Convention 108 new challenge for data protection in non-European states


Upload: patrick-shaw

Post on 24-Dec-2015


TRANSCRIPT

Page 1:

Convention 108 new challenge for data protection in non-European states

13 - 14 November 2008, Mexico City

Instituto de Acceso a la Información Pública del Distrito Federal

Acceso a la Información y Protección de Datos Personales: Dos Derechos en un Mismo Rostro - 2º Seminario Internacional

Karel Neuwirt

The Czech Republic and the Council of Europe

Page 2:

2nd Conference, Mexico City, November 2008

Content:

1. History of privacy

2. Legal documents regarding data protection

3. The Council of Europe Convention 108 and DP principles

4. Processing of sensitive data in the medical sector

5. Patient’s rights and health professionals’ duties

Page 3:

STATEMENT OF THE SIXTH IBERO-AMERICAN DATA PROTECTION NETWORK MEETING

“A commitment to attain International Data Protection and Privacy Standards”

Giving an appropriate response towards the protection of personal information makes it necessary to adopt international standards such as to provide individuals, regardless of where their data are processed

In this respect, the Council of Europe’s Convention 108, which can be ratified by non-European States, is still a benchmark in terms of guaranteeing the adequate protection of personal information.

Page 4:

History of privacy

- The Bible has numerous references to privacy
- 1361 – the Justice of the Peace Act (England)
- 1776 – Access to Public Record (Sweden)
- 1858 – prohibition of the publication of private facts (France)
- 1889 – prohibition of the publication of information relating to “personal or domestic affairs” (Norway)
- Interest in the right of privacy increased in the 1960s and 1970s – advent of information technology

Page 5:

History

Land of Hesse (Germany 1970) – the first data protection law in the world

Sweden (1973), Germany (1977), France (1978)

Page 6:

Magna Carta Libertatum (The Great Charter of Freedoms) England,

John of England signs it on 15 June 1215

Source NPTN and Wikipedia

Page 7:

Privacy definition

Louis Brandeis (1856-1941): “The right to be left alone.” (1890)

Alan F. Westin (*1929): “The claim of individuals... to determine for themselves when, how, and to what extent information about them is communicated to others.” (1967)

Privacy is a fundamental requirement for any modern democracy

Page 8:

Legislation - Europe

Convention for the Protection of Human Rights and Fundamental Freedoms (Rome, 1950)

Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data (Council of Europe, ETS 108, 1981)

Directive on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such Data (The European Parliament and the Council, 95/46/EC, 1995)

Page 9:

Legislation - Europe

- Recommendations of Council of Europe
- Decisions of the European Commission
- Working Party according to Article 29 (WP 29)
- Judgments of the European Court of Human Rights (Strasbourg)
- Conference of the European Commissioners for Data Protection (2001-Athens, 2002-Bonn, 2003-Sevilla, 2004-Rotterdam, 2005-Krakow, 2006-Budapest, 2007-Larnaca (Cyprus), 2008-Rome, 2009-Edinburgh)
- Berlin Group (data protection in telecommunication sector)

Page 10:

European Human Rights Convention

Article 8

(1) Everyone has the right to respect for his private and family life, his home and his correspondence

(2) There shall be no interference by a public authority with the exercise of this right except as in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of morals, or for the protection of the rights of others

Page 11:

Council of Europe

47 Member States

5 observer countries: the Holy See, the United States, Canada, Japan, Mexico.

The Observer Status was granted to Mexico on 1st December 1999

Page 12:

History of Convention 108

- 1968 – CoE Parliamentary Assembly addressed Recom. 509 to the Committee of Ministers
- 1973, 1974 – adoption of two Resolutions on data protection
- 1978 – Committee of Ministers instructed CJ-PD to prepare “a convention for the protection of privacy in relation to data processing abroad and transfrontier data processing”
- 1980 – OECD Guidelines
- 1981, 28th January – Committee of Ministers decided to open Convention for signatures
- 1985, 1st October – Convention 108 entry into force
- 2001 – Additional Protocol opened for signature (2004 entry into force)

Page 13:

History of Convention 108

- In 1968, the Parliamentary Assembly asked the Committee of Ministers to examine whether the European Human Rights Convention and the domestic law of member states offered adequate protection to the right of privacy vis-à-vis modern science and technology
- The study showed that the present legislation gave insufficient protection of human privacy and other rights of individuals with regard to automated processing of data
- Two resolutions were adopted by the Committee of Ministers (in 1973 and 1974)
- Within the next 5 years, general data protection laws were adopted in 7 member states
- In April 1980 the text of the Convention was finalized
- The Committee of Ministers (in its 33rd meeting) adopted the text and decided to open it for signature on 28 January 1981

Page 14:

Convention No.108

The 1st legally binding international data protection instrument

- Strasbourg 28.1.1981 (open for signature)
- Article 8 Human Right Convention
- A part of Schengen acquis
- 2008: Signature - 3 countries (not followed by ratification); Ratification – 40 countries

Page 15:

Additional Protocol

Additional Protocol to the Convention 108 regarding supervisory authorities and transborder data flows

- ETS no. 181 – 8.11.2001 (opened for signature)
- 2008: Signature – 14 countries (not followed by ratification); Ratification – 20 countries

Page 16:

Committee of Ministers Decision CM/Del/Dec(2008)1031, 4 July 2008 (its 1031st meeting)

The Deputies

1. took note of the T-PD’s recommendation that non-member states with data protection legislation in accordance with the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108) should be allowed to accede to this convention;

2. agreed to examine any accession request in the light of this recommendation;

3. instructed the Secretariat to disseminate information about the convention;

4. took note of the abridged report of the 24th plenary meeting of the T-PD as a whole, as it appears in document CM(2008)81

Page 17:

C108: Article 6 Special categories of data

Personal data revealing racial origin, political opinions or religious or other beliefs, as well as personal data concerning health or sexual life, may not be processed automatically unless domestic law provides appropriate safeguards. The same shall apply to personal data relating to criminal convictions.

Page 18:

SPECIAL CATEGORIES OF DATA

- personal data revealing political opinions, racial or ethnic origin, religious or philosophical beliefs, trade-union membership,
- data concerning health, sex life

Processing of sensitive data is prohibited

The degree of sensitivity of categories of data depends on the legal and sociological context of the country concerned

Page 19:

CoE Recommendations

11 sector-oriented (finance operation, direct marketing, statistics, medical, telecommunication, police, social insurance, employment,…)

technically oriented – Internet, surveillance, smart cards, biometrics, profiling


Page 21:

Sensitive data – data “which are capable by their nature of infringing fundamental freedoms or privacy”

Page 22:

Data protection and electronic health record

A comprehensive medical record or similar documentation of the past and present physical and mental state of health of an individual in electronic form and providing for ready availability of these data for medical treatment and other closely related purposes.

Definition by WP29 document on the processing of personal data relating to health in electronic health records (EHR), WP 131, 2007.

Page 23:

Principle of finality

Personal data undergoing processing shall be: stored for specific and legitimate purposes and not used in a way incompatible with those purposes

Page 24:

Principle of necessity and proportionality

Personal data undergoing processing shall be: adequate, relevant and not excessive in relation to the purposes for which they are stored

Page 25:

Principle of accuracy

Personal data undergoing processing shall be: accurate and, where necessary, kept up to date

Page 26:

Principle of the length of conservation

Personal data undergoing processing shall be: preserved in a form which permits identification of the data subjects for no longer than is required for the purpose for which those data are stored

Page 27:

What is processing?

Collection, Combination, Preservation, Transmission, Recording, Closure, Exchange, Accumulation, Organisation, Erasure, Sorting, Classification, Storage, Destruction, Blocking, Holding, Alteration, Modification, Liquidation, Acquisition, Consultation, Searching, Registration, Browsing, Retrieval, Transferring, Arrangement, Re-organisation, Dissemination, Use, Making available, Disclosure, Publication, Utilisation, Logical operation, Displacement, Provision, Accessibility, Transformation, etc.

Page 28:

Principle of security measures

Data security

Appropriate security measures shall be taken for the protection of personal data stored in automated data files against accidental or unauthorised destruction or accidental loss as well as against unauthorised access, alteration or dissemination.

Page 29:

Principle of transparency

Additional safeguard for the data subject

Any person shall be enabled:

a. to establish the existence of an automated personal data file, its main purposes, as well as the identity and habitual residence or principal place of business of the controller of the file;

b. to obtain at reasonable intervals and without excessive delay or expense confirmation of whether personal data relating to him …

c. to obtain, as the case may be, rectification or erasure of such data if these have been processed contrary to the provisions of domestic law …

d. to have a remedy if a request for confirmation or, as the case may be, communication, rectification or erasure as referred to in paragraphs b. and c. of this article is not complied with.

Page 30:

Three principles of healthcare confidentiality

Healthcare professionals should respect:

• Individuals have a fundamental right to the privacy and confidentiality of their health information

• Individuals have a right to control access to and disclosure of their own health information by giving, withholding or withdrawing consent

• For any disclosure of confidential information healthcare professionals must have regard to its necessity, proportionality and attendant risks

Page 31:

The Legal Basis of Privacy and Confidentiality

- Universal Declaration of Human Rights (1948) art.12
- Universal Declaration on Bioethics and Human Rights (2005) art.9
- Charter of Fundamental Rights of the European Union (2000/C 364/01) arts. 7, 8
- Convention for the Protection of Human Rights and Fundamental Freedoms (ETS 005, 1950) art.8
- Convention for the Protection of Individuals with regard to automatic processing of personal data (No. 108, 1981)
- Convention for the Protection of Human Rights and Dignity of the Human Being with Regard to the Application of Biology and Medicine: Convention on Human Rights and Biomedicine (No. 164, 1997)

Page 32:

Data protection principles

Rights for individuals (data subjects)

- to receive certain information whenever data are collected
- access to the data
- to have data corrected
- to object to certain types of data processing

Page 33:

Patients have a right, both ethical and legal (EC Directive 95/46/EC on data protection), to know what information a healthcare professional holds in relation to them and disclosure of their healthcare records to the patient is thus always justified.

Healthcare professionals must respect patients’ requests for access to their healthcare information and comply with their legal obligations under Data Protection laws.

Page 34:

Data protection principles - 2

Obligations of data controllers

- to use personal data for specified, explicit and legitimate purposes
- to guarantee the security of the data against accidental or unauthorized access or manipulation
- to notify a supervisory authority before carrying out all processing operations

Page 35:

Healthcare professionals must ensure that patients and/or their legal representative are informed in a manner appropriate for the patient’s communication needs:

• of what kinds of information are being recorded and retained;
• of the purposes for which the information is being recorded and retained;
• of what protections are in place to ensure nondisclosure of their information;
• of what kinds of information sharing will usually occur;
• of the choices available to them about how their information may be used and disclosed;
• about their rights to access and where necessary to correct the information held about them within healthcare records;
• the information required to be provided to them by national law implementing Directive 95/46/EC; and
• country specific legal provisions or principles governing disclosure.

Page 36:

How must personal data be processed

- Fairly and lawfully
- Collected for specific purposes and used accordingly
- Purpose - explicit and legitimate
- adequate, relevant and not excessive
- accurate and when necessary up to date
- kept no longer than necessary

Page 37:

All health service organisations must have policies for informing patients and/or their legal representative of the protections, uses and disclosures of their information for secondary purposes (e.g.):

- planning of services;
- payment for services;
- management of services;
- contracting of services;
- risk management;
- patient safety;
- investigating complaints;
- auditing accounts and performance;
- local and national inquiries;
- teaching;
- research.

Page 38:

When can personal data be processed

- Data subject has unambiguously given consent
- Necessary for performance of the contract
- Required by law
- Necessary to protect a vital interest
- Necessary in the public interest
- Legitimate interest of controller or 3rd person

Page 39:

Express consent from the patient or their legal representative should where possible be obtained before any proposed secondary uses of their personal information. Where there is agreement to disclosure, only the minimum necessary patient identifiable information should be used for each legitimate healthcare purpose.

Page 40:

Patient’s consent and medical research

A general consent may permit research use of the personal information, where potential participants are initially properly informed about general details of the database including for example:

- what data will be placed into the database;
- how research on the data will be regulated and supervised;
- how privacy will be secured (non-technical measures);
- to what other data this data will be connected;
- who will have access to their information;
- that their data will only be used for specified healthcare purposes;
- the data will be used for the research of named diseases;
- who will be likely to benefit from the research;
- who will profit financially or otherwise from the research;
- that participants will be regularly informed if they wish about the research;
- that they can opt out of the research at any time if they choose

Page 41:

Supervision

Independent supervisory authorities

Convention 108 (art. 13)

Additional Protocol to C108 (art. 1)

Directive 95/46/EC (art. 28)

Page 42:

THANK YOU VERY MUCH FOR YOUR ATTENTION