PRINCIPLES APPLYING TO AUTOMATED MEDICAL DATA BANKS 1. Scope and purpose of the regulations
1.1. The following principles apply to automated data banks set up for purposes of medical care, public health, management of medical or public health services or medical research, in which are stored medical data and, as the case may be, related social or administrative data pertaining to identified or identifiable individuals (automated medical data banks).
1.2. Every automated medical data bank should be subject to its own specific regulations, in conformity with the laws of the state in whose territory it is established.
The regulations of medical data banks used for purposes of public health, management of medical and health services, or for the advancement of medical science should have due regard to the pre-eminence of individual rights and freedoms.
1.3. The regulations should be sufficiently specific to provide ready answers to those questions likely to arise in the operation of the particular medical data bank.
1.4. Where a medical data bank combines several sets of medical records or sub-systems of medical data, each of these elements may require separate supplementary regulations relating to its special features.
1.5. The requirements and obligations following from this recommendation are to be taken duly into account not only with regard to medical data banks which are operational, but also those which are in the development phase. 2. Public notice of automated medical data banks
2.1. Plans for the establishment of automated medical data banks as well as plans for the fundamental modification of existing banks should be brought to the notice of the public in advance.
2.2. When an automated medical data bank becomes operational a public notice thereof should be given, relating at the very least to the following features:
a. the name of the medical data bank; 3. Minimum contents of the data bank's regulations
b. reference to the instrument pursuant to which the medical data bank has been established;
c. a summary of the data bank's regulations and an indication of how the complete regulations can be obtained or consulted.
3.1. The data bank's regulations should at least contain provisions on:
4. Recording of data
a. its specific purpose(s);
b. the categories of information recorded;
c. the body or person for whom the data bank is operated and who is competent to decide which categories of data should be processed;
d. the person(s) in charge of its day-to-day running;
e. the categories of persons who are entitled to cause data to be placed in storage, modified and erased ("originators of the data");
f. the person or body
- to whom certain decisions must be submitted for approval;
- who supervises the use of the data bank;
- to whom appeal may be made in the event of dispute;
g. the categories of persons who have access to the data bank in the course of their work and the categories of data to which they are entitled to have access;
h. the disclosure of information to third parties;
i. the disclosure of information to the individuals concerned ("data subjects");
j. the long-term conservation of data;
k. the procedure concerning requests for use of data for purposes other than those for which they have been collected;
l. the security of data and installations;
m. whether and on which conditions linking with other data banks is permitted.
4.1. The person or body responsible for establishing and/or managing a medical data bank should ensure that:
a. data are collected by lawful and fair means;
b. no data are collected other than those which are relevant and appropriate to the declared purpose(s);
c. so far as is practicable the accuracy of the data is verified; and
d. the contents of the record are kept up to date as appropriate.
4.2. In order to ensure on the one hand selective access to the information in conformity with paragraph 5.1. and on the other hand the security of the data, the records must as a general rule be so designed as to enable the separation of:
a. identifiers and data relating to the identity of persons;
b. administrative data;
c. medical data;
d. social data.
A distinction between objective and subjective data is to be made with regard to the data mentioned under c and d above.
Where, however, it is unnecessary or impossible to achieve such separation, other measures must be taken in order to protect the privacy of individuals and confidentiality of the information.
4.3. A person from whom medical information is collected should be informed of its intended use(s). 5. Access to and use of information
5. 1. As a general rule access to the information may be given only to medical staff and, as far as national law or practice permits, to other health care staff, each person having access to those data which he needs for his specific duties.
5.2. When a person mentioned in the previous paragraph ceases to exercise his functions, he may no longer store, modify, erase or gain access to the data, save by special agreement with the person or body mentioned in paragraph 3.1.f.
5.3. A person referred to in paragraph 5.1 who has access to data in the course of his work may not use such data for a purpose different from that for which he originally had access to those data, unless:
a. he puts the information in such a form that the data subject cannot be identified, or
b. such different use has been authorised by the person or body referred to in paragraph 3.1.f., or
c. such different use is imposed by a provision of law,
it being understood that national law or practice may impose an additional obligation to obtain the consent of the data subject (or, should he be deceased, of his family) or his physician.
5.4. Without the data subject's express and informed consent, the existence and content of his medical record may not be communicated to persons or bodies outside the fields of medical care, public health or medical research, unless such a communication is permitted by the rules on medical professional secrecy.
5.5. Linking or bringing together information on the same individual contained in different medical data banks is permitted for purposes of medical care, public health or medical research, provided it is in accordance with the specific regulations. 6. The data subject and his medical record
6.1. Measures should be taken to enable every person to know of the existence and content of the information about him held in a medical data bank.
This information shall, if the national law so provides, be communicated to the data subject through the intermediary of his physician.
No exception to this principle shall be allowed unless it is prescribed by law or regulation and concerns:
a. data banks which are used only for statistics or scientific research purposes and when there is obviously no risk of an infringement of the privacy of the data subject;
b. information the knowledge of which might cause serious harm to the data subject.
6.2. The data subject may ask for amendment of erroneous data concerning him and, in case of refusal, he may appeal to the person or body referred to in paragraph 3.1.f.
When the information is amended, it may nevertheless be provided that a record will be kept of the erroneous data so far as knowledge of the error may be relevant to further medical treatment or useful for research purposes. 7. Long-term conservation of data
7.1. As a general rule, data relatable to an individual should be kept on record only during a period reasonably useful for reaching their main purpose(s).
7.2. Where, in the interest of public health, medical science, or for historical or statistical purposes it proves desirable to conserve medical data that have no longer any immediate use, technical provision is to be made for their correct conservation and safekeeping. 8. Professional obligations
In addition to the members of the health care staff, the data processing personnel and any other persons participating in the design, operation, use or maintenance of a medical data bank, must respect the confidential nature of the information and ensure the correct use of the medical data bank. 9. Extended protection
None of the principles in this appendix shall be interpreted as limiting the possibility for a member state to introduce legal provisions granting a wider measure of protection to the persons to whom medical data refer.