16 March 2012
For some years, regulators and commentators have been aware that the regulatory framework governing the processing of personal data within Europe (through the EU Data Protection Directive 95/46/EC and the UK Data Protection Act (1998)) was in need of some reform to take account of technological advances and an emerging global market for data. In January 2012, the EU published a draft Data Protection Regulation and Draft Data Protection Directive in the first step towards legislative change – expected to culminate in new legislation in 2014.
Significantly, the processing of personal health data for health purposes and for medical research is governed by the draft Regulation, which, once enacted, will have direct effect on member states (rather than requiring intervening national legislation).
Both the Directive and the Regulation offer new definitions for personal data which, in effect, widen the scope of the legislation. Increased emphasis is placed on the rights of the individual data subject to be fully informed and to understand the full extent of how their personal data is used. The requirements for consent are more explicit and robust, requiring that any consent should be given explicitly, enabling a ‘freely given, specific and informed indication of the data subject’s wishes’ (Recital 25). Data subjects can more easily access details of processing that concerns them, and for the first time, obligations are placed on data processors to ‘rectify’ data.
These increased rights afforded to the data subject are balanced by strengthened exemptions for data processing for health, public health (Article 81) and for ‘historical, statistical and scientific research’ (Article 83). These offer a more robust framework for those providing healthcare and medical research, and provide increased clarity about what the law allows.
Another significant change is that ‘genetic data’ is defined within the draft regulatory framework for the first time, as all data ‘concerning the characteristics of an individual which are inherited or acquired during early prenatal development’. This definition should be refined to clarify that only ‘identifying’ genetic data should be within the scope of the Regulation. Generally, however, if the draft Directive and Regulation remain in their current form and the exemptions survive European and national scrutiny by member states, these reforms would seem to offer a sensible and proportionate way forward.
Comment: Technological changes and social networks undoubtedly create challenges that were not anticipated by policy makers when the Data Protection Directive was enacted in 1995. However, some of the proposals contained in the draft framework could be unduly burdensome in the context of large-scale, population-based research. One example is the proposed controls placed on the transfer of personal data to unauthorised countries or organisations with an ‘inadequate’ level of protection.
Other uncertainties arise from the definitions that are used: for example, it is unclear whether those processing personal data which is pseudonymised (or key-coded) have to comply with the Regulation. This issue and many others are highlighted in a PHGF response to a Ministry of Justice Call for Evidence on the proposed reforms.