The Data Protection Commissioner has recently released a standpoint on software used in health administration which concerns different aspects of the processing of health data, including scientific research, storage of data abroad, as well as the information requirements to patients.
The full text of the Commissioner’s position is available in English below:
Case ABI-2982-3/2010/K
Dear Sir,
You have turned to the Data Protection Commissioner with a consultation request which concerns the products of a medical software company. I have the following standpoint in this matter:
You have indicated in your consultation request that your client is a medical software company who develops software solutions for general practitioners / family doctors. Through this software developed by your client, doctors would record data on the time and reason of the patient’s visit, the diagnosis, the examinations, the findings, the symptoms, treatments applied, drugs, identifying information as well as data related to the sick pay of the patient.
You have also noted that this software would store the patients’ data in anonymous form, thus, medical data would be transformed to information from which patients’ identities could not be inferred from. Such data would be combined only with the location and time of the recordal, since this would facilitate the organization/structuring of the recorded information, as well as the use of the data for scientific research.
I hereby inform you that the potential users of your client’ products, general practitioners shall be considered as “healthcare service providers” under Section 3 g) of the Act XLVII of 1997 on the processing and protection of medical data and related data (Medical Data Act) therefore they are authorized to process health data and personal identifying data within the framework of Section 9 (2) of the Medical Data Act. Further, these persons are obliged to keep medical secrets pursuant to Section 7 (1) of the Medical Data Act.
According to your first question, where you asked whether any special legal requirement applies in connection with the storage of the patients’ database in a remote secure server, where the content of same could be downloaded by the doctors online, I hereby inform you on the following.
I hereby draw your kind attention to the fact that remote access through a system to medical data is only permissible on the basis of detailed data protection and information security rules/by-laws with strict documentation of the access, particularly if this is made through a server located abroad. If such data is processed on a server located within the European Economic Area, this shall be treated as domestic data processing within the territory of the Republic of Hungary. As regards third countries, adequate protection of personal data would be ensured pursuant to Section 9 (1) b) of the Act 1992 of LXIII on the protection of personal data and disclosure of data of public interest (hereinafter: Data Protection Act) Section 9 (1) b), if the European Commission recognized by decision that the respective third country provides adequate level of protection, an international treaty provides such guarantees or if the data processor located in a third-country confirms that he/she ensures an adequate level of protection of personal data, the rights of data subjects, as well as their enforcement [pursuant to Section 9 (2) (c)].
In my capacity as Data Protection Commissioner I have no objection to the remote access to the server, however, I cannot support the availability of personal data and special data processed by health care institutions on foreign servers, as the withdrawal of such data from the Hungarian jurisdiction makes the enforcement of patient’s rights practically impossible.
Your second question was directed to the data protection requirements of scientific research on the database with encoded patient data. In that regard, I hereby inform you on the following.
Section 20(1) of the Medical Data Act states that health data may be processed for statistical purposes in a manner which precludes identification of the data subject.
(2) For statistical use the transfer/use of health data and personal identification data linked to the data subject is only permitted with the data subjects’ written consent.
Section 21 (1) For the purpose of scientific research the data may be inspected with the permission of the head or the privacy officer of the health institution, however, the respective scientific publication may not contain such health data or other personal data from which the identity of the patient could be inferred from. In the course of scientific research, no copy can be made on stored data which contains personal identifying information.
(2) The individuals who had access to the stored data pursuant to paragraph (1), as well as the purpose and date of inspection shall be recorded. Such records shall be retained until 10 years.
Section 32 (1) of the Data Protection Act provides that data collected or stored for purposes of scientific research shall not be used for other purposes.
(2) Personal data shall be made anonymous as soon as the purpose of research allows it.
Any data relating to identified or identifiable persons shall be stored separately from the very beginning. These data shall not be connected with other data unless this is required for the purpose of research.
(3) An organ or person performing scientific research shall not make personal data public, unless the data subject has given his consent thereto.
Section 4(2) of the Medical Data Act lays down that health data and personal identification data may be processed, inter alia, for the following purposes:
a) training / education of health care professionals,
b) medical professional and epidemiological investigation, analysis, health care planning, organizing, planning of costs,
c) statistical analysis,
d) anonymizing for impact assessment and scientific research.
This means that data collected for the purpose of scientific research must be anonymized. The same applies to the collection of data for statistical purposes. In addition, scientific research must be notified to the Health Ethics Committee which may give permission for conducting such activity.
In your third question you have asked whether it is necessary to obtain consent from any of the doctors and / or from patients for the transfer and research of the data unlinked from patient identifiers.
In my view, if the data is made anonymous, there would be no need to obtain further consent from the data subjects. Thus, after anonymisation of the data gathered through the software, your client and third parties would not be restricted to use such data for scientific research purposes.
The second issue you have raised concerns of the PHR (Personal Health Report) system to be introduced by your client, which would allow for certain patients against payment to have online access to the data kept in the administration system of the family doctor about them.
Concerning this system, you have sought clarification the Hungarian legislation permits the introduction of such a system. In this regard I have the following standpoint. Hungarian laws do not prohibit the set-up and introduction of such system outlined by you, however, the provision of such service cannot be made mandatory, as it may be used only as an option.
Under Section 7(3) of the Medical Data Act the patient has the right to be informed about the data processing in connection with its medical treatment, he has the right to access to its health data, personal identification data and its medical records, and at its own expense (s)he may obtain a copy of same.
Section 11 (1) of the Data Protection Act provides that the data subject may request information on the processing of his personal data. Section 12 (1) states that the data controller shall inform the data subject, upon his request, of the data processed by the data controller or by the processor, of the purpose of the data processing, of its legal basis and duration, of the name, address (seat) and activity of the data processor in connection with the data processing, as well as of those who received or will receive data and for what purpose.
(2) The data controller shall give the information in writing and in a clear language, within the shortest possible time, but not later than within 30 days from the submission of such request.
(3) The information referred to in paragraph (2) is free of charge, unless in the given calendar year the person requesting information has already filed a request with the data controller for the same field. In other cases expenses may be charged. Such expenses shall be refunded where the data have been unlawfully processed or where the request for information has resulted in rectification.
On this basis of the above, I see no legal obstacle to the operation of such service for consideration outlined by you, provided that once a year the access to the information / query would be free of charge.
The last point of your application concerned the scope of details in the notice to be provided to the users of the system, as well as whether it is necessary to obtain the written consent of the users of the system.
I suggest that the terms of the privacy notice cover the following information: the fact of data collection, range of data, data subjects concerned, the exercise of the rights, who may have access to the data, as well as the duration of data processing. Section 20 (2) of the Medical Data Act requires the written consent of the data subject only in those cases where health data and personal identification data linked to the data subject is processed for statistical purposes, thus, provided that the anonym data is introduced into the system, in this case the consent of the data subject would not be a must.
In connection with your submission, I hereby draw your kind attention that the position of the Data Protection Commissioner does not audit the product to be manufactured and the present standpoint provides only a guidance that is based on the facts you have presented in your application.
Please do not hesitate to contact me in connection with any further case involving the protection of personal data and the disclosure of data of public interest.
Budapest, 21 January 2011.
Sincerely yours,
Dr. András Jóri
