Archivos de la etiqueta: Salud

03Mar/15

Act on a Health Sector Database nº 139/1998

Act on a Health Sector Database nº. 139/1998

(Passed by Parliament at 123rd session, 1998-99)
Index:

Section I – General terms

Section II – Licence and committee on the creation and operation of a health sector database

Section III – Collection of information

Section IV – Access to the database and utilisation of data, etc.

Section V – Monitoring

Section VI – Penalties

Section VII – Various provisions

 

SECTION I. General terms


Art. 1. Objectives

The objective of this legislation is to authorise the creation and operation of a centralised database of non-personally identifiable health data with the aim of increasing knowledge in order to improve health and health services.
Art. 2. Scope

This legislation extends to the creation and operation of a centralised health sector database. The legislation does not apply to the medical record systems of individual health and research institutions, data collections made in connection with scientific research into individual diseases or groups of diseases, nor to records kept by health and social security authorities on users of the health service and operation of the health service. The legislation does not apply to the storage or handling of, or access to, biological samples.
Art. 3. Definitions

In this legislation the following definitions apply:
1. Health sector database: A collection of data containing information on health and other related information, recorded in a standardised systematic fashion on a single centralised database, intended for processing and as a source of information.
2. Personal data: all data on a personally identified or personally identifiable individual. An individual shall be counted as personally identifiable if he can be identified, directly or indirectly, especially by reference to an identity number, or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
3. Non-personally identifiable data: data on a person who is not personally identifiable as defined in clause 2.
4. Coding: the transformation of words or numbers into an incomprehensible series of symbols.
5. One-way coding: the transformation of words or series of digits into an incomprehensible series of symbols which cannot be traced by means of a decoding key.
6. Health data: information on the health of individuals, including genetic information.
7. Genetic data: any data; of whatever type, concerning the heriditary characteristics of an individual or concerning the pattern of inheritance of such characteristics within a related group of individuals. It also refers to all data on the carrying of any genetic information (genes) in an individual or genetic line relating to any aspect of health or disease, whether present as identifiable characteristics or not.

SECTION II. Licence and committee on the creation and operation of a health sector database

Art. 4. Grant of operating licence and payments by licensee

The creation and operation of a health sector database are only permitted to those who have an operating licence by the terms of this legislation.
When an application has been received, the Minister of Health may grant an operating licence to create and operate a health sector database subject to the further terms of this legislation.
The licensee shall pay a fee for the grant of the licence in order to meet the costs of preparing and issuing the licence. The licensee shall also pay a yearly fee equivalent to the costs of the work of the committee under the terms of Art. 6, and other costs pertaining to service and monitoring of the operation, including monitoring by the Data Protection Commission under the terms of legislation on the recording and handling of personal data, and costs of publication and publicity cp. Art.8.
The licensee shall pay all costs of processing information for entry onto the database, cp. Clause 8, Art 5.
The minister and licensee may agree on further payments to the Treasury, which shall be devoted to promoting the health service, research and development.
Art. 5. Conditions of licence etc.

An operating licence for the creation and operation of a health sector database is contingent upon the following conditions:
1. The database must be located exclusively here in Iceland.
2. Technical, security and organisational standards meet the requirements of the Data Protection Commission.
3. The recording and processing of health data shall be carried out by, or under the supervision of, people who are professionally qualified in the health sector.
4. Detailed information shall be available on the area of activity and projects of the applicant for a licence.
5. A detailed work plan from the applicant shall be available, which shall fulfil the conditions and objectives of this Act regarding working arrangements and progress.
6. The operation of the database shall be financially separate from the licensee’s other business.
7. The Ministry of Health and Social Security and the Director General of Public Health shall at all times have access to statistical data from the database in accessible form, so that they will be of use in statistical processing for compiling health reports and planning, policy-making and other projects of the parties specified.
8. The licensee shall pay all costs of processing data from health institutions and self-employed health workers for entry onto the database. The data shall be processed in a manner that fulfils the needs of the relevant institution or self-employed health worker for a standardised information system, the needs of medical specialist fields and the requirements of health authorities, cp. Clause 7, and so that it can be used in scientific research.
9. The licence shall be temporary, and it shall not be granted for more than 12 years at a time.
10. The licensee shall hand over to the committee cp. art. 6 a copy of the database, which shall be updated regularly, to be further specified in the licence. A copy of the database shall always be stored in a bank safety deposit box, or in some other secure manner, to be further specified in the licence.
11. The licensee shall ensure that after the expiry of the period of the licence, the Minister of Health and Social Security, or the party assigned by the Minister to operate the database, shall receive indefinite use of all software and right required for the maintenance and operation of the database.
The Minister may make the licence subject to further conditions than those specified above.
At the end of the period of the licence by the terms of the licence, the Minister shall make a decision on the operation of the database, after receiving the opinion of the committee cp. art. 6 and the Data Protection Commission. The same applies if the licence is revoked or if the licence is withdrawn from the licensee by the terms of this legislation.
The licence and database under the terms of this legislation cannot be transferred, nor can they be subjected to attachment for debt. Neither the licence nor the database may be used as collateral for financial liabilities.
Art. 6. Committee on the creation and operation of a health service database

The Minister shall appoint a committee on the creation and operation of a database under the terms of this legislation. The committee shall comprise three people and three substitutes, appointed for four years at a time. One shall be a health sector worker with a knowledge of epidemiology, another shall have knowledge of information technology and/or computer science, and the third shall be a lawyer, and shall chair the committee. Their substitutes shall fulfil the same conditions.
The role of the committee is to ensure that the creation and operation of the database are in keeping with the terms of this legislation, regulations made on the basis of the legislation, and conditions laid down in the operating licence, in so far as this does not fall within the ambit of the Data Protection Commission. The committee shall supervise the negotiation of contracts between the licensee on the one hand and health institutions and self-employed health workers on the other. It shall protect the interests of health authorities, health institutions, self-employed health workers and scientists in the drawing up of agreements. The sum to be paid by the licensee under the terms of para.3 art. 4. shall be negotiated by the committee, as shall recompense in the form of access to data from the database for health institutions, self-employed health workers and their staff for purposes of scientific research.
The committee shall advise the Ministry of Health and the Director General of Public Health on the utilisation of data from the database. Should the operating licence be revoked or the licence withdrawn from the licensee, the database shall be operated by the committee until the Minister has reached a decision on its long-term operation, cp. Para. 3, Art. 5.
The committee shall be provided with staff and working facilities. The committee shall seek specialist assistance as deemed necessary.
The committee shall inform the Minister and the Data Protection Commission without delay if it believes that there is some defect in the operation of the database.
The committee shall, no later than 1 March each year, submit a report to the Minister on the operations of the past year

SECTION III. Collection of information


Art. 7. Access to data from health records

With the consent of health institutions or self-employed health workers, the licensee may be provided with data derived from medical records for entry onto a health sector database. The health institutions shall confer with the physicians’ council and specialist management of the relevant institution before contracts are concluded with the licensee.
In the handling of records, other data and information, the conditions deemed necessary by the Data Protection Commission at any time shall be complied with. Personal identification shall be coded before entry on the database, so that it is ensured that the licensee’s staff work only with non-personally identifiable data. The staff of the relevant health institution or self-employed health workers shall prepare the data for entry on the health-sector database. Health data shall be transferred in coded form in order to ensure their security. Personal identification shall be coded one-way, i.e. by coding that cannot be traced using a decoding key. The Data Protection Commission shall carry out further coding of personal identification, using those methods that the commission deems to ensure confidentiality best.
With regard to access to data from medical records, this shall otherwise be subject to the Acts on the rights of patients, on physicians, on the health service and on the recording and handling of personal data.
Art. 8. Rights of patients

A patient may request at any time that information on him/her not be entered onto the health-sector database. The patient’s request may apply to all existing information on him/her or that which may be recorded in the future, or to some specific information. Such a request must be complied with. The patient shall inform the Director General of Public Health of his/her wish. The Director General of Public Health shall produce forms for giving such notice, and shall ensure that these are available at health institutions and at the premises of self-employed health workers. The Director General of Public Health shall ensure that a coded register of the relevant patients is always accessible for those who carry out the entry of data onto the health-sector database.

The Director General of Public Health shall ensure that information on the health-sector database and on the rights of patients cp. para. 1 shall be accessible to the public. Health institutions and self-employed health workers shall have this information available to patients on their premises.

SECTION IV. Access to the database and utilisation of data, etc.


Art. 9. Access by health authorities to data on the health-sector database

The Ministry of Health and Director General of Public Health shall always be entitled to statistical data from the health sector database so that it may be used in statistical processing for the making of health reports and planning, policy-making and other projects of these bodies. This information to the specified parties shall be provided free of charge.
Art. 10. Utilisation of the health sector database

Data recorded or acquired by processing on the health-sector database may be used to develop new or improved methods of achieving better health, prediction, diagnosis and treatment of disease, to seek the most economic ways of operating health services, and for making reports in the health sector.
The licensee shall be authorised to process data on the health sector database from the health data recorded there, provided that data are processed and connected in such a way that they cannot be linked to identifiable individuals. The licensee shall develop methods and protocols that meet the requirements of the Data Protection Commission in order to ensure confidentiality in connecting data from the health-sector database, from a database of genealogical data, and from a database of genetic data. With regard to linking the data on the health-sector database with other databases than those specified here, the Act on recording and handling of personal data shall apply. It is not permissible to give information on individuals, and this shall be ensured e.g. by limitation of access.
The licensee may not grant direct access to data on the database.
The licensee is authorised during the period of the licence to use the data on the database for purposes of financial profit, under the conditions laid down in this legislation and the licence.
The health service database may not be transported out of Iceland, and processing of it may only be carried out here in Iceland.
Art. 11. Confidentiality

Employees of the licensee, including contractors, are bound by an obligation of confidentiality on matters that they become aware of in their work which should remain confidential, by law or by their nature. They shall sign an oath of confidentiality before they begin work. The obligation of confidentiality remains in force, even if employment ceases.

SECTION V. Monitoring


Art. 12. Monitoring of the creation and operation of a health-sector database

The Data Protection Commission shall monitor the creation and operation of the health sector database with regard to recording and handling of personal data and the security of data on the database, and is responsible for monitoring compliance with conditions laid down by the commission.

The committee on the operation of the database, cp. Art. 6, shall be responsible for monitoring the compliance in every way of the activities of the health sector database with the terms of this legislation, regulations issued under the terms of this legislation, and the conditions of the licence. The committee shall monitor all questions to and processing from the database. It shall regularly send to the Science Ethics Committee a record of all questions processed on the database, together with information on the enquirers.
The minister shall issue regulations on an interdisciplinary ethics committee which shall assess studies carried out within the licensee’s company and questions which are received. The committee’s evaluation must reveal that there is no scientific or ethical reason to prevent the study in question being carried out, or the questions processed from the database.

SECTION VI. Penalties


Art. 13. Revocation of licence

The Minister may revoke the licence under the terms of this legislation if the licensee or the licensee’s employees violate the terms of legislation, if the conditions of the licence are not fulfilled, or if the licensee becomes unable to operate the database. Should the licensee violate the terms of this legislation or not comply with the conditions of the licence, the Minister shall give the licensee a written warning, allowing a reasonable period of grace to rectify matters. Should the licensee not comply with such a warning, the licence shall be revoked. In the case of deliberate violation or gross negligence, the Minister may revoke the licence without notice and without allowing time for rectification.
Art. 14. Penalties

Violation of the terms of this legislation entails fines or imprisonment for up to three years, unless a more severe penalty is prescribed in other legislation.
The same penalties apply to failure to comply with the conditions for granting of an operating licence under the terms of this legislation, or government regulations under the terms of the legislation, or failure to comply with a command or prohibition under the terms of the legislation, or government regulations under the terms of the legislation.
A legal entity may be sentenced to pay fines due to violation of this Act or regulations based on it. A legal entity may be fined regardless of the guilt of its employees. The legal entity shall be responsible for payment of a fine imposed upon an employee of the legal entity, provided that the offence is connected to the employee’s work for the legal entity.
Art. 15. Withdrawal of licence etc.

The licensee may, in addition to the penalties specified in Art. 14, be subject to revocation of the licence by legal verdict, in the case of deliberate violation or gross negligence.
Equipment which has been used for serious violation of this legislation may be confiscated, together with the profits of the violation, cp. Art. 69 of the Penal Code nº 19/1940.
Art. 16
Attempted violation, and participation in violation, of this legislation are subject to penalties as stated in section III of the Penal Code, nº 19/1940.
Art. 17. Compensation

Should the licensee, an employee of the licensee or a person assigned to process data violate the provisions of this Act with regard to confidentiality, regulations issued on the basis of them, or the conditions laid down by the Data Protection Commission, the licensee shall compensate the person to whom the data relate for financial loss which this has caused.
The licensee, however, is not obliged to compensate for loss which the licensee proves not to be attributable to a mistake or negligence on the licensee’s part, or that of an employee or processor.

SECTION VII. Various provisions


Art. 18. Regulations

The Minister may prescribe further terms on the practice of this Act by issuing regulations.
The Minister shall issue regulations on the activity of the committee on operation of a health sector database under Art. 6, and on limitation of access under para. 2 art. 10.
Art. 18. Enactment

This Act shall take force immediately.
This Act shall be reviewed no later than 10 years after its enactment.
Provisional clauses
I

The licensee’s licence fee under para. 3, Art. 4 shall for the first year be based upon estimated costs pertaining to the preparation and monitoring of the operations of the health sector database.
II

The entry of data onto the health-sector database shall not commence until six months after the enactment of this Act.
III

Before processing begins on the health-sector database, the committee on the operation of the database cp. art. 6 shall ensure that the assessment of an independent expert on the security of information systems has been sought.

Passed by the Alþingi 17 December 1998.

01Sep/07

Breve comentario al artículo 7 sobre la protección de datos personales de la salud

Breve comentario al artículo 7 sobre la protección de datos personales de la salud

En la actualidad, el tema de la protección de los datos personales en lo concerniente a la salud y su ulterior consideración como datos sensibles, hace que lo concibamos no como una especie de “patito feo” en el mundo de la teoría de la protección de datos, sino en todo caso como la salvaguarda y esperanza posible de un mayor acercamiento a un campo digno de especial consideración como éste, que el presente artículo titula.

De forma ejemplificativa, la situación mencionada se enmarca dentro de los datos personales de la salud de las personas físicas con la proliferación de clínicas especializadas en el campo científico de la cirugía estética y demás cuestiones análogas, como puede ser el caso de una consultora determinada que representa a uno de estos centros privados; pues bien, una cuestión en modo alguno carente de relevancia práctica como es la posibilidad de incluir los datos estéticos a la categoría de datos personales relativos a la salud.

La primera idea que se nos puede venir a la cabeza es un no rotundo: nada tiene que ver un dato estético con un dato de salud. La estética está completamente reñida con la enfermedad, si bien lo primero puede derivar en lo segundo. No ha sido, ni es la primera vez que se han escuchado el caso de personas que estaban completamente interesadas en la realización de ciertas mejoras físicas y se han visto finalmente abocadas a complicaciones diversas de cierto calibre, muchas de ellas cuando no, con la propia muerte.

Para poder centrarnos en el tema, opino que los elementos de mayor relevancia serían los atinentes a los propios servicios que una empresa estética viene realizando desde hace tiempo y la categoría profesional a la que puede ser encuadrables los profesionales que atienden y hacen frente en dichos lugares.

Como primer enfoque y mediante una tarea de simple descarte, los datos personales referentes a las personas, aparecen en el artículo 7.3 de la Ley Orgánica de Protección de Datos (legislación actual).El presente artículo exige el consentimiento expreso a diferencia del párrafo anterior en el que dicho beneplácito presenta los rasgos de expreso y por escrito.

Al hablar de datos sensibles, creo que lo mas conveniente a la hora de reforzar su garantía debida y por tanto elevar la seguridad jurídica, hubiera sido mejor, medir por el mismo rasero los párrafos segundo y tercero del artículo 7 de la LOPD para evitar sobretodo, dudas específicas en la labor de interpretación llevada a cabo por los propios órganos judiciales o bien la posible unificación de ambos párrafos en uno solo con el fin de evitar la existencia de dos pequeños subgrupos de datos especialmente protegidos. Lo que no cabe duda es que es una cuestión en la que el legislador, debió prestar en su día mayor atención, como así dice Vizcaíno Calderón en su “Comentario a la Ley de Protección de Datos”.

Es una idea encomiable por parte del legislador, la consideración de aspectos psicológicos como la salud mental, los temas genéticos y el alcohol entre otros, para introducirlos en el articulado de la ley dentro de lo que son los datos sensibles, ciertamente merecen su injerencia en esta parte y como ejemplo de su utilidad pragmática y para su mejor consulta tenemos la posibilidad de consultar lo establecido en la Memoria Explicativa del Convenio 108 y la Recomendación número R (97) 5,del Comité de Ministros del Consejo de Europa, relativo a la protección de datos médicos, siendo éstos mismos ahora los textos de referencia en esta materia.

¿Pero y los datos estéticos? .¿ Donde los ubicamos, entonces? .Porque alguna cabida por mínima que sea deben de tener. La LOPD se olvida por completo de ello, no mencionando el término estética. Es curioso que en ocasiones el legislador tiene la intención de abarcar un gran número de supuestos pera ser regulados y una cuestión que aparentemente es tan simple como puede ser lo estético y todo lo que ello conlleva se le olvida o no lo tiene en cuenta sobretodo en una ley cuyo contexto social refleja una época de considerable avance. A mi modo de ver, podrían darse dos situaciones: por un lado optar por hacer una interpretación extensiva sobre lo establecido en la propia ley, con la consiguiente contrapartida de no obtener el respaldo judicial, basándose los tribunales en sus decisiones en el tenor literal de los preceptos normativos; por otra en la necesidad de refugiarnos en la Ley 41/2002 de 14 de noviembre, básica reguladora de la autonomía del paciente y de derechos y obligaciones en materia de información y documentación clínica que “viene a solventar varias de las interrogaciones suscitadas respecto al tratamiento de los datos de salud” como muy bien apunta Fanny Coudert en la obra ” Estudio práctico sobre la protección de datos de carácter personal”.

Esta ley puede ser la que mejor se acerque a las cuestiones que se han planteado sobre datos de estética; la mayor ayuda ya nos la da el artículo 4 al hablar de “datos, valoraciones e informaciones de un paciente a lo largo de su proceso asistencial”,no especificando además el tipo de profesional médico (enfermera, residente, supervisor etc).Debe ser un profesional cualificado, para una clínica pública o privada, cualificada a su vez y sometido ante todo al secreto profesional. Estas tres características se dan en el presente caso; de hecho si la LOPD es de aplicación a todo lo que no regule la ley del 2002, no veo a mi juicio inconveniente en tener en cuenta, no solo la propia LOPD, sino también la ya mencionada Ley 41/2002,como estudiar en profundidad la normativa autonómica vasca de la misma materia, que aunque no tenga la misma extensión que la anterior en lo que a su aplicación se refiere, creo que podría esclarecer alguna que otra duda así como realizar una tarea de relleno y complemento con la normativa estatal a efectos de una mejor comprensión.