Top

Health and Technology

Published in:

07-03-2017 | Original Paper

The processing of health information- protecting the individual right to privacy through effective legal remedies

Author: Björg Thorarensen

Published in: Health and Technology | Issue 4/2017

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

The right to privacy generally belongs to constitutionally protected rights and is listed with fundamental human rights in international human rights instruments. Personal health information is particularly important element of private life, and health data is defined and accepted as sensitive personal data. Modern computer and information technology is capable of processing enormous amounts of data concerning health, which entails a growing risk of violations of privacy by both public authorities and private entities. This article addresses the concept of privacy, as a legal term and a human right, and judicial remedies to enforce the right before national authorities. Whereas no single comprehensive federal law exists in the US for instance, regulating the collection and use of personal data, European states have adopted an extensive regulatory framework on the issue. The European Court of Human Rights in Strasbourg has repeatedly confirmed that information about a person’s health is an important element of one’s private life. Accordingly, processing of health information is an interference with the right to privacy, which may however be justified with a reference to public interests such as scientific research, subject to certain legal requirements. Finding a fair balance between the competing public and private interests is a complicated task. A case study will be made of Iceland, where the European treaties and regulations on protection of personal data have been implemented into domestic law. The Icelandic courts have resolved questions related to processing of health data and violations of privacy, and inter alia declared unconstitutional, legislation on the establishment of a centralised health sector database. This illustrates how legislation, accompanied with effective individual access to the courts, may offer legal reliefs to individuals claiming violation of their right to privacy.

previous article Oversight of EU medical data transfers – an administrative law perspective on cross-border biomedical research administration

next article The choice architecture of privacy decision-making

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Article 12 of the Universal Declaration of Human Rights, adopted by General Assembly resolution 217 A (III) of 10 December 1948.

It should be noted that the two European instruments, the European Convention on Human Rigths and the Charter of Fundamental Rights of the European Union are fundamentally different in nature and origin, the former being a traditional treaty ratified by 47 the Member States of the Council of Europe while the latter forms a part of the constitutional basis of the European Union, which is a supranational institution. All the 28 members of the Union are also state parties to the ECHR.

See, e.g., the IVth Amendment to the Constitution of the United States of 15 December 1791 and more specifically Article 102 of the Norwegian Constitution adopted on 17 May 1814 and Article 86 of the Danish Constitution of 5 June 1849.

Traditionally, reference is made to the influential 1890 article The Right to Privacy, by Samuel Warren and Louis D. Brandeis, published in Harvard Law Review, Vol. IV, No. 5, which postulated a general common-law legal right of privacy. The leading U.S. Supreme Court judgment on the issue Griswold v. Connecticut 381 U.S. 479, pronounced in 1965, which established explicitly that the Constitution protected the right to privacy, focused on aspects related to law which infringed marital privacy.

The ICCPR has been ratified by 168 Member States, including the United States.

Human Rights Committee: The right to respect of privacy, family, home and correspondence, and protection of honour and reputation (Art. 17). General Comment 16, 8 August 1988, para.10. It should be noted that the UN has also adopted Guidelines Concerning Computerized Personal Data Files. General Council Resolution No. 45/95 of 14 December 1990.

Council of Europe, ETS No. 005 Convention for the Protection of Human Rights and Fundamental Freedoms of 4 November 1950, available at http://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/005.

See judgment of 4 December 2008, in the Case of S. and Marper v. The United Kingdom, No. 30562/04 and 30,566/04, paragraph 66 and 67. The case dealt with the question whether the retention by the police of fingerprints, DNA profiles and cellular samples violated the applicants’private life under Article 8. DNA profiles are a special type of health oriented data, and such profiles which are produced from biological material can unambigously identify a person. The European Court of Human Rights assessed carefully the limitation requirements in pararaph 2 of Article 8. It concluded that the blanket and indiscriminate nature of the powers of retention of the fingerprints, cellular samples and DNA profiles of persons suspected but not convicted of offences, as applied in the case of the applicants, failed to strike a fair balance between the competing public and private interests. Accordingly, it constituted a disproportionate interference with the applicants’right to respect for private life and could not be regarded as necessary in a democratic society.

Case of Z. v. Finland, No. 22009/93, judgment of 25 February 1997, paras. 95–97. Emphasis is provided by the Author, and does not appear in the text of the judgment.

Ibid, paras.110–113.

See also, regarding processing of health data, Case of LL v. France, No. 7508/02, judgment of European Court of Human Rights of 10 October 2006. The Court concluded that the use of medical data in divorce proceedings before domestic courts was, in the light of the fundamental importance of the protection of personal data, not proportionate to the aim pursued and was therefore not “necessary in a democratic society for the protection of the rights and freedoms of others.”

Council of the OECD, Recommendation concerning Guidelines governing the Protection of Privacy and Transborder Flows of Personal Data, 23 September 1980, available at www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm.

Council of Europe, ETS No. 108 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, 28 January 1981, available at http://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/108/signatures?p_auth=00J7LTdc. All the 47 Member States of the Council of Europe have ratified the Convention. On 8 November 2001 an Additional Protocol to the Convention regarding supervisory authorities and transborder data flows was adopted. See ETS No. 181, available at http://www.coe.int/en/web/conventions/full-list/-/conventions/rms/0900001680080626.

Available at http://data.europa.eu/eli/dir/1995/46/oj.

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, available at http://data.europa.eu/eli/reg/2016/679/oj. Furthermore, the EU has adopted Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, available at http://data.europa.eu/eli/dir/2016/680/oj.

Data Protection Directive, Article 2 (a).

Ibid, Article 2 (b).

Ibid, Article 2 (c).

Ibid, Article 2 (h).

Ibid, Article 6 and Article 6 of the1981 Data Protection Convention.

When the new EU Regulation of 2016 comes into force it will become directly applicable as such in all the EU member states, not requiring any implementing measures in domestic law.

Data Protection Directive, Articles 25–26.

Other data falling under special categories according to Article 8 of the Data Protection Directive are data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and data concerning sex life.

In a judgment of the Court of Justice of the European Union in Luxembourg of 6 November 2003, Case C-101/01, the Court confirmed that in the light of the purpose of the Data Protection Directive, the expression “data concerning health” used in Article 8(1) thereof should be given a wide interpretation so as to include information concerning all aspects, both physical and mental, of the health of an individual. Accordingly, information that an individual had injured her foot and was working part-time on medical grounds constituted personal data concerning health within the meaning of Article 8(1) of the Directive.

Data Protection Directive, Article 8 (2).

Ibid, Article 8(3).

Ibid, Preamble, paras. 33, 34 and 42.

One aspect of this right is reflected in Article 7 of the ICCPR which stipulates that “no one shall be subjected without his free consent to medical or scientific experimentation.”

http://www.wired.com/2015/03/iceland-worlds-greatest-genetic-laboratory/

Act on the Protection of Privacy as regards the Processing of Personal Data, No. 77/2000, Article 1.

Patients’ Rights Act, No. 74/1997, Articles 1 and 12.

Health Records Act, No. 55/2009, Articles 1 and 2.

General Penal Code, No. 19/1940, Article 230.

The occurrence of such violations is discussed in Mathews R. On protecting & preserving personal privacy in interoperable global healthcare venues. Health and Technology. June 2016, Volume 6, pp. 53–73.

Judgment of the Supreme Court of Iceland of 25 February 1999, No. 252/1998.

Government Regulation on a Health-Sector Database, No. 32/2000, 22 January 2000

Íslensk erfðagreining ehf, now DeCODE Genetics a subsidiary of the biotechnology company Amgen, and is a biopharmaceutical company based in Reykjavik.

Case No. 151/2003. The judgment is available in English translation at https://epic.org/privacy/genetic/iceland_decision.pdf

Act on Scientific Research in the Health Sector, No. 44/2014, Article 7.

See e.g. Article 13 of the ECHR and Article 2(3) of the ICCPR.

Article 34 of the ECHR.

Rehof LA. Article 12. In: Alfredsson G, Eide A, editors. The universal declaration of human rights. A common standard of achievement. Leiden: Martinus Nijhoff Publishers; 1999.

Mathews R. On protecting & preserving personal privacy in interoperable global healthcare venues. Heal Technol. 2016;6:53–73.CrossRef

Warby M, Moreham N and Christie I. In: Tugendhat and Christie I, editors. The law of privacy and the media. Second edition. Oxford: Oxford University Press; 2011. p 112–113.

Joseph S, Schultz J and Castan M. The international covenant on civil and political rights. Cases, materials and commentary. Second ed. Oxford: Oxford University Press 2004, 476–477.

Rainey B, Wicks E, Ovey C. Jacobs, White & Ovey. The European Convention on Human Rights. Sixth ed. Oxford: Oxford University Press; 2014. p. 362–3.CrossRef

Xenos D. The positive obligations of the state under the European convention of human rights, vol. 12. New York: Routlegde; 2012.

Tomás Gómez-Arostegui H. Defining private life under the European Convention on Human Rights by referring to reasonable expectations. Cal W Int Law J. 2005;35(2):155. Available at SSRN: http://ssrn.com/abstract=669401

Kindt EJ. Privacy and data protection issues of biometric applications: a comparative legal analysis. Dordrecht: Springer Netherlands; 2013. p. 90–2.CrossRef

Hustinx P. EU Data Protection Law: The Review of Directive 95/46/EC and the Proposed General Data Protection Regulation. 2014, 34. Available at http://www.statewatch.org/news/2014/sep/eu-2014-09-edps-data-protection-article.pdf.

10.

Blume P. Protection of informational privacy. Copenhagen: DJØF Publishing; 2002. p. 91.

11.

Blume P. Protection of informational privacy. Copenhagen: DJØF Publishing; 2002. p. 92.

12.

Thorhallsson B, Thorarensen B. Iceland’s democratic challenges and human rights implications. In: Carey HF, editor. European institutions, democratization and human rights protection in the European periphery. Lanham: Lexington Books; 2014. p. 225.

13.

Thorarensen B. Stjórnskipunarréttur. Mannréttindi [Constitutional Law. Human Rights]. Churchill Way: Codex Publishing; 2008. p. 294.

14.

Althingistidindi [Parliamentary Reports] 1999–2000, A, doc.1360.

15.

Thorarensen B. Judicial control over Althingi. Altered balance of powers in the constitutional system. Icelandic Review of Politics & Administration. 2016;12(1):23–46.CrossRef

Title: The processing of health information- protecting the individual right to privacy through effective legal remedies
Author: Björg Thorarensen
Publication date: 07-03-2017
Publisher: Springer Berlin Heidelberg
Published in: Health and Technology / Issue 4/2017
Print ISSN: 2190-7188
Electronic ISSN: 2190-7196
DOI: https://doi.org/10.1007/s12553-017-0184-4

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Wirtschaft"

Springer Professional "Technik"

Other articles of this Issue 4/2017

An introduction to the contributors

“Global privacy and security, by design: Turning the “privacy vs. security” paradigm on its head”

Trust and ethical data handling in the healthcare context

Reflections upon periclitations in privacy: perspectives from Rwanda’s digital transformation

Interrogating “privacy” in a world brimming with high political entanglements, surveillance, interdependence & interconnections

Personal control of privacy and data: Estonian experience

Premium Partner