You are here: Resources > FIDIS Deliverables > Interoperability > D4.11: eHealth identity management in several types of welfare states in Europe > 
Storage of health data  Title:


Access of health data

The access to health data is essential for healthcare professionals, for patients and for third parties. However, the control on the access to medical data in records and cards is an essential safeguard to citizens’ privacy. According to the Swedish correspondent, ‘there is a tendency to increase the access to the records (to be able to supply better care rather than a debate about privacy)’ (Sweden -15).

Access and use of the health related data is guided by (legal and technical) procedures: there should always be a log system in order to verify (post-hoc) who has accessed what data, when en why. The German correspondent provided some clear examples of access control: 1. ‘to prevent unauthorized persons from gaining access to data processing systems with which personal data are processed or used’, 2. ‘to prevent data processing systems from being used without authorization’, 3. ‘to ensure that persons entitled to use a data processing system have access only to the data to which they have a right of access’ and 4. ‘that personal data cannot be read, copied, modified, or removed without authorization in the cause of processing or use and after storage’ (Germany-2, according to vGeneral provisions on data security and technical measures to ensure privacy protection are laid down in Article 9 BDSG and the annex to Article 9).

We differentiate between (1) access of the citizen to his or her health information, (2) access of the healthcare provider and (3) access of third parties.  

(1) Patient access

Patients have the right to access the medical data relating to them. This does not have to be direct access, although this can boost patients’ trust in electronic health record systems. In general, people can view at least certain parts of the patient record (e.g. in the Swedish and UK case you can ask for a print-out (at your own cost)). In Germany, ‘patients and insurance holders shall be entitled to fully access all data stored relating to them’ (the joint declaration of 3 May 2002 announcing the introduction of the eGk the Federal Ministry of Health and the stakeholder organisations in the health sector) (GE-16). Sometimes the right to look into one’s record can only be done in the company of a health worker (in case of Norway). Sometimes a written request – without motivation - is necessary (the individual health file in Flanders) (Question 9.3). The Belgian answer stresses the fact that the patient does not have open access to all parts of the record. For example: comments and notes of the healthcare professional are not available to the patient (BE-9.10) (this has been mentioned by the Andaloucian report as well (ES - 9.7 on ‘subjective observations’). In Belgium the access granted by the patient is depending on the type of the specific record (Morbé, 2003, 94-96). According to the answer of Norway, Norwegian patient can not change nor delete data from their files. Contrary, Andalusian patients can request a change or deletion of information but only when it is not correct. Dutch patients have a (general) right to delete his own health information in the electronic medical record and his/her electronic GP record. In the Flemish case, patients can exclude information from databases/ records but only in ‘severe reasons and special cases and when the information was not generated in the case of voluntary participation to a preventive program’. The patient also has the right to object to the nation-wide availability of his health information through the electronic general practicer record (right to block the access to his health information for other healthcare professionals).

Several provisions of the data protection directive can limit patient access. Access right can be denied e.g. in the context of article 13 (1) of the Data Protection Directive, ‘to protect the rights of freedom of others’. Examples can be found in the legislations of Bulgaria, Finland, Italy, the Netherlands, Norway, Poland, Spain and the UK. This exception shows that in a democratic society the ‘balancing exercise’ is an important check. Also, exemptions to the right to information (article 10-11) are rather common. First of all, this can happen in the context of art 11 (2) ‘where providing information to the data subject is impossible or would require a disproportioned effort, and appropriate safeguards are observed, the data controller or his/her representative would not have to provide any information’ (Rouillé-Mirza and Wright, 2004b, 203). Countries as Belgium, Germany, the Netherlands and Spain have included this exemption in the context of scientific research / purposes in their domestic law. Without explicitly referring to the context of scientific research or purposes, the exemption has been included in Finland, Italy, Norway and the UK as well. In Hungary, the exemption is not included in domestic law (Rouillé-Mirza and Wright, 2004b, 220-221). Secondly, the exemption can be allowed in the context of art 13 (1). For example in Norway, there is an ‘exemption to the information provisions where it is inadvisable for the data subject to gain such knowledge, out of consideration for the health of the person concerned or for the relationships with persons close to the person concerned (Section 23 c of the Norwegian Persona Data Act (14/4/2000 No. 31).


(2) Access of healthcare professionals

‘An NHS primary care trust has warned of a new risk to the confidentiality of medical records under the National Programme for IT (NPfIT); after more than 50 staff viewed the electronic records of a celerity admitted into hospital’, Tony Collins, ‘, 17/09/2007. 

In the context of the doctor-patient confidentially, it is crucial that healthcare providers can only consult health data if this is necessary for the treatment of a specific patient. Transmission control is an important aspect in this context: ‘to ensure that personal data cannot be read, copied, modified or removed without authorization during electronic transmission or transport, and that it is possible to check and establish to which bodies the transfer of personal data by means of data transmission facilities is envisaged’ (Germany-2).

In the countries questioned, closed records with selective access limited to well-defined circumstances seem to be the standard (Norway, Switzerland, Netherlands, Sweden, Spain and Belgium). As a result, only information from the health record which is necessary and relevant can be consulted and the access depends on the relation of the healthcare provider with the patient. The secrecy of duty of the health care provider and the protection of the doctor – patient relation is perceived to be essential (Question 9.6). According to the Dutch answer, selective access by the healthcare provider is supported by authentication and authorization. In contrast, the Swedish answer points out to the fact that selective access is foremost a legal restriction instead of a technical one (logs can be consulted to check if the selective access has been used correctly but this is not checked in a consistent manner)! (Question 9.10) The answer of the UK shows that evidence of breaking the stipulation of privacy and confidentiality which are included in the contract of clinical and managerial/clerical or secretarial staff, can lead to ‘immediate suspension and possible dismissal’. In the Netherlands, Well Managed Healthcare System” (GBZ) criteria are established for access of healthcare provisioners to the electronic medical record and authorization guidelines for the GP record “lead takers”. The German penal code (Article 203) and the professional code of conducts serve as general rules for the patient record system NEXUS.MedFolio®. In German, ‘legal provisions exist on collection, transmission and storage of medical data by health care providers. Strict purpose binding provisions apply and sector specific information must not be linked (question 16). The Italian J-Hospital system ‘has a module that performs advanced check on user data entry.’ (question 9.6)

Several countries state that the exchange of information between healthcare organizations is arranged in a standardized way. Old-fashioned way of information sharing (document sent by fax or email) and paper-based approaches do still exists (e.g. UK), next to more advanced ways of sharing of information as for example, the Dutch secure storage approach (use of UZI card) and the Italian Jhospital system (question 11).

(3) Access by third parties: 

Since informational privacy and medical secrecy must be ensured, neither patients nor doctors can be put under pressure to provide health related information to third parties (e.g. insurance companies, employers, (governmental) health organizations…). At least in principle, (direct) access of medical information from patient records by third parties is not allowed. However, in the context of medical-scientific research and government policy (statistics), an exception can be made.

Citizens must understand the workings of the data controller in order to develop trust in the system. The data controller is responsible for the management of the data. He or she has to ‘implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.’ So it is the duty of the data controller to ‘choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures’ (art. 17 of the D 95/46/EC). (Authorized) people working under the authority of the controller or the processor can only process data when required by law, or when they received instructions from the data controller. This means that not only the head of a healthcare institute or department is responsible, but also all authorized employees working with the data of the electronic health care (clinical professionals). As a result, professionals on the health care and the administrative levels can be put responsible. An electronic signature or another authentication measure can be used to verify in real time or post-hoc who gathered, maintained or stored the data. This is important in liability issues.

Some countries work with central nodes to exchange health related information between organizations. This means that there are no centralized database of information but there are specific structures or/and organizations that connect information from various databases and provide the information to those (authorized ones) who need it. As a result, the organizations ‘on top’ of the exchange system can access a lot of information, but the information remains at the source location. Examples are available in the Netherlands (National Switch Point), in Belgium (cross-road bank, FLOW, BeHealth), in Spain (central node of NHS) and in Germany (Statutory Health Insurance (SHI) company). The answer of the UK shows a discrepancy between the companies providing system for data exchange and the users of those systems. The first offer centralized systems in order to organize the exchange information between healthcare organizations. The latter believe a ‘disseminated open architecture that allows data to stay where it was created but be accessed by appropriate clinical carers’ is the best option (Question 10). Nevertheless, ‘summarising and sharing with others then it can only be done with the explicit written agreement of the patient on every occasion. For example, the provision of information for life insurers or health care insurers’ (UK -16). 

According to the results of Hämäläinen (2007, 10) there is a relation between the type of national health information system and the way health is organized in a specific country: ‘having an integrated national health information system, seems to be a higher priority in state-centred systems than in others’, Also ‘in region-driven countries the architectural choice for an eHealth service network with interoperable connections is favoured more than an integrated information system. Promoting and deploying standards is a higher priority in groups other than the state-driven group, which is understandable since the use of standards is essential in multi-player systems’ (Hämäläinen, 2007, 10). 

Use of health information

The European legal framework shapes the conditions for on the use of health data. At least in theory, Member States have an obligation to prohibit the processing of health related data (article 8 (1) D95/46/EC). However, European states can make use of various exceptions to this general prohibition to allow the processing of personal data in the context of eHealth. When possible, we refer to the answers to the question list.

First of all, there are exemptions to the prohibition of processing sensitive data in the context of article 8 of the Data Protection Directive.

In the context of article 8 (2a): when the data subject has given his or her explicit consent to process the data. But, Member States can lay down in law ‘that the prohibition referred to (…) may not be lifted by the data subject’s giving his consent’.

In the context of article 8 (2c): when processing the data is necessary to ‘protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving his consent’. 

In the context of article 8 (3): for preventive medicine and medical diagnosis (and medical research in general). In the UK it is explicitly allowed to process sensitive data in the context of medical research, medical diagnosis and preventive medicine (The UK 1998 Data Protection Act Chapter 29, Schedule 3, Paragraph 8 (2)). This entails a rather wide interpretation of article 8 (3). Although not mentioned explicitly in other countries, processing of sensitive data for could be allow if it’s put under the purpose of science or preventive medicine or medical diagnosis.

In the context of art 8 (4): public interest: it is possible for States to use article 8 (4) of the Data Protection Directive, instead of article 8 (3), in order to allow the processing of sensitive data in the context of scientific (and thus medical) research.). However, states have to provide ‘suitable safeguards’. In the UK and the Netherlands among others the prohibition to process is ignored when processing is done for scientific research that has ‘substantial public interest’. It is unclear what is meant with the latter concept. In Norway for example, the public interest has to clearly exceed ‘the disadvantages or risks it might entail for the data subject’ (Rouillé-Mirza and Wright, 2004b, 218). According to Rouillé-Mirza and Wright (2004b, 218-219), ‘it is not rare to see the (pre-2004, sic.) NAS providing an exemption to the prohibition of processing sensitive data for medical research for particular processing, which could be seen as being of public interest, and also when the safeguards required are in place. This latter remark is interesting, since it shows that the pre-2004 New Assigned States have been following the same logic as the European Member States.

Additional exceptions relating to the data protection principles (article 6 (1)) are also possible in the following contexts: 

In the context of article 6 (1b): for historical, statistical or scientific purposes.  

In the context of Article 13 (1g): the article on the protection of the data subject or of the rights and freedoms of others can be used to restrict the application of article 6 principles in relation to medical research. The UK once again and the Netherlands provide proof for this exemption based on article 13 (1).

In relation to the purpose principle, there is an exemption for scientific reasons. However, in Belgium, Finland, Italy, Slovakia and Spain, no safeguards are provided ‘to ensure that there are no measures or decisions regarding any particular individual’ (Rouillé-Mirza and Wright, 2004b, 211). This means that the legislation of these countries is not compliant with the Directive! Safeguards are provided by law e.g. in the UK, Germany, the Netherlands and Poland. However the Directive does not specify the content of these safeguards.

In the context of article 18 (2) of Directive 95/46/EC, the Supervisory Authority has not to be notified about automatic processing. This exemption can be used for medical research purposes but it seems not many countries make use of it. However Finland, the Netherlands (as well as Greece and Sweden) do.

Member states of the EU can take supplementary measures (next to those stipulated in the D 95/46/EC framework) to ensure the protection of personal data of their citizens. Yet they have also the freedom to allow additional exceptions to the general prohibition of processing those data. There seems to be a difference between what is possible by law and what the practice by institutions is. The law of Spain for example, provides several possibilities for the use of personal data in the light of epidemiological research. However in the Spanish practice there is a rather limited interest in the use of personal data for such research. 


Storage of health data  fidis-wp4-d4.11.eHealth_identity_management_in_several_types_of_welfare_states_in_Europe.sxw  Discussion
15 / 19