This article is part of our special report Data protection.
Health and medical data need specific attention when legislation on data protection is at stake. Patients’ data contain highly sensitive information and require particularly strict protection and security mechanisms against any unauthorised access, mismanagement, or identity theft, says Katrín Fjeldsted.
Dr Katrín Fjeldsted is the president of the Standing Committee of European Doctors (CPME).
"Confidentiality of the information exchanged between a patient and his/her doctor shall under no circumstances be compromised. This is a matter of trust and is fundamental to the patient-doctor relationship.
A breach of this confidentiality, because of low data protection security standards, might very well undermine this trust. At the end of the day, the effects on the treatment outcome will be disastrous and to the detriment of the patient.
Nonetheless, the sensitivity of health and medical data does not mean that they should be locked forever with nobody allowed to access it. A doctor willing to understand the medical history of his/her patient will need to access and process the medical record.
While data protection laws are there to guarantee efficient security standards for patients’ privacy, they should not impede doctors to do their job: treat their patients.
Hence, the legislator has to find the right balance between an easy access for doctors to their patients’ data and the protection of patients’ right to confidentiality and private life. We are convinced this is feasible, be the five following conditions respected:
First of all, a distinction in the level of consent requirements needs to be established between primary and secondary use of health data.
In the context of primary use of health data, it might be difficult to obtain explicit consent from the patient in addition to his agreement to be treated, e. g. when a physician needs to share a patient’s data within a defined healthcare team. The act of seeking and agreeing to treatment should automatically be considered as consent of the subject for his/her data to be processed.
In the context of secondary use of health data, e. g. for research purposes, explicit and informed consent of the patient must be sought. To consciously decide on whether or not s/he wants to take part in a research study, the patient needs to be fully informed of the foreseen risks and benefits of the study, but also of his/her rights as well as possible alternatives. The ethical conduct of medical research is based on the premise that the principle of informed consent is fully respected. While some research cases can necessitate more flexible solutions to the provision of consent, we believe these should be exceptional, strictly regulated and justified (please see the World Medical Association’s Declaration of Helsinki, which sets an international standards as early as 1975). The obligation for informed consent to be sought by researchers – standard at International level for decades – should under no circumstances be waived by the future European regulation.
The right to be forgotten is also crucial for the data subject to keep control over his/her data. However, some exemptions are needed for certain specific and well-defined cases. In the treatment provision context, data needs to be retained for purposes of preventive, legal and occupational medicine, medical diagnosis, provision of care and treatment, as well as for the management of healthcare services. This is currently not acknowledged in the Commission’s proposal and we urge the Legislator to introduce this measure, otherwise the health care system will not be able to provide high quality of care and to safeguard patient-safety.
Furthermore, a big number of European physicians practice in small and medium sized medical practices. We are concerned by the introduction of the necessity to conduct impact assessments and the creation of a data protection officer. While we do understand the necessity for big entities, e.g. hospitals, to implement these requirements since they process a critical mass of data, we fear small and medium sized practices will not be equipped to face this challenge. Indeed, they neither have the financial nor the human resources to comply with these unproportional requirements. Physicians might in the end be impeded in the conduct of their core activity. We hope the legislator will take account of these specificities and propose viable alternate solutions.
The upcoming vote in the European Parliament on the general data protection regulation is the opportunity to ensure strong data protection rules for high quality healthcare in Europe. We call on members of the European Parliament to take up this role for the best interest of patients.