PRIVIREAL: Privacy in Research, Ethics and Law
"examining the implementation of the Data Protection Directive 95/46/EC
in relation to medical research and the role of ethics committees"

Directive 95/46/EC in Relation to Medical Research

Deryck Beyleveld, Co-ordinator of PRIVIREAL

    The Directive says nothing on medical research explicitly. Its implications for the processing of personal data in or for medical research must be inferred from what it has to say about the general processing of personal data, especially sensitive personal data, and about processing for research and statistics. For this reason, the following outline does not mention medical research specifically unless this can be done without distorting the provisions of the Directive. The outline is made mostly without comment, but does involve some interpretation. It has no official standing and merely represents the personal view of the co-ordinator of PRIVIREAL.

    Some Information on EC Directives

    Directives have two parts: a Preamble (which is made up of Recitals) and an operative part made up of Articles.

    Articles prescribe results that EU Member States must achieve by their laws, with Article 10 of the EC Treaty (Article 10 EC) requiring Member States to "take all appropriate measures" to ensure fulfilment of their Community obligations, and Article 249 EC stating

    A directive shall be binding, as to the result to be achieved, upon each member State to which it is addressed, but shall leave to the national authorities the choice of form and methods.

    Recitals provide guidance on interpreting Articles. Recitals enable the EC's legislators to discharge their duty to state the reasons on which a binding Community Act is based (Article 253 EC).

    The question of insufficient or erroneous reasons was considered in the Brescia Case (Case 31/59 [1960] E.C.R. 82).

    In the Brennwein Case (Germany v. Commission) (Case-24/62) [1963] E.C.R. 69, the ECJ declared that the duty to state reasons gives

    an opportunity to the parties of defending their rights, to the Court of exercising its supervisory functions and to Member States and to all interested nationals of ascertaining the circumstances in which the [Treaty has been applied].

    In Von Colson and Kamann v. Land Nordrhein-Westfalen (Case 14/83) [1984] E.C.R. 1891, the ECJ declared that national authorities must, as far as possible, interpret national law in the light of the wording and purpose of the Directive in order to achieve the result pursued by the Directive.

    In Marleasing SA v. La Comercial Internacional de Alimentacion SA (Case C-106/89) [1990] E.C.R. I-4135, the ECJ went further by directing that national courts are "required" to interpret domestic law so as to ensure achievement of the objectives of the Directive, whether the national provisions were enacted before or after the Directive.

    However, Francovich and Bonifaci v. Italy (Cases C-6/90 and C-9/90) [1991] E.C.R. I-5357.

    If a Member State has failed to implement a Directive by the deadline for doing so, or its implementing provisions are incompatible with provisions of the Directive that are unconditional and sufficiently precise to be given direct effect, then any conflicting national provision must give way to EC law (e.g., Levy, Case C-158/91 [1993] E.C.R. I-4287).

    Objective of Directive 95/46/EC

    To safeguard the fundamental rights and freedoms of individuals (in particular, privacy) in the processing of personal data in a harmonised manner, so as to enable its free flow between States of the European Economic Area (EEA) (Article 1; Recitals 3 and 7-11).

    The fundamental rights and freedoms referred to are, most centrally, those recognised in the constitutions and laws of the Member States and in the European Convention for the Protection of Human Rights and Fundamental Freedoms (Recitals 1 and 10). They are also reflected in the Charter of Fundamental Rights of the European Union (Article 8 of which provides a right to the protection of personal data). Even though the Charter is not legally binding in its own right, it is anticipated that the ECJ will take it into account in its judgments, because the Charter is, essentially, a compendium of the rights that the ECJ has in the past declared to have the status of fundamental principles of EC law.

    The Directive gives substance to and expands the protection of the rights and freedoms contained in the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data (Recital 11).

    Definition of Personal Data

    Any information relating to an identified or identifiable natural person ("data subject") (Article 2(a); Recital 26), including "sound and image data relating to natural persons" (Recital 14). ("Natural person" is not defined, but Recital 24 suggests it contrasts with "legal person".)

    An identifiable person = a person who can be identified, directly or indirectly, from the data alone or in conjunction with other factors (Article 2(a)), taking account of all the means "likely reasonably to be used" by the controller or any other person to identify him (Recital 26).

    Processing of personal data = anything that can be done with personal data, automatically or manually (Article 2(b); Article 3(1); Recital 27). But manual processing is covered only if the data are part of, or intended to be part of, a "filing system" (Article 3; Recital 15), = a "structured set of personal data which are accessible according to specific criteria" (Article 2(c); Recitals 15 and 27), the criteria being definable by Member States (Recital 27). Processing for purposes beyond the scope of EC law, or by a natural person for purely personal or household purposes, is not covered (Article 3(2); Recitals 12, 13 and 16).

    Discretion to Implement

    Member States must implement the Directive within the limits set by Articles 6-21 (Article 5; Recital 22). There may be a general law or different laws for different "sectors" of processing (Recital 23), and thus, potentially, a specific law for medical research.

    Principles of Data Protection

    Member States must (Article 6(1); Recital 28) provide that personal data is

    (a) processed fairly and lawfully;

    (b) collected for specified, explicit and legitimate purposes only (to be determined at the time of collection) and not further processed in a way incompatible with those purposes (as originally specified) ("incompatibility" is not defined positively);

    (c) adequate, relevant and not excessive in relation to the purposes for which they are collected/further processed;

    (d) accurate and, where necessary, kept complete and up to date;

    (e) not kept in personal form for longer than necessary for the purposes for which they were collected or (compatibly) further processed.

    The principles apply to all applicable personal data, but not to data rendered anonymous so that the data subject is no longer identifiable (Recital 26).

    Necessary Conditions for Lawful Processing of Personal Health Data

    At least one condition from Article 7 (which applies to all personal data) must be met. For "special" or "sensitive" categories of data (Recital 34), = "data which are capable by their nature of infringing fundamental freedoms or privacy" (Recital 33), which include data relating to a person's health (Article 8(1)), one condition from Article 8(2)-(5) (Recitals 33-36) must also be met.

    Article 7 Conditions

    (a) With the data subject's unambiguous consent = "any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed" (Article 2(h)) or
    (b) If necessary for a contract to which the data subject is party; or
    (c) If necessary to comply with a legal obligation of the data controller; or
    (d) If necessary to protect the vital interests of the data subject (= interests "essential for the data subject's life" [Recital 31]); or
    (e) If necessary in the public interest or the exercise of official authority; or
    (f) In the legitimate interests of the controller or recipients of the data (unless fundamental rights and freedoms of the data subject are overriding) (specifiable by Member States [Recital 30]).

    However, in the cases of (e) and (f) at least, the data subject must, save where "otherwise provided by national legislation", be given the opportunity to object on compelling legitimate grounds (Article 14(a); Recital 45).

    Most Applicable Article 8 Conditions

    · With the data subject's explicit consent (undefined), unless national law does not permit the prohibition to be lifted by the data subject's consent (Article 8(2)(a); Recital 33); or
    · If necessary to protect the vital interests of the data subject or another person where the data subject physically or legally cannot give consent (Article 8(2)(c)); or
    · If the data is manifestly made public by the data subject or processing is necessary to establish, exercise or defend a legal claim (Article 8(2)(d)); or
    · If necessary for the purposes of "preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where those data are processed by a health professional subject under national law or rules established by national competent bodies to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy" (Article 8(3); Recital 33); or
    · On conditions specified by national law or decision of the supervisory authority in the substantial public interest (in relation to which scientific research and government statistics are stated to be "of important public interest" [Recital 34]) subject to suitable (and specific [Recital 34]) safeguards (Article 8(4)), which must be notified to the Commission (Article 8(6)).

    Member States must determine the conditions under which personal data may be processed employing a national identification number or any other identifier of general application (Article 8(7)).

    Data Subjects' Specific Rights

    Right to Information

    When personal data is obtained from the data subject, Member States must grant the data subject the right to be informed (unless he already has this information) of the identity of the data controller and "his representative" if any; of the purposes of processing of the data that are intended; and anything else required for processing to be fair to the data subject (Article 10; Recital 38).

    Where the data were not obtained from the data subject, the data subject must be granted similar rights to information (Article 11(1)). In this case, there is a specific exemption from the need to provide the information (subject to Member States providing adequate safeguards) if this would be impossible, involve disproportionate effort, or if recording or disclosure of the data is expressly laid down by law (Article 11(2); Recital 40).

    When personal data were obtained from the data subject but a later disclosure to third parties was not anticipated at the time of collection, the right to information about that disclosure is subject to exemption on the Article 11(2) conditions (Recitals 39-40).

    Rights of Access

    Member States must give data subjects rights to obtain from the data controller

    · confirmation as to whether or not data relating to them are being processed and, if so, information at least about the purposes of the processing, the categories of data being processed, and the recipients or categories of recipients to whom the data have been disclosed;
    · intelligible communication of what data is being processed and about the source of this data;
    · knowledge of the logic behind at least the automated processing covered by Article 15(1).
    · rectification, erasure or blocking of data if its processing does not comply with the Directive (especially on the grounds of inaccuracy or incompleteness)
    · notification to third parties to whom data have been disclosed of the exercise of the last-mentioned right (unless this is impossible or would involve disproportionate effort) (Article 12; Recital 41).

    Rights to Object

    Data subjects must be given a right to object

    · to processing relating to them on "compelling legitimate grounds" relating to their particular situations (unless otherwise provided by national legislation) (Article 14(a));
    · without having to give reasons (Recital 30) and without cost, to processing of their personal data for purposes of direct marketing, about which they must be informed (Article 14(b));
    · to decisions that have legal or other significant effects on them and that are based solely on automated processing intended to evaluate personal aspects relating to them (Article 15(1)), unless certain conditions are satisfied (Article 15(2)).

    General Powers to Exempt

    Articles 6(1), 10, 11(1), 12 and 21 (which imposes a duty on Member States to publicise processing operations) may be derogated from as necessary to safeguard various goals that are beyond the remit of EC law, or to protect the data subject or the rights and freedoms of others (Article 13(1); Recitals 42-44).

    The principle of public access to official documents may be taken into account when implementing the data protection principles (Recital 70).

    Each national supervisory authority must hear, in particular, "claims for checks on the lawfulness of data processing lodged by any person when the national provisions pursuant to Article 13" apply (Article 28(4)).

    Scope for Exemption Specifically for Research

    1 Further processing for historical, statistical or scientific purposes is not incompatible processing if adequate safeguards (which "must, in particular, rule out the use of the data in support of measures or decisions regarding any particular individual" [Recital 29]) are provided by Member States (Article 6(1)(b)).
    2 Personal data may be kept in personal form for historical, statistical or scientific use for longer than is necessary for the purposes for which the data was collected or is being further processed if Member States provide adequate safeguards (Article 6(1)(e)).
    3 The prohibition on processing of sensitive personal data of Article 8(1) may be lifted
    · for reasons of substantial public interest (which, per Recital 34, includes scientific research if "substantial" is read as "important") by national law or decision of the supervisory authority, if Member States provide suitable safeguards (Article 8(4));
    · (implicitly) for medical research if this may be considered to be a subcategory of preventive medicine, medical diagnosis, the provision of care or treatment, or management of health-care services, provided that the processing of sensitive personal data involved is carried out by a health professional or another person subject to an equivalent "obligation of secrecy" per national law or rules established by national competent bodies (Article 8(3)).
    4 When "data are processed solely for the purposes of scientific research or are kept in personal form for a period that does not exceed the period necessary for the sole purpose of creating statistics", Article 12 may be derogated from provided that
    · the derogation is by a legislative measure;
    · "there is clearly no risk of breaching the privacy of the data subject"; and
    · adequate legal safeguards are provided (in particular that the data are not used to take measures or decisions regarding any particular individual). (Article 13(2)).
    5 Where processing was already under way on 24 October 1998, Member States may provide, on condition that they institute appropriate safeguards, that the processing of data for the sole purpose of "historical research" need not comply with Articles 6, 7 and 8 (Article 32(3)).
    6 It is implicit that to the extent that medical research is necessary to safeguard the data subject or the rights and freedoms of others, Articles 6(1), 10, 11(1), 12 and 21 may be modified for medical research (Article 13(1)(g)). (In relation to any modification of Article 12 permitted by Article 13(1)(g), Member States may require the data subject's right to access to medical data to be exercised only through a health professional [Recital 42]).

    Responsibility to Comply

    Member States must make it the responsibility of the "data controller" (= any person or body, private or public, that individually or jointly determines the purposes and means of processing [Article 2(d)]) to comply with the principles of data protection (Article 6(2); Recital 25).

    Member States must impose duties on data controllers to implement appropriate security measures (Article 17(1)-(2); Recital 46).

    Those authorised by the data controller to hold or otherwise process data must do so only on the instructions of the data controller, unless required to do so by law (Article 16).

    Processors who are not themselves the data controllers must be bound by a contract (which must be in writing or equivalent form [Article 17(4)]) or legal act binding them to the controller (Article 17(3)).

    Notification

    Member States
    · must require the data controller or his representative to notify the supervisory authority set up under Article 28 of any at least partly automatic processing before it is carried out (Article 18(1)).
    · may require such notification of non-automatic processing (Article 18(5)).
    · may (without prejudice to the other duties of the data controller [Recital 51]) simplify or exempt from notification when the conditions of Article 18(2) (e.g., if the data controller, operating in compliance with national law, appoints a personal data protection official responsible for independently ensuring compliance with national laws implementing the Directive and for keeping a register of processing as required by Article 21(2)), Article 18(3) or Article 18(4) apply.

    The information required in a full notification is specified in Article 19(1).

    Prior Assessment

    Member States must determine which processing operations are likely to present specific risks to the rights and freedoms of data subjects (see Recital 53 for examples) and to subject these to prior checking by the supervisory authority or a data protection official (who must consult the supervisory authority if in any doubt) (Article 20(1) & Article 20(2)).

    Publication

    Except for public registers, Member States must take measures to publicise all processing operations (Article 21).

    Remedies etc.

    Member States (see also Recital 55) must
    · without prejudice to any administrative remedy, provide a judicial remedy for any breach of rights guaranteed by implementing national legislation (Article 22);
    · provide for compensation from the data controller for damage resulting from unlawful processing operations, except where the controller can prove that he was not responsible for the event causing the damage (Article 23);
    · adopt suitable measures to ensure full implementation of the provisions of the Directive, which must include sanctions for infringing implementing provisions (Article 24).

    Third Country Transfers

    Member States must provide that personal data may not be transferred to a third country (one outside the EEA) that does not provide for an adequate level of protection (Article 25(1); Recitals 56 & 57) unless

    (a) with the unambiguous consent of the data subject; or
    (b) necessary for the performance of contractual measures between the data controller and the data subject, or at the data subject's request; or
    (c) necessary for a contract in the interest of the data subject between the controller and a third party; or
    (d) necessary or legally required on important public interest grounds or to exercise or defend legal claims; or
    (e) necessary in the vital interests of the data subject; or
    (f) made from a public register (Article 26(1); Recital 58).

    Alternatively, Member States may authorise transfers where the data controller adduces adequate safeguards by e.g., appropriate contracts (Article 26(2); Recital 59), in relation to which the Commission may, in accordance with Article 31(2), decide that certain standard contractual clauses constitute sufficient safeguards, with which Member States must comply (Article 26(4)).

    Article 25(2) specifies considerations that Member States must take into account in assessing the adequacy of protection in a third country.

    Member States and the Commission must inform each other of countries they consider do not provide adequate protection (Article 25(3)).

    If the Commission does not consider protection in a third country to be adequate, Member States must act to prevent transfers of data of the type for which protection is not adequate to that country (Article 25(4)), while the Commission must act to try to remedy this situation (Article 25(5); Recital 59).

    The Commission may find, in accordance with Article 31(2), that a third country provides adequate protection, and then the Member States must comply with this decision (Article 25(6)).

    Codes of conduct

    Article 27(1) (see also Recital 61) requires Member States and the Commission to encourage the drawing up of codes of conduct to assist with the implementation of the Directive in specific sectors of processing. The supervisory authority is required to vet codes drawn up by bodies representing categories of data controllers and to consult with data subjects or their representatives (Article 27(2)). Article 27(3) provides a role for the Article 29 Working Party in approving draft Community Codes and amendments to existing Community codes.

    Supervisory Authority

    Member States must provide for one or more independent (Recital 62) public authorities ("the supervisory authority"), the responsibilities of which are specified in Article 28 (and Recitals 63 and 64).

    Article 29 Working Party

    Article 29 (see also