Legal aspects of incident reporting and data collection: Fear of the Dark? Meeting on “Incident Reporting in Radiotherapy” 3rd of September – Federal.

Presentation transcript:

Legal aspects of incident reporting and data collection: Fear of the Dark? Meeting on “Incident Reporting in Radiotherapy”, 3rd of September – Federal Agency for Nuclear Control

Clear up misunderstanding: scope of our Data Protection Act. Protection of privacy (1) in relation to the processing of personal data (2). Privacy (1); Data Protection (2).

1. Privacy: article 8 ECHR – art. 22 Const. Protection of privacy: “Everyone has the right to respect for his private and family life, his home and his correspondence”. Private life: cultivation, serenity, secrecy, isolation,… Family life: marriage, living together, starting a family... Direct effect – horizontally/vertically. Important: protection of privacy is not absolute.

Specific legal texts. Besides the general provisions of article 8 ECHR and article 22 Constitution, there are several specific legal provisions which protect (certain aspects of) privacy. E.g.: Act 10/4/1990 concerning private security, Act 18/7/1991 concerning private detectives, Data Protection Act, Camera Act, Act 30/6/1994 concerning telephone tap,...

2. Data Protection Act. Act of 8 December 1992 on the protection of privacy in relation to the processing of personal data. Protects the citizen against the use of (his) personal data. States the rights and obligations of the person whose data is being processed and of the processor. Just a part of “privacy”. Penal act (fines).

Personal data? Any information relating to an identified or identifiable natural person. Identifiable = one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, psychological, mental, economic, cultural or social identity. No legal person (e.g.: company). E.g.: name, photo, telephone number (private/work), national register number, bank account number, address, fingerprint, code, licence plate,...

Personal data versus anonymous data. Anonymous data = data that cannot be related to an identified or identifiable person and that is consequently not personal data. Encoded data = personal data that can only be related to an identified or identifiable person by means of a code.

Processing? Any operation or set of operations which is performed upon personal data, whether or not by automatic means. E.g.: collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by means of transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction of personal data.

Filing system? Any structured set of personal data which is accessible according to specific criteria. Structured set of personal data: logical classification; systematic consultation of personal data possible. Accessible according to specific criteria: name; national register number;...

Controller? Any natural or legal person, un-associated organization or public authority which alone or jointly with others determines the purposes and means of the processing of personal data. E.g.: doctor, company, local authority, non-profit organisation,... Important: controller has to comply with all obligations of the Data Protection Act (= responsibility) ( processor).

Scope Data Protection Act. Processing of personal data (wholly or partly) by automatic means. Processing of personal data by non-automatic means, but only that which forms part of a filing system or is intended to form part of a filing system.

Principle of finality. Personal data has to be processed for specified, explicit and legitimate purposes. A further processing can (only) be considered compatible with the original purpose(s), considering: the reasonable expectations of the data subject, or the legal or regulatory provisions.

Principle of proportionality. Personal data has to be adequate, relevant and not excessive in relation to the purpose(s) of the processing. Personal data has to be kept in a form that allows for the identification of data subjects, for no longer than necessary with a view to the purposes for which the data is collected or further processed.

When can you process personal data? “Normal” personal data: 6 cases (exhaustive list!): consent; necessary for the performance of a contract; necessary for compliance with a legal obligation; necessary in order to protect the vital interests; necessary for the performance of a task carried out in the public interest or in the exercise of the official authority; promotion of the legitimate interests of the controller (balance of interest).

Special processings are prohibited… but… Special processings? Processing sensitive personal data; processing health-related personal data; processing of judicial personal data.

Health-related personal data. No definition. In practice: all personal data concerning the former, present or future physical or mental state of health. Processing prohibited, but prohibition does not apply in some cases (exhaustive list), e.g.: the processing is necessary for the promotion and protection of public health, including medical examination of the population; the processing is necessary for the prevention of imminent danger; the processing is necessary for the purposes of preventive medicine or medical diagnosis, the provision of care or treatment to the data subject, or the management of health-care services in the interest of the data subject;...

Always under the responsibility of a health-care professional, except: when there is a written consent; when the processing is necessary for the prevention of imminent danger or for the mitigation of a specific criminal offence. Right of access: direct; through a health-care professional after a demand of the data subject or the controller.

Notification with the Privacycommission. Notification for any purpose or set of related purposes for which wholly or partly automatic operations are carried out. Controller has to notify. Notification prior to processing. Content notification = legally determined. Modification of notification if important information changes. By paper (125 euro) or via internet (25 euro). List of exemptions by Royal Decree. Notification is not intended to request an authorization or permission, but only to notify a processing = apart from very exceptional cases, in Belgium no authorization is needed to process personal data.

Content of the notification: the name of the processing; the purposes; the categories of data being processed (not the data themselves); any possible legal or regulatory basis for the processing; the categories of recipients to whom the data may be disclosed; the safeguards established for disclosure to third parties; the way in which the data subjects are informed of the processing; the person the data subjects may address to exercise their right of access and the measures taken to facilitate this;

the categories of data intended to be transferred abroad, the countries of final destination and the reason why the data are transferred even if the destination countries do not ensure an adequate level of protection; the period of time after which the data must no longer be stored, used or disseminated; organizational and technical security measures.

Public register. Database of the notifications. Aim: make the processings of personal data in Belgium more transparent: data subject can look up information about a processing; Privacycommission can audit. Accessible to all: through the internet, in our offices, request (extract). The notification contains a description of the characteristics of the processing.

Mission Privacycommission. Since 1/01/2004: independent supervisory authority under the auspices of the Belgian House of Representatives (before that: Ministry of Justice). The Commission's mission is to ensure that privacy is respected when personal data are processed: opinion and recommendation; authorization (by sector committees); inspection, supervision and complaints; information and assistance.

Authorizations – sector committees. Specific sector committees have been established: rapid evolution information society; multiplicity of questions (data subjects and government); the rise of more complex cases. Advantage: specific experts from particular domains. Different sector committees (6). Important: Sector Committee of Social Security and of Health.

Role of such a committee. Grants an authorization when data is being exchanged electronically in the network of social security of health. E.g.: every exchange of personal data by or to the E-health platform. Checks the documents and decides whether or not to grant an authorization.

In practice. To go through all this information again (but at your own pace): address for questions: Internet demo; Website; Notification; Sector committees.