and the recipient will be covered by this Recommendation, since it applies also to an individual's past health. Such protection of anonymity between donor and recipient is provided for in general terms in Resolution (78) 29 of the Committee of Ministers of the Council of Europe on harmonisation of legislations of member States relating to removal, grafting and transplantation of human substances.

    When medical data appear together with other information in non-medical files, for example insurance, employment or social security files, the protection measures advocated in this Recommendation apply also to medical data kept in such files. Apart from the medical data kept therein, such files may raise important problems in respect of individual freedoms; such problems have been addressed in Recommendation No. R (89) 2 as regards the employment sector and in Recommendation No. R (86) 1 as regards the social security sector.

    For the purposes of the Recommendation, the drafters of the Recommendation considered that most of the principles should apply to genetic data as well as to medical data. However, since some principles in the Recommendation apply exclusively to genetic data, and in the absence at the time of drafting of a generally accepted definition of "genetic data", they agreed on the definition which appears in Chapter 1. It was understood that this definition did not include the results of an analysis carried out by other means than DNA technology on blood, tissue, hair, sperm, etc., which, however, might produce genetic data when analysed.

    Genetic information may result from phenotypic observations, family history studies and laboratory analyses, including observation of genes closely linked to genes causing disease or of such genes themselves by DNA technology. Such studies may be conducted to diagnose a pathological condition in individual patients, to evaluate the possibility of future disease in people who are still healthy, or to assess the risk of a person or couple having offspring with a genetic disorder or disease.

    Genes control many human traits; genetic data are only medical data if they are relevant to health or disease in an individual or his relatives.

    However, following the mandate they had received, the drafters of the Recommendation worded the definition in such a way that genetic data are also covered which are not considered to be medical data in the Recommendation.

    Genetic data are collected and stored for prevention, diagnosis, treatment, genetic counselling and risk evaluation as well as for research purposes. As genetic disorders by their very nature are heritable, their presence has implications for all blood relatives, both present and future.

    Distinctions can be made between the following categories of genetic data:

    Phenotypic data refer to observations of inherited normal traits, symptoms or signs in a single individual. These observations include clinical observations made by a physician or a physician/geneticist as well as the results of laboratory analyses that can detect inherited or genetically influenced characteristics. Records of phenotypic data relevant to disease are kept in physicians' files and may also be stored in various categories of registers such as driving licence registers or registers kept for research purposes.

    Data in physicians' records or registers are genetic data only if they refer to genetically determined, or genetically influenced, traits.

    Medical history data are in some cases genetic data, namely where information about a given individual indicates that she or he has had symptoms or signs that may reflect the presence of mutant genes.

    Family data comprise information about a person's parents, uncles, aunts, grand-parents, brothers, sisters, children, as well as more distant relatives. Family data are genetic data only to the extent that the disease or trait in a given person is known to be genetically determined or genetically influenced, or if the occurrence of a trait or disease is such that in

the given family(ies) it appears to be inherited or influenced by genes, even if it had previously not been suspected that the trait or disease could be of a genetic nature.

    Family data also comprise information about marriages between related persons and information about numbers of offspring, stillborn children and abortion. Family data are essential for genetic analyses or normal traits as well as diseases. Records of family data are kept in physicians' files, in medical registers for use in the future in connection with genetic counselling or diagnosis, even in coming generations, or in research registers.

    Genotypic data comprise information about specific genes at given gene loci in single persons and their relatives. Genotypic data may be the results of phenotypic observations of an individual and his/her relatives. Today, genotypic data may be the results of DNA analyses.

    Genotypic data include information that a given person is a healthy, heterozygous carrier of a recessive gene which in the homozygous state would cause serious disease, or of an X-linked gene (in a healthy female) which in a male could cause disease (because males have only one X chromosome).

    Genotypic data may refer either to normal traits or to diseases that are inherited or where a genetic predisposition is of importance (the latter would be the case with several common disorders).

    Genotypic data relevant to disease will be recorded in physicians' files, in genetic registers for future use in connection with genetic counselling or genetic diagnosis, or in research registers.

    Genotypic data may be stored in police files if they have been obtained in connection with a crime. Genotypic data may also be recorded in institutions for forensic medicine. This may be the case also for genotypic data obtained in connection with paternity cases. In the last instance, data could also be stored in governmental offices involved in protecting the interest of the children in paternity cases.

    Genetic information amounting to "genetic data" may also be found in adoption registers, twin registers, published books of a genealogical or biographical nature and many other places. The drafters of the Recommendation underlined the importance of the meaning given to the term "genetic data" in the Recommendation.

    The collection and processing of genetic data involves the storage of data concerning third parties. These third parties may be constituted by members of the data subject's genetic line or collateral relatives or members of his social family. The drafters agreed to accord an intermediate status to members of the data subject's genetic line so as to distinguish them

from third parties in the strict sense of the term and to grant them a hybrid legal protection; they worded the definition of a "genetic line" accordingly.

2.    Scope

    It should be recalled that Article 6 of the Convention stipulates that personal data concerning health may not be processed automatically unless domestic law provides appropriate safeguards. Under the Convention, therefore, it is for Contracting States to provide appropriate safeguards for the protection of individuals in cases where data relating to health are processed in automated files not covered by this Recommendation.

    Like the Convention, which draws no distinction between the public and private sectors, this Recommendation applies to files of medical data in both sectors, since they must meet the same requirements and since there is a frequent transfer of data between the two sectors.

    The Recommendation refers on several occasions to "health-care professionals". The drafters of the Recommendation intended this expression to apply to all those persons who, in the exercise of their professions, provide medical care for others.

    Having regard to the varied categories of health-care professionals, the drafters of the Recommendation felt that it would be difficult to provide in Principle 2.1 an accurate and exhaustive description of the medical and paramedical personnel who have to collect or process medical data. For example, in certain States social workers would not fall within the category of health-care professionals but might in other countries. The drafters therefore held that the Recommendation should apply to any person or body either routinely or occasionally processing medical data by automated means, whether or not for a legitimate reason.

    In practice, this means that the principles are applicable to the collection or the processing of medical data for the purpose of medical treatment, the assessment of the health situation or the fitness of a person (eg. for employment, school-attendance, national service), preventive care, health consultation, scientific research, rendering social assistance or reimbursement of insurances, as well as for the purpose of identifying an individual.

    Consequently, since Article 6 of the Convention requires appropriate safeguards for the automatic processing of medical data, the drafters of the Recommendation agreed that the related principles should also apply to situations where medical data are processed for research purposes (Recommendation No. R (83) 10), in the social security sector (Recommendation No. R (86) 1) and the employment sector (Recommendation No. R (89) 2).

    The drafters of the Recommendation were nevertheless aware of the fact that in some member States domestic law also provides for the collection and processing of medical data in certain sectors other than the health sector, and stipulates appropriate guarantees for this purpose. Consequently Principle 2.1 permits such States not to apply the Recommendation

to the collection and processing of medical data in those non-medical sectors where national legislation offers other appropriate safeguards for the protection of privacy, in accordance with Article 6 of the Convention.

    In accordance with the definition of "automatic processing" given in Article 2 of the Convention, automatic processing within the meaning of the Recommendation comprises storage of data, carrying out of logical and/or arithmetical operations on those data, their alteration, conservation, erasure, retrieval or circulation. However, as was noted in paragraph 30 above, automatic processing of medical data might imply the use of information systems other than computers.

    Like Article 3 para. 2.c. of the Convention, Principle 2.2 of the Recommendation enables any member State to apply the provisions to medical data which are not processed automatically.

    On the other hand, States should not allow medical data to be processed by other means simply in order to exclude them from the scope of the Recommendation.

3.    Respect of privacy

    In conformity with Article 6 of the Convention, the Recommendation acknowledges that medical data require even more protection than other non-sensitive personal data. Hence the requirement in Principle 3.1, which does not appear in other sectoral recommendations, that for the collection and processing of medical data not only respect of the right of privacy be guaranteed, but also the other rights and fundamental freedoms which might be put at risk, eg. during the collection of the medical data. As indicated in paragraph 64 above, the term "processing" also includes the conservation of data.

    For those reasons, Principle 3.2 recalls the requirement in Article 6 of the Convention for appropriate safeguards in the law insofar as the various stages of collection and processing of medical data are concerned.

    It should be noted that Principle 3.2 requires such safeguards for the collection of medical data as well. With regard to the processing of such data, it should be recalled that in the terms of the definition (see paragraph 64 above), these safeguards shall be provided for storage of medical data, for their modification, conservation, extraction, diffusion etc.

    As one of such safeguards, Principle 3.2 underlines that in principle only health-care professionals, bound by rules of confidentiality, should collect and process medical data, or where necessary persons acting on behalf of health-care professionals, as long as such persons are subject to the same rules.

    As pointed out in paragraph 61 above, the drafters of the Recommendation recognised, however, that in certain member States other professionals, not directly responsible for health care, could collect and process medical data. The third sub-paragraph of Principle 3.2 provides

for this possibility, but only on the condition that this category of professionals must abide by confidentiality rules comparable with those imposed on health-care professionals, or that domestic law provides for appropriate safeguards which are as efficient as confidentiality rules, i.e. they are sufficiently efficient to guarantee respect of privacy of the data subject. Principle 3.2 therefore complements Principle 10.4 of Recommendation No. R (89) 2 on the protection of personal data used for employment purposes, which requires that data covered by medical secrecy should only be stored by personnel bound by the rules on medical secrecy.

4.    Collection and processing of medical data

    Once again, with a view to the sensitive nature of medical data, Principle 4.1 recalls the provisions in Article 5 of the Convention: the collection and processing must be fair and lawful, and for specific purposes only. These requirements are elaborated further in Chapter 4.

    The principle of fair collection is made more explicit in Principle 4.2: medical data must, in normal conditions, be obtained from the data subject himself/herself. This principle therefore concerns the "disclosure" of his data by the data subject himself, and not "communication" of medical data by a third party (eg. the doctor).

    It is obvious that this rule cannot always be applied; in such cases other sources of information may be consulted only if this is necessary to achieve the purpose for which the data are to be processed (eg. medical treatment) or if the data subject cannot provide the data himself. But in any case, the collection of medical data must be in accordance with the related provisions in Chapter 4 (see paragraphs 73-104 hereafter), Chapter 6 (Consent, paragraphs 129-142 hereafter) and Chapter 7 (Communication, paragraphs 143-152 hereafter).

    After the provisions indicating how medical data should be collected (Principle 4.1) and from whom (Principle 4.2), Principle 4.3 lays down when medical data may be collected or processed. They may be collected, if provided for by law, where there is a contractual obligation to do so if this is necessary for the establishment of a legal claim or when the data subject has given his/her consent. Principle 4.3 does not constitute a derogation from Principle 3.2, but sets conditions for the legitimacy of the collection or processing.

    Medical data may also be collected from the data subject or from other sources if this is provided for by the law for one of the purposes set out in Principle 4.3.a: public health, the prevention of a real danger or the suppression of a specific criminal offence, or another important public interest.

    When medical data are collected and processed, the appropriate safeguards described in Principle 3 shall be provided by domestic law.

    Furthermore, medical data may be collected and processed if permitted by law for the purposes set out in Principle 4.3.b, for preventive medical purposes or for diagnostic or therapeutic purposes, or to safeguard the vital interests of a data subject, or with a view to respecting specific contractual obligations, or with a view to the establishment, exercise or

defence of a legal claim. In accordance with principle 4.3.c., medical data may also be collected and processed if the data subject has given his/her consent for one or more purposes insofar as domestic law does not provide otherwise.

    Collection and processing of medical data for the establishment, exercise or defence of a legal claim may only be carried out when a specific case occurs, for example a conflict between a doctor and a patient about treatment, allowing the doctor to communicate data to his lawyer in order to defend himself in a lawsuit. Collection "in anticipation" is not lawful.

    The physical or legal incapacity of a data subject to give his/her consent gives rise to a situation where medical data may be collected, processed or communicated to safeguard the vital interests of this person (Principle 4.3.b.ii and 7.3.b.ii).

    When medical data are collected and processed in the context of contractual obligations (Principle 4.3.b.iii and 7.3.b.iii), member States of the European Union will after transposition of the community directive into their national legislation, only be able to make use of this option in the context of labour law; for the other member States of the Council of Europe, these principles may be taken into consideration in other fields, such as sport, training or insurance.

    The drafters of the Recommendation felt that in each of these conditions medical data may be collected and processed if the law including in common law countries, common law or statute, explicitly provides for it. If the law provides for the collection, without giving the appropriate safeguards required under Article 6 of the Convention, in fact a derogation is made under Article 9 of the Convention and the conditions set out in that Article must be respected, i.e. the collection must constitute a necessary measure in a democratic society in the interest of protecting State security, public safety, the monetary interests of the State or the suppression of criminal offences, or of protecting the data subject or the rights and freedoms of others.

    For the purposes of the Recommendation, the authors thought that the expression "the law" should be understood in the sense given to it in the case law of the European Court of Human Rights. In particular, it must be precise, foreseeable and accessible.

    The words "if provided for by law" also cover cases where collection and processing are laid down by law. If medical data may be collected and processed as a consequence of an obligation under the law (eg. in the field of social insurances to obtain invalidity pension, or in the field of prevention of epidemics), the drafters of the Recommendation have trusted the legislator to take account of the other requirements in Article 9 of the Convention, i.e. that the processing constitutes a necessary measure in a democratic society in the interests of protecting State security, public safety, the monetary interests of the state or the suppression of criminal offences, or protecting the data subject or the rights and freedoms of others.

    Medical data may therefore be collected without consent, if the law provides for this, "for the purposes of" (ie. in the interest of) public health; this purpose is in line with the derogation for reasons of public safety in Article 9 of the Convention. It should also be noted that the words "in the interest of public health" include the management of health services.

    The drafters of the Recommendation agreed that medical data could furthermore be collected without consent, if provided for by law for the prevention of a real danger or the suppression of a specific criminal offence. Rather than the terminology used in Article 9 of the Convention, they preferred the wording used in Recommendation No. R (87) 15 regulating the use of personal data in the police sector. Principle 2.1 of this Recommendation excludes an open-ended, indiscriminate collection of data by the police. It expresses a qualitative and quantitative approach to Article 5.c of the Convention which stipulates that personal data must be adequate, relevant and not excessive in relation to the purposes for which they are stored. Given that Article 9.a of the Convention allows a derogation from this principle in regard to the "suppression of criminal offences", Principle 2.1 of the Recommendation attempts to fix the boundaries to this exception by limiting the collection of personal data to such as are necessary for the prevention of a real danger or the suppression of a specific criminal offence, unless domestic law clearly authorises wider police powers to gather information. "Real danger" is to be understood as not being restricted to a specific offence or offender but includes any circumstances where there is reasonable suspicion that serious criminal offences have been or might be committed to the exclusion of unsupported speculative possibilities. Moreover, processing of genetic data for the requirements of legal proceedings or a criminal enquiry is governed by Principle 4.7 (paragraph 95 below).

    Apart from public health, a real danger or the suppression of a criminal offence, there may be other important public interests at stake. Principle 4.3.a.iii permits the law to provide for the collection and processing of medical data to protect such interests.

    It may be that the data subject is not in a position to give his consent. If the law provides for this, the data may be collected and processed to safeguard vital interests of the data subject, or of a third person, i.e. to preserve the physical or mental integrity of either the data subject or somebody else including, in the case of genetic data, a member of the data subject's genetic line. This implies that medical data may be collected and processed without the consent of the data subject for preventive medical purposes, or for diagnostic or therapeutic purposes, with respect to the data subject or to a member of the genetic line, or even a third person, in order to protect an interest which is essential for the data subject's life.

    Principle 4.3 permits also the collection and processing of medical data if they are necessary to respect any obligation arising from a contract, on condition however that domestic law permits it. The authors of the recommendation felt that especially in labour law a contractual obligation or a contractual right should be able to give rise to collection or

processing of medical data, as the data subject had already given his/her consent when the contract was concluded.

    Principle 4.3 also takes account of lawsuits; medical data may be collected and processed without the consent of the data subject if permitted by law and if this collection or processing is necessary for the establishment of a legal right. It should be recalled nevertheless that, by virtue of Principle 4.7, processing of genetic data for the requirements of a legal procedure should be covered by a specific law providing the appropriate safeguards.

    Apart from any legal provision or obligation, medical data may also be collected and processed if the data subject - or his legal representative - has given his consent unless domestic law opposes this. The drafters of the Recommendation were aware that, from the point of view of protection of medical data, consent of the data subject gives fewer guarantees than legal obligations or legal provisions which - by virtue of Article 6 of the Convention - should be accompanied by appropriate safeguards. In Chapter 6 of the Recommendation, the

conditions for such consent and the possible derogations are elaborated further.

    Medical data collected by a health-care professional for preventive medical purposes or for diagnostic or for therapeutical purposes may, after the specific medical care, also be necessary to accomplish other services in the interest of the patient; for example, the chemist will have to supply him with the prescribed medicine, the administrative service of the hospital will have to make out the bill, or the social security services will have to organise the reimbursement of the expenses incurred. The authors of the recommendation felt that the purpose of processing by such "health services" (which do not cover insurance companies acting on a contractual basis) is compatible with the purpose of the collection of these medical data. Principle 4.4 accordingly permits processing of medical data for these health services, on condition that the processing is carried out in the interests of the patient.

    This type of health service may be managed by the health-care professional who collected the medical data, or by someone else. In the latter case, the necessary medical data may be communicated by the health-care professional in accordance with Principles 7.2 and 7.3 (see paragraphs 144 and 145 below).

Unborn Children

    The protection of the medical data of the unborn child, with a view to the protection of its privacy once it is born, raises specific questions, of in particular, an ethical nature, which are beyond the scope of this Recommendation.

    When drafting principles 4.5 and 4.6, the principal concern of the drafters of the Recommendation was not to establish parental authority, but rather to ensure that a child's medical data were not "public" at the time of its birth.

    In the absence of a generally accepted legal rule on when an unborn child can be considered to be a person, the drafters of the Recommendation were of the opinion that measures should be taken to ensure the protection of the medical data of a child which had been collected and processed before its birth, and that therefore the unborn child should be protected in a way similar to the protection of the medical data of a child after its birth. For

example, this may be achieved by considering data of the unborn child to be the personal data of the mother. This requirement is confirmed in Principle 4.5.

    Following the trend in family law in the member States, the drafters of the Recommendation concluded in Principle 4.6 that unless domestic law provides otherwise, the holders of parental responsibilities of the future child should be entitled to act on behalf of the unborn child as a data subject.

    It was understood that in the exercise of the rights of access to and rectification of the medical data of the unborn child, the interests of the mother must be duly taken into account.

Genetic data

    In spite of the specific nature of genetic data (see paragraphs 41-58 above), the drafters of the Recommendation considered that the conditions for their collection and processing should be the same as those for the collection and processing of medical data, set out in Principle 4.3.

    In this connection, the drafters of the Recommendation were aware that the collection and processing of genetic data may be necessary in the interests not only of the protection of public health, but also the promotion of public health, since genetic analyses might reveal health risks for future generations. They were aware, however, that this possibility to derogate should not lead to a proliferation of genetic data banks, or an abuse of genetic data.

    Principle 4.1, inspired by Article 5 of the Convention, implies that genetic data may only be processed for purposes compatible with the purposes for which they were collected, and on the same conditions. The drafters of the Recommendation did not include a requirement that genetic data should not be used for artificial modifications of the genetic heritage of data subjects, cloning or the selection of individuals since such requirement would seem to be outside the scope of the Recommendation, and, in any case, be covered by the principle of compatible purposes.

    Genetic data collected and processed for diagnosis or medical or preventive treatment or for scientific research purposes, should only be used, in the first instance, for these specific purposes or to enable the data subject to take a decision whether or not to undergo treatment; the same principle applies when the data were collected with a view to procreation. Principle 4.7 is a logical consequence of the general principle of purpose specification; to use or re-use such data for other purposes should not be allowed. Principle 4.7 also applies when genetic analysis is carried out to establish whether a person can procreate without risk to the health of his/her future children. In this respect, Principle 4.7 does not aim at establishing an

ethical norm on whether or not procreation should be preceded by genetic analysis; the principle merely requires that if genetic data are collected for that purpose in accordance with domestic law or the existing ethical standards, they may only be used to facilitate the data subject's decision.

    In defining Principle 4.7 the drafters of the Recommendation paid special attention to the use of genetic data for scientific research; in this context they confirmed that such research would be ruled by Chapter 12 "Scientific research". It was agreed that secondary use for scientific research of genetic data which had been collected for other purposes would not be incompatible with these initial purposes, as long as the conditions in Chapter 12 would be respected, and in particular Principle 12.2 (see paragraphs 200-209 hereafter) and Principle 12.3 (paragraph 209).

    Principle 4.7, which applies to scientific research in general, is followed by two principles aimed more specifically at situations where genetic analysis may be carried out with a specific aim.

    Although the analysis of deoxyribonucleic acid (DNA) within the framework of criminal justice is regulated in Recommendation No. R (92) 1, adopted by the Committee of Ministers on 10 February 1992, the drafters of the Recommendation considered it useful to include in this Recommendation a provision on the protection of genetic data processed for the purpose of criminal investigations, which also covers analysis of such data for the requirements of judicial procedures.

    The expression "judicial procedure" is not used in the same way in member states. The drafters of the Recommendation wished Principle 4.8 to apply to any procedure before the courts, whether initiated under civil or criminal law, where the judicial proceedings may have recourse to genetic analysis of one or more persons.

    Consequently, Principle 4.8 requires a specific law for the processing of genetic data for judicial procedures and criminal investigations. By "specific law" is understood either a specific provision of the data protection Act, or a specific provision in penal law, as long as they refer to the use of genetic data for the purpose of criminal investigations. This requirement is a logical consequence of Article 6 of the Convention which imposes appropriate safeguards in domestic law for the processing of any sensitive data. The principle of compatibility of purposes also applies here: data collected and processed in the framework of judicial procedures and criminal investigations shall only be used for the original purposes and not for other purposes, in particular not to determine other characteristics of the data subject (see paragraph 78 above).

    The second paragraph of Principle 4.8 is intended to define these purposes. Genetic data processed for the needs of a judicial procedure - for example a paternity suit - should only be used to establish whether or not there is a genetic link between the child and the

alleged father. In the same way, in a criminal investigation genetic data should only be used in order to prevent a real danger or suppress a criminal offence.

    It was considered that the proof of guilt or innocence, even on the basis of evidence supplied by genetic analyses, would be beyond the scope of this Recommendation.

    Principle 4.9 aims at regulating the use of genetic data for purposes other than diagnosis, therapeutic or preventive treatment, scientific research or criminal investigations. This use can only be allowed in principle for health reasons and to avoid every serious risk for the health of the data subject or for a third person. However, in the case of the collection and processing of genetic data in order to predict illness, the Recommendation requires the existence of an overriding interest and appropriate safeguards provided for by law in view of the various risks inherent in the collection and processing of genetic data, in particular the risk of discrimination (as far as reference to law is concerned, in view of the case law of the organs of the European Convention on Human Rights, see paragraph 75 of the present explanatory memorandum).

    It should be recalled that the conditions for lawfulness laid down in Principle 4.3 also apply to the collection and processing of genetic data.

    Principle 4.10 adds a supplementary condition for genetic data to be collected and processed: the purpose of collection and processing must be health protection and in particular the prevention of any serious harm to the data subject or a third person.

    The drafters of the Recommendation emphasised that a candidate for employment, an insurance contract or other services or activities should not be forced to undergo a genetic analysis, by making the employment or the insurance dependent on such analysis, unless such dependence is explicitly provided for by law and the analysis is necessary for the protection of the data subject or a third party (eg. work with dangerous substances).

    Principle 4.9 is even more specific with regard to the collection and processing of genetic data with a view to predicting illness. Such data may be collected and processed if the interest in doing so overrides the data subject's interest in not having his genetic data collected and processed (for example, a collective interest) and if domestic law has provided appropriate safeguards.

    It was understood that such overriding interest should be in accordance with the related criteria set out in Principle 4.3.

5.    Information for data subjects

    One of the means to ensure that medical data are obtained and processed fairly and lawfully, as required under Article 5 paragraph a of the Convention, is to inform the data

subject whose data are collected of a number of elements. These elements are listed in Principle 5.1.

    It is obvious that such information is indispensable when the data subject is required to give his "informed" consent (see paragraph 130 hereafter).

    But even in cases where his consent is not required - i.e. when the collection and processing of medical data follow an obligation under the law or under a contract, are provided for or authorised by law, or when the consent requirement is dispensed with - the Recommendation provides that the data subject is entitled to relevant information. Although the drafters of the Recommendation agreed that as a general rule Principle 5.1 should be strict, they admitted two kinds of derogation. First of all, Principle 5.6 allows for derogations to be made for certain reasons of public interest, for protection of the data subject or a third person, or in medical emergencies. Secondly, information on the various elements listed under a, b, c and d has to be supplied only in as far as relevant (see paragraphs 115, 116 and 124 hereafter).

    Principle 5.1 identifies the following elements on which the data subject must be informed:

a.    the existence of a file containing his medical data, and the type of data collected or to be collected.

    In most cases, it may also be necessary to collect other personal data from the data subject than medical data.

b.    the purpose or purposes for which the data are or will be processed;

    Apart from medical purposes, the data may have to be processed for other purposes, eg. for reimbursement of expenses, for research or for statistics.

c.    where applicable, the individuals or bodies from whom the data are or will be collected.

    Principle 4.2 provides for the possibility to obtain medical data from other sources.

d.    the persons or bodies to whom and the purposes for which they may be communicated;

    Apart from health-care professionals, other professionals, eg. chemists, social security officials, and family members or legal representatives may have to be informed of certain medical data for specific purposes.

e.    if there are any, the possibilities for the data subject to refuse his consent, to withdraw it, and the consequences of such withdrawal.

    If the data subject has the possibility to refuse or withdraw his consent, it is clear that any such refusal or withdrawal can only apply to his own medical data. It should also be made clear that the obligation to inform the data subject in no way prejudices the existence of the right to refuse or withdraw consent.

f.    the identity of the file controller and, where appropriate of his/her representative as well as the conditions under which the rights of access and of rectification may be exercised.

    In accordance with Article 8, paragraph a, Principle 5.1 requires that the data subject be informed of the identity of the person responsible for processing his/her medical data, or of his/her representative.

    These conditions for the exercise of rights of access and rectification are laid down in Chapter 8 of the Recommendation.

    According to Principle 5.2 the information should be provided before the data are collected. This is not always possible, eg. when the data cannot be collected from the data subject himself. In such cases he must at least be informed, as soon as possible, that his data have been collected and, in so far as necessary and possible (eg. the data subject is already aware, or is not in a position to understand), the relevant elements listed in Principle 5.1 must be provided.

    The drafters of the Recommendation agreed that it was left to each member State to determine ways and means to supply the information.

    Information on the elements above may be partly of a general nature, i.e. some information applies to all patients who are treated by a given health-care professional or in a given health-care institution. For instance, the public at large should be given general notice in advance of any plans involving the introduction of automatic processing systems for medical data. Such "collective" information may be given by the most efficient and practical means, eg. on posters, in leaflets or in public registers.

    Other parts of the information may concern the health situation of a given individual, i.e. apply only to the patient and his particular medical data. In such cases Principle 5.3 requires that sort of information to be appropriate and adapted to the circumstances and in accordance with the rules of deontology. The information and the method of supplying it should then be specially aimed at the individual and his capacities to understand it: the information must be "individualised", and preferably be given to each data subject individually.

    In the same way, the relationship of trust between the patient and his doctor may have consequences for the content and form of the information. "Information ... appropriate and adapted to the circumstances" also takes account of this relationship, and provides, for example, that the doctor should give supplementary information if his patient requests it.

    The drafters of the Recommendation underlined, however, that any relevant information, whether provided collectively or individually, was equally important, and should in all cases be appropriate.

    The drafters of the Recommendation also acknowledged that on some occasions the data subject may not have to be told some or all of the elements referred to in Principle 5.1, either because these elements are obvious to him from the context in which the medical data are collected, without the need for further explanation, or because he has already been properly informed of these elements on a previous occasion.

    "Information ... adapted to the circumstances" can imply that the requirement of information may partly be waived in respect of certain elements, if the health-care professional in charge of the treatment believes that knowledge of any of these elements might harm the person whose data are to be collected. In such a case he may either postpone the information, or supply it through another medical doctor, designated by the patient. The drafters of the Recommendation saw no need to include a specific principle on this possibility.

    All these provisions, however, only allow the right to information to be adapted, not to restrict the information.

    The data subject need not be informed by the actual person in charge of processing the data. However, the person in charge of the medical treatment should ascertain himself that the patient has had the opportunity to obtain in particular the "individualised" information. The drafters of the Recommendation were aware of the difficulties which the medical doctor might meet in practice; they agreed therefore that he should see to it that the data subject has had access to the information, unless this is manifestly unreasonable or impracticable.

    A genetic analysis may produce other results than the information sought; such unexpected findings, ie findings which are not causally linked to the aim of the analysis, may cause harm to the data subject, or he might prefer not to know them. Moreover, the drafters of the Recommendation felt that developments in genetic research are too recent and too significant to expect the uninitiated to be as familiar with the potential results as with those of a traditional medical examination. Principle 5.4 recommends therefore prior information of the data subject on the objectives of the genetic analysis, and on the possibility of finding more. If necessary, this information may be deferred.

    As indicated in paragraph 41 above, blood tests are not in themselves genetic analyses. The drafters of the Recommendation thought that establishing the Rhesus factor should not be considered as an analysis of the human genome, to which Principle 5.4 applies.

    It is clear that information can only be supplied to persons capable of understanding; Principle 5.5 provides for the information to be given to the person legally recognised to act in the interests of a data subject who is legally incapacitated.

    Under "legally incapacitated persons" the drafters of the Recommendation understood any person whose situation gives rise to his/her consent being defective under domestic law.

    However, in some member States domestic law permits certain incapacitated persons to act on their own behalf if they are capable of free decision (eg. on medical contraception). In such cases, Principle 5.5 allows the information to be given to the data subject himself.

    The drafters of the Recommendation felt that the "information ... appropriate and adapted to the circumstances" required in Principle 5.3 should apply equally to de facto incapacitated adults. Rather than create a supplementary category of derogations from the right to information, with the risk of abuse, the drafters wished to place confidence in health-care professionals.

    The Recommendation encourages the provision of information to legally incapacitated persons who are, however, capable of understanding it; as will be seen in Principle 6.4, account should be taken of the opinion which such persons express, unless this is contrary to domestic law.

    As pointed out in paragraph 107 above, the drafters of the Recommendation acknowledged that under certain conditions medical data could be collected without informing the data subject of each of these elements. These conditions are listed exhaustively in Principle 5.6 of the Recommendation. The drafters agreed that such derogation from the information requirement could not be made when access to the data was refused, limited or delayed (see paragraph 156 hereafter).

    It was emphasised, however, that any derogation would in general only apply to the requirement of information prior to the collection of data; to the extent possible the obligation to inform the data subject after the collection would remain valid, as would the general obligation to obtain his consent before processing the data.

    In the spirit of Article 6 of the Convention, which requires appropriate safeguards for the processing of medical data, the drafters of the Recommendation in respect of the requirements of individualised information and consent (see also paragraph 133 hereafter) narrowed in Principle 5.6.a the possibilities for making derogations and restrictions which are otherwise allowed under Article 9 of the Convention. In this way such derogations and restrictions are allowed only if provided for by law, and if this constitutes a necessary measure in a democratic society to prevent a real danger or to suppress a specific criminal offence (cf. paragraph 78 above), to protect the data subject or the rights and freedoms of others, including relatives of the data subject, or for reasons of public health (see paragraph 77 above).

    It may be in the interest of the data subject if in emergencies those medical data which the health-care professional considers necessary for treatment are collected and processed before he is informed of this collection (Principle 5.6.b).

    Subject to paragraph 119 above, it should be emphasised that Principle 5.6 does not permit derogation from the right to information before collection of genetic data laid down in Principle 5.4; indeed, the drafters of the Recommendation felt that collection of genetic data should always be preceded by information of the data subject, unless the urgency of this collection requires the deferment of information.

6.    Consent

    One of the conditions on which medical data may be collected and processed is that the data subject has given his consent in so far as he is capable of doing so. As these data are regarded as sensitive data within the meaning of Article 6 of the Convention, Principle 6.1 requires that the consent be " free, express and informed". It may be obtained in coded form (as with plurifunctional cards, for instance).

    Free, express and informed consent given in writing is a requirement laid down in the Recommendations on data protection in other sectors; for the processing of medical data, such consent need not be written; it can also be given orally, or by means of a recording, provided that the desired purpose of authenticating the data subject's agreement is achieved.

    Consent is "informed" if the data subject is informed in particular of the purposes involved and the identity of the data controller. Consent is "free" if the data subject has the possibility to refuse his consent, to withdraw it or to modify the terms and conditions of his consent.

    The drafters of the Recommendation were aware that the principle of free consent implied the possibility of withdrawal. However, it was accepted that a provision on the possibility for the data subject to withdraw his consent at any time would lead to too many practical problems (e.g in a fully automated hospital). It should be clear, however, that if domestic law makes social benefits dependent on the processing of medical data, the data subject must accept that withdrawal of his consent might imply the loss of these benefits.

    The drafters of the Recommendation also acknowledged that under certain conditions medical data could be processed without the data subject's free, express and informed consent. These conditions are listed exhaustively in the Recommendation.

    As regards the collection of medical data in the course of a consultation or treatment for preventive, diagnostic or therapeutic purposes by a doctor, and which the data subject has freely chosen, the drafters of the Recommendation felt that the consent of the patient need

not be expressed if the data were indeed to be processed only for the provision of care to the patient. Principle 4.3.b.i. provides the legal basis for processing medical data in the context of the management of a medical service operating in his/her interest (see paragraph 84 above).

    The observations made under paragraph 134 also apply to the auxiliary staff of the person in charge of the treatment, eg. nurses and secretaries, and members of other health-care professions who assist the attending physician (radiographer, scanner-operator).

    Principle 6.2 provides that after genetic analysis the data subject should only be informed of the results in so far as these correspond to the objectives of the consultation, of the diagnosis, or of the treatment, unless the data subject himself has asked for more information (see Principle 8.4 hereafter). In other words, the content of the consent is decisive for access to the results of the analysis (see paragraph 164 hereafter).

    Principle 6.3 provides that if a legally incapacitated person cannot decide freely, nor act on his own behalf, consent for the processing of his or her medical data must be given by the person legally entitled to act in the interest of the incapacitated data subject or by any other authority, body or person designated by the law.

    Up to the age of legal capacity, the parents of a minor are legally competent to fulfil the required conditions of consent on his behalf. Where there are no parents, the court appoints a guardian to perform this function. The same applies to any other person or body recognised by domestic law as being legally competent to manage the affairs of the minor.

    As to adults de facto incapable of giving their consent, eg. for reasons of mental illness, the drafters of the Recommendation considered that the national legal systems or courts should appoint a legal representative or other authority, body or person able to give consent on behalf of the incapacitated person.

    Consent by the legal representative or other authority, body or person designated by law, can only be given instead of the consent required from the data subject, and on the same conditions.

    However, if in accordance with Principle 5.5, the incapacitated person has been informed (see paragraph 122 above), his wish to accept or not collection and processing of his medical data should be taken into account unless this is contrary to the law.

    In medical emergency situations, medical data may be collected and processed even without the consent of the data subject. This follows from Principle 4.3, sub-paragraph a.iv (see paragraph 80 above). However, the drafters of the Recommendation underlined that any decision to proceed to the collection and processing of medical data without consent of the data subject should not be taken for reasons of interest to persons other than the patient. For example, a decision to disclose health data for medical research purposes should not be taken by the researchers themselves; an independent third party should be found, for instance a

family member. Furthermore, it is clear that in such situations only those data may be collected and processed which are necessary for the medical treatment, and only as long as the data subject is not able to give his consent.

    The drafters of the Recommendation agreed that there was no need for a special principle dispensing explicitly the person in charge of medical treatment from the requirement to seek consent when this might cause serious harm to the data subject. The consent is dispensed with by virtue of Principle 4.3.b.i.

    Moreover, Principle 5.6 allows information to be withheld from the data subject for his own protection; any consent required in such circumstances would therefore not be "informed".

7.    Communication

    It is obvious that medical data, one of the categories of sensitive data for which the Convention requires special protection, should not be communicated outside the medical context in which they were collected, unless they are made anonymous (in which case the data no longer fall under the definition of personal data).

    There are however certain circumstances under which relevant medical data must be disclosed to other persons or bodies which, while not in charge of the medical treatment of the data subject, act otherwise in his direct interest (eg. social security services), or are in charge of medical research. In the latter case, the provisions under Chapter 12 apply as well as the provisions in this Chapter. Principle 7.3 defines four alternative conditions for such disclosure.

    As is clear from Principle 7.3, medical data may be communicated under certain conditions and also outside the medical sector. However, Principle 7.2 introduces, as one of the appropriate safeguards referred to in Article 6 of the Convention, the preliminary condition that such communication may only be made to persons bound by confidentiality, unless the domestic law provides for other safeguards. The rules of confidentiality are, for the medical sector, medical secrecy, or comparable rules for other sectors. In all cases, the person who receives the data should be subject to the principles of the Recommendation.

    Principle 7.3 permits communication of medical data insofar as they are relevant to attaining the objective for which they are communicated, even without the knowledge of the data subject and even for a purpose other than that for which the data were collected. The drafters of the recommendation have consequently taken care to specify the four alternative conditions under which such communication may take place.

    First of all, the drafters of the recommendation based paragraph a on the conditions imposed in Article 9 of the Convention for any derogation from the protection of sensitive data. Communication of medical data may therefore take place if it is provided for by law and

constitutes a necessary measure in a democratic society for one of the following objectives:

a.    reasons of public health (for example, in the case of contagious diseases);

b.    protection of the data subject him/herself (for example, where communication is clearly in his/her own interest);

c.    protection of a member of the genetic line (for example, where the results of a genetic analysis point to a serious risk for another member of the genetic line); cf paragraph 151 below);

d.    protection of the rights and liberties of others if respect of these rights and liberties clearly overrides the interests of the data subject (for example, in the case of contagious disease);

e.    respect of contractual obligations with regard to labour law (for example, in cases of sickness of the employee);

f.    prevention of a real danger or suppression of a specific criminal offence (for example, the search for a wounded criminal in a hospital; see also paragraph 78 above);

g.    any other important public interest (for example, State security).

    The drafters of the Recommendation agreed that the expression "measure which is necessary in a democratic society" permits communication in the case of an interest which overrides that of the data subject.

    Secondly, medical data may be communicated if such communication is necessary for the proof, exercise or defence of a right in court. As this concerns communication of sensitive data, in the interest of a third person, without the knowledge of the data subject and for purposes incompatible with those of collection, the drafters of the recommendation emphasised that the proof, exercise or defence of a right in court shall prevail over the right to privacy of the data subject.

    The physical and legal incapacity of a data subject to give his/her consent gives rise to a situation where medical data may be collected, processed or communicated to safeguard the vital interests of this person (Principle 4.3.b.ii and 7.3.b.ii).

    With regard to collection of medical data in the context of contractual obligations (7.3.b.iii and 4.3.b.iii), member States of the European Union may only use this option in the context of labour law; in other member States of the Council of Europe these principles may be taken into consideration in other fields, such as sport, training or insurance.

    Thirdly, medical data may be communicated if the data subject - or his/her legal representative - has given his/her consent and domestic law does not provide otherwise. By virtue of Principle 6.1 this consent should be free, express and informed (ie be preceded by prior information as required in Principle 5.1); consent is not required when the conditions described in Principle 7.3.d. are fulfilled.

    Consent may be given for a clearly defined purpose, or the communication may be made for several purposes at once, for example for medical research in general. It should be noted that such communication, based on consent, is not necessarily accompanied by the appropriate guarantees required by Article 6 for communication in accordance with domestic law.

    Such communication is, however, dependent on domestic law to take account of member States where medical secrecy rules exclude any disclosure of medical data by health- care professionals, even if the data subject consents. Such rules vary from one State to another.

    Fourthly, medical data may be communicated where the following cumulative conditions have been fulfilled:

a.    the data subject (or his/her representative) has not opposed the communication (which is not obligatory);

b.    domestic law is not opposed to it;

c.    the data had been collected in a preventive, diagnostic or therapeutic context freely chosen by the data subject;

d.    the purposes of communication and preceding processing are not incompatible. The drafters of the recommendation felt that such compatibility exists where the data are communicated for treatment of the patient, or to manage a medical service acting in his interest (see paragraph 84 above).

    The drafters of the Recommendation acknowledged that the questions raised by disclosure of genetic data would seem to be of an ethical nature and beyond the scope of this Recommendation. From the point of view of protection of personal data they considered that the person subjected to a genetic analysis should be encouraged to advise the other members of his genetic line to ask for genetic consultation when the resulting information needs confirmation or reveals the existence of a serious risk for their health.

    Furthermore, and depending on national legislation and professional rules of conduct, if the health of a blood relative (on the mother's or father's side) is exposed to a serious and imminent risk, the health-care professional involved should be allowed to inform that member, even if the person subject to the original genetic analysis refuses to given his consent or his consent cannot be obtained. The data subject should be informed of this.

8.    Rights of the data subject

    One of the most important principles in the field of data protection, confirmed in Article 8 of the Convention, is the right of every person to know the information about him stored by other persons.

    In the medical field there are three main obstacles to the application of this principle. On the one hand, it may be extremely detrimental to the treatment of a patient if he is given the full facts about his case. Secondly, medical information as such may make little sense to

the layman. And thirdly, medical data, and in particular genetic data, may concern also persons other than the data subject.

Rights of access and rectification

    Principle 8.1 summarises, in respect of medical data, the provisions under Article 8, paragraphs a and b, of the Convention: as a general rule, every person shall be enabled to have access to information about himself in a medical file and implicitly to know of its existence. Exceptions to this rule should be reduced to a minimum; as an example of such an exception, it might be detrimental for a patient to know that he is on record in a cancer register.

    For this reason, Principle 8.1 leaves the option that the right of access be exercised indirectly (see the following paragraph); in that case and unless this would be contrary to domestic law, the data subject should specify this and be enabled to designate for this purpose a person of his choice, who should be given full access.

    In some member States, domestic law does not enable the data subject to have direct access to his medical data (eg. in accordance with the rules of medical secrecy), which in fact constitutes a derogation under Article 9 of the Convention. If, however, this right exists and the data subject does not wish to exercise it himself, he should be enabled to designate a person - in accordance with domestic law - to have access. Depending on the law in force,

such person may be a medical doctor or other health-care professional, a relative or any other person of the data subject's choice.

    As is the case with "individualised" information (paragraph 112 above), the data subject must be enabled, to the extent possible, to understand the information to which he has access. This does not mean that medical data must be stored in an intelligible form; in many cases information will be coded, eg. diagnostic groups. What is important is that the information is accessible to the data subject - or the person of his choice - in a form which can be understood by him.

    Like Article 9 of the Convention, Principle 8.2 allows for derogations to be made from the right of access to medical data if the law provides for such refusal, limitation or delay. Principle 8.2 is also based on the general principle of proportionality; access to medical data cannot be refused, limited or delayed except to the extent to which it is necessary: each case should be considered on its own merits.

    Firstly, the right of access may be refused, limited or delayed if this constitutes a measure which is necessary in a democratic society to protect State security, public safety or for the suppression of criminal offences.

    The drafters of the Recommendation felt that access to medical data should not be restricted to protect the monetary interests of the State.

    Secondly, access to medical data may also be refused, limited or delayed if it is likely to cause serious harm to the data subject's physical or mental health; paragraph 8.2.b recognises "the right not to know". In such cases it would, however, be desirable for access to be given indirectly (see paragraph 152 above), and in any case as soon as the risk of harm no longer exists, access must be given.

    Thirdly, access may be refused, limited or delayed if it would reveal information on third parties and the protection of the personal data of this third party would override the interest of the data subject to have access to his own medical data. Moreover, the drafters of the Recommendation provided also in paragraph c for the possibility to refuse, limit or delay access to genetic data when this might cause serious harm to a member of the genetic line, or to a person who has a direct link with this line, eg. a presumed family member who appears not to be a member of the genetic line, or a presumed outsider who turns out to belong to the family.

    Finally, paragraph d. of Principle 8.2 resumes the possibility, provided for in Article 9, paragraph 3, of the Convention, of restricting the right of access to data used for statistical purposes or scientific research, where this restriction creates no risk of infringement of the privacy of data subjects, for example where safeguards provide that the data will not be used for taking decisions about the data subject.

    Under Article 8 of the Convention, the right of access to one's personal data goes hand in hand with the data subject's right to obtain, on certain conditions, rectification or erasure of his data. A general principle of data protection is that data must be corrected or erased if they are erroneous. In the medical sector, however, the exercise of this right of rectification or erasure may sometimes raise problems of a specific nature.

    Principle 8.3 therefore allows the data subject to ask for rectification of such erroneous data, but not for their erasure, because even erroneous medical data might have their importance for the data subject's medical history.

    It is clear that the data subject cannot be enabled to obtain rectification of medical data to which he has not been given access - direct or indirect - under Principle 8.2.

    Personal data in a medical file may be accompanied by "judgmental data": opinions and evaluations made by the persons in charge of the medical analysis or treatment which thus also constitute medical data, but data on which these persons may claim a certain right of determination. Although the drafters of the Recommendation recognised that, as in the employment sector (Recommendation No. R (89) 2), the data subject should in principle have the right, in accordance with domestic law, to contest judgmental data in his medical file and have such contest recorded, they admitted that to formulate a specific principle on this issue would meet with too many difficulties in practice.

    Following the preceding Recommendation No. R (81) 1 on regulations for automated medical data banks, the drafters of the Recommendation considered that data subjects should be allowed to appeal against a refusal to rectify erroneous data. Depending on domestic law and national practice, such appeals could be lodged either with the competent tribunal, or the Data Protection Authority. If, in accordance with Principle 9.3, the controller of a medical file has drawn up internal regulations, such appeal might be addressed to either the person or body to whom certain decisions must be submitted for approval, or the person who supervises the use of the medical data file, or the person to whom appeal may be made in the event of dispute, if such persons have been designated in the internal regulations (see paragraph 179 hereafter).

Unexpected Findings

    As indicated in paragraphs 119 and 160 above, unexpected results of a genetic analysis may cause harm to the data subject or other members of the genetic line which is of more importance than the data subject's right to know his own genetic data, eg. presence of unexpected family relations, or absence of presumed family relations. Such incidental data were not the purpose of the analysis; nobody asked for them. Moreover, Article 5 of the Convention requires that data undergoing automatic processing shall be adequate, relevant and non-excessive. The best protection of such incidental data would be their immediate erasure.

    Paragraph c of Principle 8.2 allows access to genetic data to be refused, limited or delayed, if it is provided for by law, if revealing these data is likely to cause serious harm to consanguine/uterine kin or to a person in the direct genetic line (see paragraph 160 above).

    However, the drafters of the Recommendation were aware that the Convention requires also in Article 8 that the data subject shall be enabled to have access to his data. In the genetics sector, the right of access to probably complex data should be understood rather as a right to comprehensible information for the data subject. Moreover, it was noted that Principle 11 of Recommendation No. R (92) 3 on genetic testing and screening for health-care purposes was worded as follows:

        "In conformity with national legislation, unexpected findings may be communicated to the person tested only if they are of direct clinical importance to the person or the family.

        Communication of unexpected findings to family members of the person tested should only be authorised by national law if the person tested refuses expressly to release information even though the life of the family members is in danger."

    For these reasons Principle 8.4 does not entirely exclude the possibility that information on unexpected findings is given to the person subjected to an analysis. However, the following conditions must be met:

either        a.    domestic law must not prohibit such information; and

        b.    the person himself has asked for the information; and

        c.    the information is not likely to cause serious harm to his/her health (physical or mental) or cause harm to certain categories of persons;

or        the information is of direct importance for the treatment of the person or for the prevention of harm to his/her health, or is not prohibited by domestic law.

    The categories of persons who should not be harmed include first of all of consanguine/uterine kin, ie. members of the genetic line of the person who has undergone the genetic analysis. Secondly, the drafters of the Recommendation believed that this protection should also be extended to persons belonging to his/her social family, ie. the persons who, while not belonging to his/her natural or legal family, are however linked by ties of affinity, such as the spouse or an adopted child. Thirdly, protection should be extended to those

people who are not members of the genetic line or of the social family, but who have a direct link with the person who has undergone the analysis, for example the sperm donor.

    In certain member States, domestic law does not permit information on unexpected findings to be concealed, in the interests of a third party, from the data subject who has made the request for the information. Principle 8.4 permits, in this case, a derogation from this restriction of information, on condition that domestic law provides other appropriate safeguards to protect third persons.

    Since Principle 8.4 already constitutes a derogation from the right of access the restrictions set out in Principle 8.2 do not apply to it.

9.    Security

    As a first rule, the general provisions regarding security laid down in the Convention apply to medical data files, and in particular its Article 7. Principle 9.1 takes up this provision, adapts it to the particular nature of medical data and to the special conditions in which they are collected and expands it further.

    The drafters of the Recommendation believed that the measures laid down in Principle 9.1 should also be taken with respect to genetic data and, as far as possible, should cover the carriers of these data, such as samples taken from human bodies.

    Furthermore, under Article 6 of the Convention, personal data concerning health may not be processed automatically unless domestic law provides appropriate safeguards.

    The drafters of the Recommendation underlined the growing importance of security measures, caused by the increased use of electronic equipment by general medical practitioners, the many thefts of such equipment and the relatively low expenses incurred by the implementation of such measures. Therefore, Principle 9.2 requires in particular a policy

aimed at ensuring the security and accuracy of medical information systems, including a number of security counter-measures similar to those defined in Article 118 of the Convention implementing the Schengen Agreement of 14 June 1985. Such measures should balance the smooth functioning of the system for the benefit of the patient against the safeguards necessary for his privacy to be protected against undue intrusion. They should keep up with the technological developments in information systems, without however leading to disproportionate expenses.

    Moreover, the measures should be appropriate, i.e. proportional to the processing. For instance, a practitioner should not leave his personal computer in an unlocked room; larger health-care centres should be equipped with code systems for access to computers.

    In respect of sub-paragraph e of Principle 9.2 (access control), the system design should be appropriate to the circumstances, eg. keep the different types of data together when this would facilitate the patient's care and treatment. Information should preferably be available only on a need-to-know basis.

    In the case of medical files of a certain volume, to which, apart from the person in charge of medical treatment, other health-care professionals have a legitimate access, Principle 9.3 recommends that the controller of such files draw up, in conformity with domestic law, internal regulations to ensure respect of the relevant principles in this Recommendation. Such regulations should also designate the persons with whom an appeal could be lodged if rectification of erroneous data were refused (see paragraph 166 above).

    Where controllers of medical files cannot themselves ensure that security measures are being respected, they should under Principle 9.4 appoint information security agents, not in order to pass on their own responsibility for the security of the medical data, but in order to delegate some of their tasks.

10.    Conservation

    The Recommendation takes account of a situation in which medical data files must be treated differently from most other types of data files. As a general rule, expressed in Principle 10.1, medical data must not be stored longer than is necessary, for it is a threat to his/her privacy if information relating to any individual is allowed to accumulate as the years go by.

    However, the interests of public health, medical research, the treating physician, the controller of the file or historical or statistical reasons may require the long-term conservation of medical data, even after the death of the persons concerned. Specific regulations exist in a number of member States for the conservation of medical archives. Principle 10.2 permits the long-term conservation of medical data, provided that adequate safety and privacy safeguards are given.

    Personal data collected during a genetic screening and diagnosis and associated genetic counselling may be stored, including data on genetic counselling, diagnosis and prevention of disease. For purposes of medical care - diagnosis, treatment and prevention of disease - and for related research, long-term storage of genetic data may be needed because of the nature of genetic diseases. Particular consideration should be given to specific security requirements necessitated by the long-term storage of genetic data.

    Principle 10.2 can also apply to incidental data resulting from a genetic analysis.

    When medical data are conserved, the privacy of the patient is best safeguarded by anonymisation of his data. If this is not possible, other special safety measures must be taken for this purpose.

    However, none of these safeguards affects, in principle, the right of the data subject to require erasure of his medical data once they are no longer useful for the purpose for which they were collected. This right can only be restricted by overriding and legally protected interests, eg. legal obligations to store medical data in archives, or when domestic law does not allow erasure by the data subject, or when the legitimate interests of the health- care professional to conserve data of his patients to defend himself against possible allegations of incorrect diagnosis or treatment would oppose erasure (Principle 10.3).

    The drafters of the Recommendation did not include a provision on the transfer of medical data to another health-care professional, if the data subject asked for this, because of the questions which such obligation would raise outside the scope of the Recommendation.

11.    Transborder data flows

    With the increasing mobility of persons, the transborder flow of medical data becomes more and more important: the life of the data subject may depend on the rapid and uncomplicated communication of his medical data.

    Yet, with a view to the sensitive nature of medical data and the risk which unauthorised access poses for the data subject's privacy, Principle 11.1 confirms explicitly that the provisions in this Recommendation also apply when medical data are transferred across the border. In this, and in the following Principles 11.2, 11.3 and 11.4, the Recommendation follows Recommendation No. R (91) 10 on the communication to third parties of personal data held by public bodies.

    Principle 11.2 sets out the principle of free flow of data. Since a Contracting Party to the Convention must be possessed of data protection norms consistent with the Convention's basic principles, there is no prima facie justification for restricting the flow of data to it. This is certainly the case when the exporting State is also a Contracting Party. However, Principle 11.2 is not exclusively concerned with the situation in which the communicating country is a Contracting Party. It also envisages personal data being communicated by States not Party to the Convention, including States which have not yet adopted legislation on data protection. The drafters of the Recommendation have sought to encourage the acceptance by all countries of the principle of free flow of data to States which have ratified the Convention.

    The provisions of Principle 11.2 are without prejudice to the right of a Contracting Party to determine the conditions for the transfer of particular categories of personal data or personal data files in accordance with the provisions of Article 12, paragraph 3.a. of the Convention.

    Principle 11.3 deals with the situation in which the State of destination ensures protection of medical data which is in accordance with the basic principles of the Convention as well as the philosophy of this Recommendation, but has not yet ratified the Convention. Certain States have in fact adopted data protection laws in conformity with the Convention but have not yet reached the stage of depositing their instrument of ratification. As in Principle 11.2, Principle 11.3 similarly encourages the free flow of data to such States. It is felt that even though ratification of the Convention is an absolute necessity at some stage, the legal situation in regard to data protection in such countries should be accepted as sufficient and transborder communication should be allowed to take place without further conditions. To use the terminology of the Convention, an "equivalent level of protection" may be deemed to exist in such countries, at least when the data are to be imported from the territory of Contracting Parties.

    Principle 11.4 deals with a situation in which the State of destination has not ratified the Convention and does not ensure the effective protection of personal data which can be considered to be compatible with the basic principles of the Convention. In this case, and so as not to weaken the protection of data subjects and so undermine the scope of data protection principles, in particular the principles laid down in the Convention as well as this Recommendation, exporting States should allow communication of medical data to third parties resident in such countries, only if one of the two conditions hereafter is met.

    Sub-paragraph a of Principle 11.4 provides for an alternative method of ensuring data protection in the event of communication of medical data to countries which have not yet legislated for data protection. The alternative method envisages the exporting country taking measures which could guarantee the integrity of the data, including respect of the principles laid down in the Convention and in this Recommendation, in the territory of the country of destination. One such measure could require the importing third party to commit itself

contractually to respecting data protection principles. In this regard, reference should be made to the model contract which has been drawn up by the Consultative Committee of the Contracting Parties to the Convention. The use of contract law, it should be emphasised, is to be regarded as a stop-gap measure pending the enactment of data protection provisions in the country of destination and should not be seen as replacing the need to adopt such provisions at some stage. In order to allow for dispute resolution free from considerations of national law, the contract should provide for a system of independent arbitration. The competence of the independent arbitrators should extend to enabling the data subject to enforce his rights in regard to his data and to awarding him compensation in the event of such rights being denied by the third party. Principle 11.4, sub-paragraph a, stresses that the use of such measures as an alternative to protection by domestic law is conditional on the data subject being informed of the possibility that his data may be communicated to third parties situated in countries not having data protection provisions, and being given the opportunity to object to the communication.

    In the second place, the drafters of the Recommendation have suggested that communication could take place if the data subject had given his consent, and thereby had taken the responsibility in the circumstances envisaged for his medical data to be communicated outside his national territory to a country where it is impossible to monitor the fate of the data.

    Principle 11.5 recommends that in the case of transborder data flows appropriate supplementary measures be taken for the security of the data. The exporter of the data should, in such cases, indicate the purposes for which the data were collected, and the persons to whom they may be communicated. The importer should undertake to respect these purposes, and not to communicate to other persons or bodies, unless he is obliged to do so under domestic law (eg. in criminal investigations). It is clear that such supplementary measures cannot be required in emergency situations, and are superfluous when the data subject has himself accepted the transfer.

12.    Scientific research based on medical data

    Although the Recommendation does not refer to it explicitly, the requirement in Article 5 of the Convention that personal data undergoing automatic processing should be adequate, relevant and not excessive applies equally to medical research: only the data necessary for the purposes of such research should be used.

    The primary means of protecting medical data to be used for scientific research purposes, called for in Principle 12.1, is to make them anonymous. For this reason, researchers as well as public authorities concerned are urged to develop anonymisation techniques.

    The second means of protection advocated by the Recommendation involves arrangements for supervising planned research projects based on the quality requirements laid down in Article 5 (b) and (c) of the Convention (Principle 12.4; see paragraphs 211-212 hereafter).

    The nature or objectives of certain research projects sometimes make it impossible to use anonymous data. In such cases under Principle 12.2 personal data may be used if the purposes of the research project are legitimate and one of the conditions listed is fulfilled.

    Firstly, personal data may be used for medical research if the data subject has been duly informed of the research project - or at least if the information requirements in Chapter 5 have been respected - and has given his consent for that particular project, or, at least, for the purposes of medical research (sub-paragraph a).

    Secondly, in the case of a legally incapacitated person, this consent must have been given in accordance with Principle 6.4, and the research project must have a connection with the medical condition or disease of the data subject (sub-paragraph b).

    The drafters of the Recommendation agreed that any consent given on behalf of a legally incapacitated person should not be motivated by material interests, but that any explicit requirement along these lines would be outside the direct scope of this Recommendation.

    Thirdly, cases may arise where the data subject cannot be found or where for other reasons it is apparently impossible to obtain the consent from the data subject himself (eg. in the case of an epidemic). When in such cases the interests of the research project are such that they justify the consent requirement to be waived - for example in the case of an important public interest - and unless the data subject has explicitly refused any disclosure, then the authorisation to use personal data may be given by the body or bodies designated by domestic law and competent in the area of personal data. The drafters of the Recommendation agreed that such authorisation should, however, not be given globally, but case by case; moreover, the medical data should be used only for the medical research project defined by that body, and not for another project of the same nature (sub-paragraph c).

    The authorisation, by the designated body, of communication of medical data for the purposes of a medical research project also depends on other factors implicit in the spirit of the Recommendation in the present principle, or explicitly set out in other principles:

    a.    the existence of alternative methods for the research envisaged;

    b.    the relevance of an important public interest of the aim of the research for example in the field of epidemiology, of drug control or of the clinical evaluation of medicines;

    c.    the security measures envisaged to protect privacy;

    d.    the necessity of interfering in the privacy of the data subject.

    Furthermore, the drafters of the Recommendation specified that opposition by the data subject need not necessarily intervene before communication of his medical data; he could also appeal against the authorisation given by the body concerned, on condition nevertheless that such appeal does not jeopardise the whole research project. The form of this kind of appeal would depend on the system provided by domestic law (authority responsible for data protection, ethics committee, court, etc.).

    The drafters of the Recommendation agreed that under sub-paragraph c.ii it would not be necessary to make the reasonable efforts in all cases; the person in charge must,

however, consider whether with reasonable efforts it would be practicable to contact all data subjects. If this seems possible, then the efforts must be made.

    Furthermore, it was understood that to seek the consent of the data subject for medical research would be an unreasonable demand for the research institute, and would rather be the responsibility of the person or body envisaging disclosure of medical data.

    The expression "disclosure of data" in sub-paragraph c was translated into "communication des données" in the French version. Whilst accepting that this translation did not reflect in full the English expression, the drafters of the Recommendation agreed that the intended meaning of this principle was to subject, in the conditions described, not only any use, but also any transmission of medical data for medical research, to prior authorisation.

    Finally, medical research may be based on personal data, without the data subject's consent, if the research is provided for by law (not necessarily "explicitly authorised") and constitutes a necessary measure for reasons of public health, including therapeutic research (sub-paragraph d).

    Because of the stricter protection of medical data required by Article 6 of the Convention, sub-paragraph d, in allowing such exceptions, is less flexible than Article 9 of the Convention.

    As in paragraph 75 above, the drafters of the Recommendation noted that under "law", in sub-paragraph d, should be understood any mandatory ruling, whether general or subsidiary legislation, eg. a ministerial decree, as long as the ruling is based on domestic law and is sufficiently accessible and foreseeable (cf. the case law of the European Court of Human Rights).

    Principle 12.3 recognises that medical doctors and medical bodies entitled to carry out their own research should be allowed to use, for their own research, the medical data which they have collected themselves, if the data subjects are aware of such use and have not objected, ie. they had been informed that one of the purposes of the collection would be medical research. These complementary provisions may in particular consist of the consent of the data subject or of permission given under domestic law or by a controlling body for public health reasons.

    Medical research using personal data may raise problems connected with data protection, which are addressed in this Recommendation, but also incidental questions of an ethical and scientific nature, such as:

a.    the need for research involving personal data;

b.    the suitability of the data to be collected for a particular research project;

c.    the exhaustive nature of the research project;

d.    the processing of the data of the unborn and deceased;

e.    the information of the patient and his family;

f.    the ways and means of collecting the data;

g.    the communication of the research findings.

    Depending on domestic law, these questions may have to be solved, preferably in advance, by one or more specific bodies designated by law and responsible for the questions within their sphere of competence. The drafters of the Recommendation considered that it would be outside the scope of the Recommendation to address such ethical and scientific questions raised by medical research, or to designate the bodies responsible for solving such questions. They referred to national legislation, which in the case of various bodies should distribute responsibilities and ensure co-ordination.

    Principle 12.4 requires therefore merely that any such ethical and scientific questions be examined, apart from the data protection point of view, also in the light of other relevant instruments in the field of ethics or science.

    By "exhaustive nature of the research project" in sub-paragraph c of the preceding paragraph, the drafters of the Recommendation had in mind a project requiring the collection of medical data concerning all persons affected by such research, with or without their

consent. The effectiveness of certain types of epidemiological research in fact depends on the recording of data concerning all the patients infected.

    The general principle of purpose specification applies in particular to the processing of personal data for medical research: such data collected, processed or disclosed for one specific project should not be used for another project, or for purposes other than those for which the consent or the authorisation has been given under Principle 12.2. If the second research project, for which the data were not collected, or for which consent or authorisation was not given, is substantially different from the first project then the whole procedure defined in Chapter 12 should be followed again.

    Although it may seem obvious that the possibility to use personal data in medical research does not imply that the results of the research may be published in a form which enables identification of the data subjects, the drafters of the Recommendation thought it wise, because of the sensitive nature of medical data, to emphasise this requirement in Principle 12.5. In some member States, publication of medical data is, however, prohibited, even if the data subject has consented.


Footnote: 1 Hereafter referred to as "the Convention".


Footnote: 2 Resolution (73) 22 on the protection of the privacy of individuals vis-à-vis electronic data banks in the private sector; Resolution (74) 29 on the protection of the privacy of individuals vis-à-vis electronic data banks in the public sector.


Footnote: 3 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Strasbourg, 28 January 1981, ETS 108). At the time of publication of this Explanatory Memorandum, 17 States had ratified the Convention: Austria, Belgium, Denmark, Finland, France, Germany, Greece, Iceland, Ireland, Luxembourg, The Netherlands, Norway, Portugal, Slovenia, Spain, Sweden and the United Kingdom.


Footnote: 4 Albania, Andorra, Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Moldova, The Netherlands, Norway, Poland, Portugal, Romania, Russia, San Marino, Slovakia, Slovenia, Spain, Sweden, Switzerland, "the former Yugoslav Republic of Macedonia", Turkey, Ukraine and the United Kingdom.



 Top

 

  Related Documents
 
   Meetings
 
   Other documents