History and background of protecting health data

Before discussing how health data is protected by the General Data Protection Regulation (GDPR), it is important to know a little bit about the history of the protection of health data. This article will investigate how and why the protection of health data started.

Health data has always been considered to be sensitive information, which can reveal a lot about a person. This is why medical confidentiality prohibits a medical professional to disclose information about a patient’s case. This is a very old obligation, which dates back to ancient Greece and is also known as the Hippocratic Oath. The obligation is of the utmost importance in order to create trust and a trusting environment for patients. If a physician does not have (accurate) information on a patient’s health, this may lead to an inaccurate diagnosis and improper treatment.

Apart from confidentiality we nowadays also know privacy and data protection, which not only bind healthcare providers by oath, but also by law. Medical confidentiality, privacy and data protection in this context all have the same scope: to create trust. In view of rapid technological developments in healthcare, the health sector pushed for regulation of data protection. Privacy and data protection started to appear in human rights documents after the Second World War, when Information and Communication Technologies (ICT) gradually started to emerge.

Europe

In Europe there are two major international organisations who determined the data protection landscape: the Council of Europe and the European Union (EU). Privacy was first mentioned in article 8 of the Council of Europe’s European Convention on Human Rights (ECHR) and later also in article 7 of the Charter of Fundamental Rights of the European Union (the Charter). Data protection was first mentioned in 1981 in the Council of Europe’s Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data and later also in article 8 of the Charter.

In the same year as Convention 108, the Council of Europe’s Committee of Ministers adopted Recommendation No. R (81) 1 on regulations for automated medical data banks, which was replaced in 1997 by Recommendation No. R (97) 5. Due to the increased use of computers for medical care, medical research, hospital management and public health records it became desirable to ensure the confidentiality, security and ethical use of personal information contained in health records. The Recommendations set out a number of principles, such as access control. Access restrictions safeguard privacy so that only the staff involved in the care of a patient can access the medical records and only the parts which they require for their part of the job. While these Recommendations focus specifically on medical data, they are not legally binding. It is however relevant to know that these recommendations exist for understanding the history and background of health data protection as many principles set in these documents are still valid today.

Convention 108 is the first and the only international legally binding instrument as regards data protection. The Convention provides safeguards for the right to privacy taking into account the increasing flow of automatically processed personal data across borders. Many decisions which affect individuals are based on information stored in computerised data files. These computerised data files have a lot of advantages, but also create a lot of responsibilities for those processing data within these systems. The principles described in the Recommendations as well as in Convention 108 were the first attempts at harmonising data protection laws. They are still the foundation of our data protection rules and regulations to date, albeit perhaps more strictly formulated nowadays to match new technological developments. These developments ignited discussions on modernising Convention 108, which lead to a draft modernised Convention, the status of which is as to date still unknown.

European Union

Although the foundation for data protection across Europe was already set by the Council of Europe in Convention 108 and other documents, there were still inconsistencies in the implementation thereof. Member States had different approaches and there were still some restrictions in cross-border data flows which was seen as an impediment of the internal market by the EU. This is why the EU implemented Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and of the free movement of such data in 1995. This Directive has been replaced by the new General Data Protection Regulations (GDPR) which will become binding law as of 25 May 2018. While the GDPR is based on the same principles as the earlier documents, its content matches better with modern reality. This is why the focus of this course will be on protecting health data in light of the GDPR.