The following HTML text is provided to enhance online
readability. Many aspects of typography translate only awkwardly to HTML.
Please use the page image
as the authoritative form to ensure accuracy.
Protecting Data Privacy in Health Services Research
reputation.” This same right is also found in the 1955 European Convention on Human Rights, although the possibility of State “interference”... ”for the protection of health” was specifically foreseen as a possible exception. Although the right to privacy was further strengthened by its inclusion in the 1976 United Nations International Covenant on Civil and Political Rights, it was both the Council of Europe's 1981 Convention for the Protection of Individuals with Regard to the Automatic Processing of Data which considered health data as “special”, and the Organization for Economic Cooperation and Development (OECD's) 1989 Guidelines for the Protection of Privacy and Transborder Flows that established the modern parameters for the principled regulation and security of medical data. The eight OECD principles are: (1) collection limitation; (2) data quality; (3) purpose specification; (4) use limitation; (5) security safeguards; (6) openness; (7) individual participation; and (8) accountability. The 1981 Convention, in particular, established exceptions for data banks for statistics or scientific research purposes as well as the rules for record linkage.
The last decade has also witnessed an increasing emphasis on patient autonomy and patient's rights. Thus, according to the World Health Organization, all health status information should remain confidential even after death (art. 4.1), Declaration on the Promotion of Patient's Rights in Europe). Concurrent with this expanding ambit of confidentiality is that of the notion of identifiability through personal data. The 1995 European Community Directive on the Protection of Individuals (with regard to the processing of personal data and on the free movement of such data) defines personal data as “any information relating to an individual or identifiable natural person “(data subject); an identifiable person is one who can be “identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.” (art. 2.a).
It was however, the 1997 Council of Europe's Convention on Human Rights and Biomedicine that included a new corollary right: “the right not to be informed about health information ” within the concept of respect for private life and the right to information. In a sense, privacy in the health sector once associated with the property of medical records, then as a right of “secrecy ” (i.e., not to be personally identified or “processed” without consent), has now been extended to cover the sphere of personal intimacy through not being informed of one's own health data.
In that same year, the Council of Europe also adopted Recommendation R97 (5) on the Protection of Medical Data. Three articles bear mention here:
Article 1. An individual shall not be regarded as ‘identifiable' if identification requires an unreasonable amount of time and manpower.
Article 3.1. The respect of rights and fundamental freedoms, and in particular of the right to privacy, shall be guaranteed during the collection and processing of medical data.