The following article is about personal data management in health care and consists of four parts. The first part gives a short introduction to personal data management in connection with health care.
The second part describes the concepts of health data management. It is worth noting that this part discusses not just the basic concepts of data management but also those special notions which emerge specifically in the field of health care data management. First of all, the basic concepts of the GDPR will be discussed. These concepts are closely connected with the notions of the Info Act.
The third part of my article gives a short summary of the legal basis of health care data management and its applicable principles.
The fourth part of my article describes the legal background of health data management which shall be applied in health care. This part also discusses those rules of the Health Care Act in force which are connected with data management.
I. About data management in health care in general
In today’s information society, accurate, adequate and safe personal data management is indispensable. Secure personal data management is as important in health care as in other fields of life. Safe health data management is very important in health care because every single (sensitive) item of personal data is recorded here. The right to life and human dignity are fundamental rights and, because of their delicate nature, they enjoy increased protection. Pursuant to Article II of the Fundamental Law of Hungary (hereinafter: FLH): “Human dignity shall be inviolable. Everyone shall have the right to life and human dignity; the life of the fetus shall be protected from the moment of conception.” The same statement can be found in Act CLIV of 1997 on the Health Care (hereinafter: HCA or Health Care Act). According to HCA Sec. 10 (1): “The right to human dignity of the human shall be kept in respect during the health care.” The patients’ fundamental rights are protected by the State in this way.
The human being, in this case the patient, is embodied by personal data. Personal data, as personality rights, show the human as a living being in their full complexity. In health care the submitted personal data are very sensitive. These personal data make the patients completely identifiable during health care, from the birth data through the determined diagnosis to the data contained in the treatment plan. These personal data belong to the patient’s privacy. No one can know about these personal health data except the doctor or another health care professional.
Life Science and Pharmaceutical Law (aka Health Law) is a mixed field of law because it includes the main fields of law, such as Administrative Law, Criminal Law and Civil Law. In addition to the public law nature of Health Law, its private law nature must also be taken into account in detail during personal data management, because the patients are in a civil law (aka private law) relationship with the health care provider when they are receiving treatment. On the other hand, in the legal relationship between the health care institutions (aka health care providers) and the patients, the primary standpoint is the enforcement of the patients’ personality rights (e.g. personal data). These rights are not only fundamental rights but personality rights too. In this legal relationship, the patients are identified through their personal data.
Health care is available in the state sphere (aka public health care sector) or in private health care (aka private health care sector). The patients may choose either option, but appropriate and safe data management is the obligation of every single health care provider under the law.
As a result of the above-mentioned facts, the further parts of my article will summarize in essence the concept of personal data, the sphere of personal data and the method of their storage and management.
II. Legal alignment
Since 25th May 2018 the regulation of data management has become stricter because the legal frameworks of the Member States were replaced by uniform Union legislation. This means that the Data Protection Directive 95/46/EC was replaced by the uniform European Union General Data Protection Regulation No. 2016/679 (hereinafter: GDPR). This decree has been in force since 2016, but it has had to be applied in the Member States of the European Union since 25th May of last year. During the legal alignment in Hungary, Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (aka Info Act) was adjusted to the GDPR. Sec. 1 of the Info Act sets out its purpose. Pursuant to Info Act Sec. 1: “The purpose of this Act is to lay down the fundamental rules for data processing operations within the categories it covers with a view to ensuring that the right to privacy of natural persons is respected by data controllers, and to enforcing the right to have access to and disseminate information of public interest and public information to ensure the transparency of public affairs.” Info Act Sec. 1 is aligned with GDPR Article 1, which is shown by the fact that this Act is intended to protect the right to privacy of the natural person, aka the data subject. The GDPR emphasizes the same standpoint when it states that it protects the personal data of the data subject. Both laws put protection in the foreground. It can be seen clearly that personal data are part of privacy. At the same time, the concept of personal data and the concept of privacy are synonyms. A small difference can be perceived between the two terms. The Info Act determines the notion of privacy in a broader sense, because privacy does not only include the personal data of the particular natural person, such as name, residence, phone number, political and religious views, body weight, blood type, etc., but also involves other data which refer to private life, such as the right to protection of privacy or those data which refer to the family life of the particular person. However, the legislator considered these two notions synonymous in terms of the data protection legislation.
In its Sec. 3-19, the Info Act follows the provisions of the GDPR regarding the basic concepts, the principles, the lawfulness of processing, the consent to processing and the rights and obligations of the data subject, while taking into account its own specific characteristics. These general rules and conceptual definitions shall be applied during health care data management by the particular health care provider.
In addition to the GDPR and the Info Act, data management in Hungary is regulated directly by Act XLVII of 1997 on the Management and Protection of Health and Related Personal Data (hereinafter: Health Personal Data Act, aka HPDA), while the other related decrees of health care regulate data management indirectly. Direct regulation means that the above-mentioned laws shall be applied to data management in health care. For instance: Fundamental Law of Hungary – FLH, Health Care Act – HCA, Health Personal Data Act – HPDA, Info Act and GDPR. Indirect regulation means that, beyond the general data of the patients, those laws shall be applied which are needed in a specialized field of health care and are characteristic of that particular field. Basically, indirect regulation is also intended to protect the personal data of the patients, but here more special data are given which are characteristic of the professional field of health care. The legislator also wants to protect these rights by creating the relevant legislation. Here are some examples from the sphere of special data regulation: Decree of Ministry for Human Resources 5/2016 (29 Feb) on the Announcement and Order of the Related Interventions of Particular Prosthesis or Decree of Ministry for Human Resources 1/2014 (16 Jan) on the Report Order of the Infectious Diseases, etc.
It is very important that during data management, the health personal data of the data subject, in this case the patients, shall be respected to the maximum by the health care provider (e.g. clinic, hospital, private practice, diagnostic center, etc.). Not only the related rules on data management and data subjects laid down in the GDPR and Info Act belong here, but also those rules of Act V of 2013 on the Civil Code (hereinafter: CCA) which relate to personality rights. These rules can be found in its Sec. 2:42-55. Because of the sensitivity of personal data, especially health care data, it is very important that the listed laws and decrees be taken into account by the controller and processor.
During the health care data management, the following laws shall be applied by the health care provider:
- Fundamental Law of Hungary (FLH);
- European Union General Data Protection Regulation (Decree No. 2016/679 of the European Parliament and the Council);
- Act CLIV of 1997 on the Health Care (HCA);
- Act XLVII of 1997 on the Management and Protection of Health and Related Personal Data (HPDA);
- Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (Info Act);
- Act V of 2013 on the Civil Code.
In the second part of my article the general definitions will be discussed.
Source: GDPR, Info Act and the above-mentioned laws and decrees.