420 likes | 577 Views
Instituto de Acceso a la Información Pública del Distrito Federal Acceso a la Información y Protección de Datos Personales: Dos Derechos en un Mismo Rostro - 2º Seminario Internacional. Convention 108 new challenge for data protection in non-European states.
E N D
Instituto de Acceso a la Información Pública del Distrito Federal Acceso a la Información y Protección de Datos Personales: Dos Derechos en un Mismo Rostro - 2º Seminario Internacional Convention108new challenge for data protection in non-European states 13 - 14 November 2008, Mexico City Karel Neuwirt The Czech Republic and the Council of Europe
Content:1. History of privacy2. Legal document regarding data protection3. The Council of Europe Convention 108 and DP principles4. Processing of sensitive data in medical sector5. Patient’s rights and health professionals duties 2nd Conference, Mexico City, November 2008
STATEMENT OF THE SIXTH IBERO- AMERICAN DATA PROTECTION NETWORK MEETING “A commitment to attain International Data Protection and Privacy Standards” Giving an appropriate response towards the protection of personal information makes it necessary to adopt international standards such as to provide individuals, regardless of where their data are processed In this respect, the Council of Europe’s Convention 108, which can be ratified bynon-European States, is still a benchmark in terms of guaranteeing theadequate protection of personal information. 2nd Conference, Mexico City, November 2008
History of privacy • The Bible has numerous references to privacy • 1361 – the Justice of the Peace Act (England) • 1776 – Access to Public Record (Sweden) • 1858 – prohibition the publication of private facts (France) • 1889 – prohibition the publication of information relating to “personal or domestic affairs” (Norway) • Interest in the right of privacy increased in the 1960s and 1970s – advent of information technology 2nd Conference, Mexico City, November 2008
History • Land of Hesse (Germany 1970) – the first data protection law in the world • Sweden (1973), Germany (1977), France (1978) 2nd Conference, Mexico City, November 2008
Magna Carta Libertatum (The Great Charter of Freedoms) England,John of England signs it on 15 June 1215 Source NPTN and Wikipedia 2nd Conference, Mexico City, November 2008
Privacy definition Louis Brandeis (1856-1941): “The right to be left alone.“ (1890) • Alan F. Westin (*1929): “The claim of individuals... to determine for themselves when, how, and to what extent information about them is communicated to others.“ (1967) Privacy is a fundamental requirement for any modern democracy 2nd Conference, Mexico City, November 2008
Legislation - Europe • Convention for the Protection of Human Rights and Fundamental Freedoms (Rome, 1950) • Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data (Council of Europe, ETS 108, 1981) • Directive on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such Data (The European Parliament and the Council, 95/46/EC, 1995) 2nd Conference, Mexico City, November 2008
Legislation - Europe • Recommendations of Council of Europe • Decisions of the European Commission • Working Party according the Article 29 (WP 29) • Judgments of the European Court of Human Rights (Strasbourg) • Conference of the European Commissioners for Data Protection (2001-Athens, 2002-Bonn, 2003-Sevilla, 2004-Rotterdam, 2005-Krakow, 2006-Budapest, 2007-Larnaca (Cyprus), 2008-Rome, 2009-Edinburg) • Berlin Group (data protection in telecommunication sector) 2nd Conference, Mexico City, November 2008
European Human Rights Convention • Article 8 (1) Everyone has the right to respect for his private and family life, his home and his correspondence (2) There shall be no interference by a public authority with the exercise of this right except as in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of morals, or for the protection of the rights of others 2nd Conference, Mexico City, November 2008
Council of Europe • 47 Member States • 5 observer countries: the Holy See, the United States, Canada, Japan, Mexico. • The Observer Status was granted to Mexico on 1st December 1999 2nd Conference, Mexico City, November 2008
History of Convention 108 • 1968–CoE Parliamentary Assembly addressed Recom.509 to the Committee of Ministers • 1973, 1974– adoption two Resolution on data protection • 1978– Committee of Ministers instructed CJ-PD to prepare “a convention for the protection of privacy in relation to data processing abroad and transfrontier data processing” • 1980– OECD Guidelines • 198128th January - Committee of Ministers decided to open Convention for signatures • 19851st October – Convention 108 entry into force • 2001 – Additional Protocol opened for signature (2004 entry into force) 2nd Conference, Mexico City, November 2008
History of Convention 108 • In 1968, the Parliamentary Assembly asked Committee of Ministers to examine whether the European Human Rights Convention and the domestic law of member states offered adequate protection to the right of privacy vis-à-vis modern science and technology • The study showed that the present legislation gave insufficient protection of human privacy and other rights of individuals with regard automated processing of data • Two resolutions were adopted by Committee of Ministers (in 1973 and 1974) • Within 5 years later, general data protection laws have been adopted in 7 member states • In April 1980 the text of the Convention has been finalized • Committee of Ministers (in its 33rd meeting) adopted the text and decided to open it for signature on 28 January 1981 2nd Conference, Mexico City, November 2008
Convention No.108 • The 1st legally binding international data protection instrument • Strasbourg 28.1.1981 (open for signature) • Article 8 Human Right Convention • A part of Schengen acquis • 2008: Signature - 3 countries (not followed by ratification) Ratification – 40 countries 2nd Conference, Mexico City, November 2008
Additional Protocol • Additional Protocol to the Convention 108 regarding supervisory authorities and transborder data flows ETS no. 181 – 8.11.2001 (opened for signature) • 2008: Signature – 14 countries (not followed by ratification) Ratification – 20 countries 2nd Conference, Mexico City, November 2008
Committee of MinistersDecisionCM/Del/Dec(2008)1031, 4 July 2008(its 1031st meeting)The Deputies1. took note of the T-PD’s recommendation that non-member states with data protection legislation in accordance with the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108)should be allowed to accede to this convention; 2. agreed to examine any accession request in the light of this recommendation; 3. instructed the Secretariat to disseminate information about the convention; 4. took note of the abridged report of the 24th plenary meeting of the T-PD as awhole, as it appears in document CM(2008)81 2nd Conference, Mexico City, November 2008
C108: Article 6 Special categories of dataPersonal data revealing racial origin, political opinions or religious or other beliefs, as well as personal data concerning health or sexual life, may not be processed automatically unless domestic law provides appropriate safeguards. The same shall apply to personal data relating to criminal convictions. 2nd Conference, Mexico City, November 2008
SPECIAL CATEGORIES OF DATA personal data revealing • political opinions, • racial or ethnic origin, • religious or philosophical beliefs, • trade-union membership, data concerning • health, • sex life Processing of sensitive data is prohibited The degree of sensitivity of categories of data depends on the legal and sociological context of the country concerned 2nd Conference, Mexico City, November 2008
CoE Recommendations • 11 sectors oriented (finance operation, direct marketing, statistics, medical, telecommunication, police, social insurance, employment,…) • technically oriented – Internet, surveillance, smart cards, biometrics, profiling 2nd Conference, Mexico City, November 2008
Sensitive data – it is a data “which are capable by their nature of infringing fundamental freedoms or privacy” 2nd Conference, Mexico City, November 2008
Data protection and electronic health record A comprehensive medical record or similar documentation of the past and present physical and mental state of health of an individual in electronic form and providing for ready availability of these data for medical treatment and other closely related purposes. Definition by WP29 document on the processing of personal data relating to health in electronic health records (EHR), WP 131, 2007. 2nd Conference, Mexico City, November 2008
Principle of finalityPersonal data undergoing processing shall be: stored for specific and legitimate purposes and not used in a way incompatible with those purposes 2nd Conference, Mexico City, November 2008
Principle of necessity and proportionalityPersonal data undergoing processing shall be: adequate, relevant and not excessive in relation to the purposes for which they are stored 2nd Conference, Mexico City, November 2008
Principle of accuracyPersonal data undergoing processing shall be:accurate and, where necessary, kept up to date 2nd Conference, Mexico City, November 2008
Principle of the length of conservationPersonal data undergoing processing shall be: preserved in a form which permits identification of the data subjects for no longer than is required for the purpose for which those data are stored 2nd Conference, Mexico City, November 2008
What is processing ?Collection Combination Preservation TransmissionRecording Closure Exchange AccumulationOrganisation Erasure Sorting ClassificationStorage Destruction Blocking HoldingAlteration Modification Liquidation AcquisitionConsultation Searching Registration BrowsingRetrieval Transferring Arrangement Re-organisationDissemination Use Making availableDisclosure Publication Utilisation Logical operationDisplacement Provision Accessibility Transformation etc. etc. 2nd Conference, Mexico City, November 2008
Principle of security measuresData securityAppropriate security measures shall be taken for the protection of personal data store in automated data files against accidental or unauthorised destruction or accidental loss as well as against unauthorised access, alteration or dissemination. 2nd Conference, Mexico City, November 2008
Principle of transparencyAdditional safeguard for the data subjectAny person shall be enabled:a. to establish the existence of an automated personal data file, its main purposes, as well as the identity and habitual residence or principal place of business of the controller of the file;b. to obtain at reasonable intervals and without excessive delay or expense confirmation of whether personal data relating to him … c. to obtain, as the case may be, rectification or erasure of such data if these have been processed contrary to the provisions of domestic law …d. to have a remedy if a request for confirmation or, as the case may be, communication, rectification or erasure as referred to in paragraphs b. and c. of this article is not complied with. 2nd Conference, Mexico City, November 2008
Three principles of healthcare confidentiality Healthcare professionals should respect: • Individuals have a fundamental right to the privacy and confidentiality of their health information • Individuals have a right to control access to and disclosure of their own health information by giving, withholding or withdrawing consent • For any disclosure of confidential information healthcare professionals must have regard to its necessity, proportionality and attendant risks 2nd Conference, Mexico City, November 2008
The Legal Basis of Privacy and Confidentiality • Universal Declaration of Human Rights (1948) art.12 • Universal Declaration on Bioethics and Human Rights (2005) art.9 • Charter of Fundamental Rights of the European Union (2000/C 364/01) arts. 7, 8 • Convention for the Protection of Human Rights and Fundamental Freedoms (ETS 005, 1950) art.8 • Convention for the Protection of Individuals with regard to automatic processing of personal data (No. 108, 1981) • Convention for the Protection of Human Rights and Dignity of the Human Being with Regard to the Application of Biology and Medicine: Convention on Human Rights and Biomedicine (No. 164, 1997) 2nd Conference, Mexico City, November 2008
Data protection principles Rights for individuals (data subjects) • to receive certain information whenever data are collected • access to the data • to have data corrected • to object to certain types of data processing 2nd Conference, Mexico City, November 2008
Patients have a right, both ethical and legal (EC Directive 95/46/EC on data protection), to know what information a healthcare professional holds in relation to them and disclosure of their healthcare records to the patient is thus always justified. Healthcare professionals must respect patients’ requests for access to their healthcare information and comply with their legal obligations under Data Protection laws. 2nd Conference, Mexico City, November 2008
Data protection principles- 2 Obligations of data controllers • to use personal data for specified, explicit and legitimate purposes • to guarantee the security of the data against accidental or unauthorized access or manipulation • to notify a supervisory authority before carrying out all processing operations 2nd Conference, Mexico City, November 2008
Healthcare professionals must ensure that patients and/or their legal representative are informed in a manner appropriate for the patient’s communication needs:• of what kinds of information are being recorded and retained;• of the purposes for which the information is being recorded and retained;• of what protections are in place to ensure nondisclosure of their information;• of what kinds of information sharing will usually occur;• of the choices available to them about how their information may be used and disclosed;• about their rights to access and where necessary to correct the information held about them within healthcare records;• the information required to be provided to them by national law implementing Directive 95/46/EC; and • country specific legal provisions or principles governing disclosure. 2nd Conference, Mexico City, November 2008
How must personal data be processed • Fairly and lawfully • Collected for specific purposes and used accordingly • Purpose - explicit and legitimate • adequate, relevant and not excessive • accurate and when necessary up to date • kept no longer than necessary 2nd Conference, Mexico City, November 2008
All health service organisations must have policies for informing patients and/or their legal representative of the protections, uses and disclosures of their information for secondary purposes: (e.g.):- planning of services; - payment for services; - management of services; - contracting of services; - risk management; - patient safety; - investigating complaints; - auditing accounts and performance; - local and national inquiries; - teaching; - research. 2nd Conference, Mexico City, November 2008
When can personal data be processed • Data subject has unambiguously given consent • Necessary for performance of the contract • Required by law • Necessary to protect a vital interest • Necessary in the public interest • Legitimate interest of controller or 3rd person 2nd Conference, Mexico City, November 2008
Express consent from the patient or their legal representative should where possible be obtained before any proposed secondary uses of their personal information. Where there is agreement to disclosure, only the minimum necessary patient identifiable information should be used for each legitimate healthcare purpose. 2nd Conference, Mexico City, November 2008
Patient’s consent and medical research A general consent may permit research use of the personal information, where potential participants are initially properly informed about general details of the Database including for example: - what data will be placed into the database; - how research on the data will be regulated and supervised; - how privacy will be secured (non-technical measures); - to what other data this data will be connected; - who will have access to their information; - that their data will only be used for specified healthcare purposes; - the data will be used for the research of named diseases; - who will be likely to benefit from the research; - who will profit financially or other from the research; - that participants will be regularly informed if they wish about the research; • that they can opt out of the research at any time if they choose 2nd Conference, Mexico City, November 2008
Supervision Independent supervisoryauthorities Convention 108 (art. 13) Additional Protocol to C108 (art. 1) Directive 95/46/EC (art. 28) 2nd Conference, Mexico City, November 2008
MUCHAS GRACIAS POR SU ATENCIÓN karel.neuwirt@centrum.cz 2nd Conference, Mexico City, November 2008