Today, the European Data Protection Supervisor (EDPS) adopted an opinion on the Commission's proposal for a Directive on standards of quality and safety of human organs intended for transplantation. The proposal provides for national quality programmes to advance organs donation and transplantation, including a traceability mechanism to ensure that all organs can be traced from donation to reception and vice versa. The proposed procedure involves the collection and circulation of health data, which are regarded as sensitive and therefore fall under the stricter rules of EU data protection legislation.
The EDPS welcomes the attention given in the proposal to the data protection needs arising both for the donors and the recipient of organs, especially as concerns the requirement for keeping their identities confidential. He however recommends to further emphasize the need for reinforced protection of the donors' and recipients' personal data throughout the organs traceability chain established within the proposal. This can be achieved with the application of strong organisational and technical security measures, both in the national donors and recipients databases, as well as in the cross-border exchange of organs.
Peter Hustinx, EDPS, says: "Without obstructing the fast and efficient transfer of organs, strong data protection safeguards must be put in place throughout the donation and transplantation chain. This can primarily be done through the adoption of strict and sound security measures in the relevant national services so as to ensure confidentiality, integrity, accountability and availability of data. The adoption of a proper mechanism for the identification of the donors and recipients is also crucial, especially for the exchange of organs at cross-border level".
Basic principles for national security measures may include the following:
With regard to the cross-border exchange of organs, the need for harmonizing information security policies among Member States should be further stressed. In addition, special attention should be paid to the possibilities of indirect identification of donors and recipients' data (pseudonymisation). The EDPS also recommends specific consultation with the national data protection authority when organs are exchanged with third countries.