European Data Protection Supervisor

Health

The General Data Protection Regulation (GDPR) recognises data concerning health as a special category of data and provides a definition of health data for data protection purposes. While the innovative principles introduced by the GDPR (privacy by design or the prohibition of discriminatory profiling) remain relevant and applicable to health data, the need for specific safeguards for personal health data, and for a definitive interpretation of the rules that allows effective and comprehensive protection of such data, has now been addressed by the GDPR. Processes that foster innovation and better quality healthcare, such as clinical trials or mobile health, need robust data protection safeguards in order to maintain the trust and confidence of individuals in the rules designed to protect their data.

27/02/2013
08/02/2013

In vitro diagnostic medical devices

Opinion on the Commission proposals for a Regulation on medical devices, and amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and a Regulation on in vitro diagnostic medical devices

19/12/2012

Clinical trials on medicinal products

Opinion on the Commission proposal for a Regulation on clinical trials on medicinal products for human use, and repealing Directive 2001/20/EC

29/06/2012
28/03/2012

Cross-border threats to health

Opinion on the proposal for a decision of the European Parliament and of the Council on serious cross-border threats to health

See also the text of the proposal

The Commission proposal for a Decision on serious cross-border threats to health aims to increase cooperation between Member States in dealing with communicable diseases and other cross-border threats to health. To this end, it envisages, among other things, a widening of the existing Early Warning and Response System (EWRS) to include new types of health threats and the use of contact tracing.

The EDPS Opinion raises several points for clarification, the most important of which are:

  •  The concept of contact tracing should be defined more clearly and the main types and sources of data to be exchanged should be specified. Also, criteria for assessing the necessity of contact tracing in a given case should be established;
  •  The relationship between the EWRS and the proposed ad hoc surveillance should be clarified, as well as the role of the European Centre for Disease Prevention and Control (ECDC) in ad hoc surveillance;
  •  A more specific reference to data security requirements should be introduced.

Executive summary of the EDPS Opinion

03/12/2010

2009 Annual Report - A year of major importance for the fundamental right to data protection

The report shows that 2009 was of major importance for the fundamental right to data protection.

This is due to a number of key developments: the entering into force of the Lisbon Treaty, ensuring a strong legal basis for comprehensive data protection in all areas of EU policy; the start of a public consultation on the future of the EU legal framework for data protection; and the adoption of a new five-year policy programme for the area of freedom, security and justice ("Stockholm Programme") with the emphasis on the importance of data protection in this area.

The EDPS has been highly involved in these fields and is determined to pursue this course in the near future. 

You can obtain a paper version of this Annual Report on EU Bookshop

Full text of the Annual Report

26/04/2010

Early Warning Response System ("EWRS") - European Commission

Opinion of 26 April 2010 on a notification for prior checking on the Early Warning Response System ("EWRS") (Case 2009-0137)

07/09/2009

EudraVigilance database - EMEA

Opinion of 7 September 2009 on a notification for prior checking regarding the EudraVigilance database (Case 2008-402)

EMEA manages the EudraVigilance database, whose data originates from National Competent Authorities, Market Authorization Holders and sponsors of clinical trials. The purpose of the database is to evaluate suspected adverse reactions to medicinal products for human use. The EDPS considers that the processing is lawful to the extent that EMEA follows the recommendations included in the Opinion, particularly those regarding the data quality principle.

The EDPS recommended, among other things, that EMEA:

  • Engages in an examination of the possibility to minimize the personal data recorded in ICRs as well as of the possibility to anonymise or pseudonymise personal information contained in ICRs;
  • Considers whether a limited conservation period would fulfil the purposes sought by the data processing;
  • Adopts the security measures described in this Opinion.
19/05/2009
22/04/2009

Pharmacovigilance

Opinion on the proposals for a Regulation and for a Directive on pharmacovigilance, OJ C 229, 23.09.2009, p. 19

The EDPS takes the view that the lack of a proper assessment of the data protection implications of pharmacovigilance constitutes one of the weaknesses of the current legal framework set out by Regulation (EC) No 726/2004 and Directive 2001/83/EC. The current amendment of Regulation (EC) No 726/2004 and Directive 2001/83/EC should be seen as an opportunity to introduce data protection as a full-fledged and important element of pharmacovigilance.

A general issue to be addressed thereby is the actual necessity of processing personal health data at all stages of the pharmacovigilance process. As explained in this Opinion, the EDPS seriously doubts this need and urges the legislator to reassess it at the different levels of the process. It is clear that the purpose of pharmacovigilance can in many cases be achieved by sharing information on adverse effects which is anonymous within the meaning of the data protection legislation. Duplication of reporting can be avoided through the application of well-structured data reporting procedures already at national level.

17/03/2009
05/03/2009

Organ transplantation

Opinion on the proposal for a directive on standards of quality and safety of human organs intended for transplantation, OJ C192, 15.08.2009, p. 6

The proposal provides for national quality programmes to advance organs donation and transplantation, including a traceability mechanism to ensure that all organs can be traced from donation to reception and vice versa. The proposed procedure involves the collection and circulation of health data, which are regarded as sensitive and therefore fall under the stricter rules of EU data protection legislation.

The EDPS welcomes the attention given in the proposal to the data protection needs of both the donors and the recipients of organs, especially as concerns the requirement to keep their identities confidential. However, he recommends further emphasising the need for reinforced protection of donors' and recipients' personal data throughout the organ traceability chain established by the proposal. This can be achieved by applying strong organisational and technical security measures, both in the national donor and recipient databases and in the cross-border exchange of organs.

Basic principles for national security measures may include the following:

  • adoption of a specific information security policy;
  • definition of a confidentiality and access control policy, together with data confidentiality guarantees for the persons involved in the processing;
  • addressing security mechanisms in the national databases, based on the concept of "privacy by design" (i.e. application of data protection requirements as early as possible in the life cycle of new technological developments);
  • ensuring regular monitoring and independent audits of the security policies in place.

With regard to the cross-border exchange of organs, the need to harmonise information security policies among Member States should be further stressed. In addition, special attention should be paid to the possibilities of indirect identification of donors' and recipients' data (pseudonymisation). The EDPS also recommends specific consultation with the national data protection authority when organs are exchanged with third countries.

05/03/2009

Organs donation and transplantation: EDPS calls for enhanced security measures at national and cross-border levels

Today, the European Data Protection Supervisor (EDPS) adopted an opinion on the Commission's proposal for a Directive on standards of quality and safety of human organs intended for transplantation. The proposal provides for national quality programmes to advance organs donation and transplantation, including a traceability mechanism to ensure that all organs can be traced from donation to reception and vice versa.

12/12/2008
03/12/2008

EDPS opinion on patient's rights: specific data protection dimension of cross-border healthcare needs to be addressed in more concrete terms

On 2 December 2008, the European Data Protection Supervisor (EDPS) adopted an opinion on a proposal for a Directive on the application of patients' rights in cross-border healthcare. The proposal aims at establishing a Community framework for the provision of cross-border healthcare within the European Union (EU) for those occasions where the care patients seek is provided in another Member State than in their home country.

02/12/2008

Cross-border healthcare

Opinion on the proposal for a Directive on the application of patient's rights in cross-border healthcare, OJ C 128, 06.06.2009, p. 20

The proposal aims at establishing a Community framework for the provision of cross-border healthcare within the EU, for those occasions where the care patients seek is provided in another Member State than in their home country. The implementation of such a scheme requires the exchange of personal data relating to the health of patients between authorized organisations and healthcare professionals of different Member States.

The EDPS welcomes the proposal and expresses his support for the initiatives to improve the conditions for cross-border healthcare. He expresses concerns, however, that EC healthcare-related initiatives are not always well coordinated with regard to ICT use, privacy and security, thus hampering the adoption of a universal data protection approach towards healthcare. This is also evident in the proposal, where references to data protection are mainly of a general nature and do not adequately reflect the specific privacy-related needs of cross-border healthcare.

The EDPS defines two main areas of concern regarding data protection in cross-border healthcare: a) the different security levels which may be applied by the Member States for the protection of personal data, and b) privacy integration in e-health applications. To this end, the EDPS makes the following recommendations:

  • Provision of a clear definition for 'health data'.
  • Introduction of a specific Article on data protection, clearly describing the responsibilities of the Member States and identifying areas for further development.
  • Adoption of a Community mechanism for the definition of a commonly acceptable security level for health data to be applied by the Member States.
  • Incorporation of the notion of 'privacy by design' already in the proposed Community template for e-Prescription.
  • Introduction of a more explicit reference to the specific requirements relating to subsequent use of data concerning health as laid down in Article 8 of Directive 95/46.
04/06/2008

Medical check-ups - CPVO

Opinion of 4 June 2008 on the notification for prior checking regarding pre-employment and annual medical check-ups (Case 2007-176)

This opinion concerns the pre-employment and annual medical check-ups organized at the CPVO. The recommendations of the EDPS include the following:

Regarding data quality, the scope of data collected on the medical overview form and the information included on the certificate of fitness should be revised to comply with the principles of relevance and proportionality.  As to the conservation of the data, a reasonable, definite time frame must be established by the CPVO for the conservation of each category of employee and candidate medical data held by the CPVO. On information to data subjects, clear and specific information needs to be provided to data subjects regarding all items listed under Articles 11 and 12 of the Regulation. With respect to the pre-employment medical check-up, the EDPS also recommends the additional information on anti-discrimination referred to in point 3.8.4 of the Opinion. Finally, with regard to processing data on behalf of controllers, the service contracts concluded with the CPVO Physician and the CPVO Medical Centre should be modified to address data protection aspects pursuant to Article 23 of the Regulation. Instructions should be provided to the processors to comply with the minimum data protection safeguards recommended in this Opinion.

19/09/2007
05/09/2007

Community statistics on health data

Opinion on the proposal for a Regulation of the European Parliament and of the Council on Community statistics on public health and health and safety at work (COM(2007) 46 final), OJ C 295, 7.12.2007, p. 1

On 5 September, the EDPS adopted an Opinion on a proposal for a Regulation of the European Parliament and of the Council on Community statistics on public health and health and safety at work.
 
The proposal aims at establishing the framework for all current and foreseeable activities in the field of Public health and Health and Safety at Work statistics carried out by the European Statistical System (i.e. Eurostat), the national statistical institutes and all other national authorities responsible for the provision of official statistics in these areas.
 
The main recommendations refer to the necessity to address the differences between Data Protection and Statistical Confidentiality and the notions which are specific to each area. Transfers of personal data to third countries as well as conservation periods of statistical data are also analysed.
 
Following discussion between the services of Eurostat and the EDPS, a common review of the processes put in place in Eurostat when dealing with individual records for statistical purposes will be conducted and may lead to the need for prior-checking.

COM(2007) 46 final of 07.02.2007

14/12/2006
