Santé

Avis sur la proposition de directive relative aux normes de qualité et de sécurité des organes humains destinés à la transplantation, JO C192, 15.08.2009, p. 6

The proposal provides for national quality programmes to advance organs donation and transplantation, including a traceability mechanism to ensure that all organs can be traced from donation to reception and vice versa. The proposed procedure involves the collection and circulation of health data, which are regarded as sensitive and therefore fall under the stricter rules of EU data protection legislation.

The EDPS welcomes the attention given in the proposal to the data protection needs arising both for the donors and the recipient of organs, especially as concerns the requirement for keeping their identities confidential. He however recommends to further emphasize the need for reinforced protection of the donors' and recipients' personal data throughout the organs traceability chain established within the proposal. This can be achieved with the application of strong organisational and technical security measures, both in the national donors and recipients databases, as well as in the cross-border exchange of organs.

• Basic principles for national security measures may include the following:
• adoption of a specific information security policy;
• definition of a confidentiality and access control policy, together with data confidentiality guarantees for the persons involved in the processing;
• addressing security mechanisms in the national databases, based on the concept of "privacy by design" (i.e. application of data protection requirements as early as possible in the life cycle of new technological developments);
• ensuring regular monitoring and independent audits of the security policies in place.

With regard to the cross-border exchange of organs, the need for harmonizing information security policies among Member States should be further stressed. In addition, special attention should be paid to the possibilities of indirect identification of donors and recipients' data (pseudonymisation). The EDPS also recommends specific consultation with the national data protection authority when organs are exchanged with third countries.

Avis concernant la proposition de directive relative à l'application des droits des patients en matière de soins de santé transfrontaliers, JO C 128, 06.06.2009, p. 20

The proposal aims at establishing a Community framework for the provision of cross-border healthcare within the EU, for those occasions where the care patients seek is provided in another Member State than in their home country. The implementation of such a scheme requires the exchange of personal data relating to the health of patients between authorized organisations and healthcare professionals of different Member States.

The EDPS welcomes the proposal and expresses his support to the initiatives of improving the conditions for cross-border healthcare. He expresses concerns, however, about the fact that EC healthcare related initiatives are not always well co-ordinated with regard to ICT use, privacy and security, thus hampering the adoption of a universal data protection approach towards healthcare. This is also evident in the proposal where references to data protection are mainly of a general nature and do not adequately reflect the specific privacy-related needs of cross-border healthcare.

The EDPS defines two main areas of concern regarding data protection in cross-border healthcare: a) the different security levels which may be applied by the Member States for the protection of personal data, and b) privacy integration in e-health applications. To this end, the EDPS makes the following recommendations:

• Provision of a clear definition for 'health data'.
• Introduction of a specific Article on data protection, clearly describing the responsibilities of the Member States and identifying areas for further development.
• Adoption of a Community mechanism for the definition of a commonly acceptable security level for health data to be applied by the Member States.
• Incorporation of the notion of 'privacy by design' already in the proposed Community template for e-Prescription.
• Introduction of a more explicit reference to the specific requirements relating to subsequent use of data concerning health as laid down in Article 8 of Directive 95/46.

Avis du 4 juin 2008 sur la notification de contrôle préalable concernant les visites médicales préalables à l'engagement et les visites médicales annuelles (Dossier 2007-176)