On the surface, any individual may decide who uses their delicate personal data and how. The reality differs starkly. This is also the case with the cancer screening register: a person wishing to close down her data is helpless against a clause in a law, and the health data are used against her will.
«As I looked at the data they are investigating, my hair stood on end,» said Edith Sassian to describe the moment she learnt, while reading the relevant regulation, about data stored regarding her.
A while before that, in the second half of June, she had discovered in the digilugu.ee health portal that the National Institute for Health Development (TAI) had made 16 inquiries regarding her during this year. When she looked into it, it turned out the queries came from the cancer screening register launched at the beginning of the year.
«I called and asked which data and to what degree have been inquired. I also tried to ask how to close them down. I am really not interested in my data being kept in some other place as well,» said Ms Sassian.
The cancer screening register is the first health register to collect data digitally from other databases. It queries: the population register for information on those called for screening; the health insurance fund for earlier examinations; the cancer register for malignant tumours diagnosed earlier; the E-Health info system for examinations, additional examinations and treatment during screening. On top of that, verification inquiries are made into the death causes register. Data exchange between all said registers happens via the X-Road data exchange layer.
All in all, TAI manages five registers: cancer register, tuberculosis register, death causes register, medical birth register, and cancer screening register. The institute claims it is only the last of these that gleans its data from the health information system. «The other registers entrusted to TAI processing gain their data directly from the health care institutions,» explained a press rep.
-Will won’t count
«People should have an overview of what is being taken, how and what for. And who wants it to be taken,» said Ms Sassian, among other things referring to the constitutional clause prescribing inviolability of private life.
Unwilling to hand over her data for processing, she decided to file a declaration of intention to close her data down. Incidentally, a patient’s right to forbid access to her personal data is prescribed by the healthcare information system statutes.
«I do not agree with the cancer screening register at TAI, or any other register, systematically collecting my health data. Health data are delicate and cannot be collected without permission by the individual. I request that my health data be immediately closed for TAI,» said Ms Sassian’s application to the social ministry.
These same statutes also prescribe that upon receiving an application the employee in charge or the provider of health service must close access to health data «promptly». This is small help, however, as pursuant to the Public Health Act data is forwarded to the cancer screening register even when an individual has closed her data in the system.
-Possible and impossible
«Thus, the data reflected in health information system cannot be closed to TAI; however, your participation in the research is voluntary irrespective of the relevant invitation forwarded to you,» read the social ministry’s answer to Edith Sassian dated July 8th.
In other words: when an application comes from a patient, the personal data are promptly closed, but the «closed» data are still accessible on certain occasions. How much actual authority do we have, then, to decide regarding the processing of our very own health data?
«The closing of health data in the information system may in principle not mean that these cannot be processed in the future,» said social ministry health system development department adviser Ingrid Ots-Vaik, adding that the occasions where people’s declarations of intention will not be considered have been specified in the Act.
As pointed out by Ms Ots-Vaik, the statutes of databases and registers prescribe the precise data contents needed for certain other databases or registers, and who the providers of the data are. It is also prescribed if and how data exchange is allowed between various databases and registers.
She said there are also the individual cases where delicate personal data are processed without personal permission. «The classic example would be when a health care worker discovers that a child has been beaten or abused. Or when it is discovered during forensic psychiatric examination that an individual has committed a crime listed in penal code,» said the adviser.
Still, Ms Sassian fails to understand why data has to be collected against an individual’s will, and in such volumes. «Why? What is the goal? And why could I use and command these data myself?» she said, wondering why our current legislation grants such liberties for third parties.
adviser, Data Protection Inspectorate
The overall principle for processing of personal data is that processing (such as collecting data, providing access thereto, forwarding of it etc) may only happen with consent by the individual or pursuant to law. If an individual grants permission for data to be processed, she has the right to withdraw it at any time.
If processing the data is prescribed by law, then an individual has no right to decide whether to allow or prohibit the processing except on occasions where law foresees exceptions. For instance: Health Services Organisation Act prescribes that a patient has the right to forbid access by provider of health service (like a doctor) to personal data found in health information system.
Meanwhile, Public Health Act lays down rights of TAI to obtain data from health information system to perform tasks prescribed by law. Thus, an individual can only restrict access to health data when a health service provider is concerned, but not from other data processors who the law obligates to process certain data.
This, currently, is the lawgiver’s will. Meanwhile, we find that a public debate regarding accessibility of health data is welcome with participation of the various parties (including social ministry).
Katrin Merike Nyman-Metcalf,
technological law professor at Tallinn University of Technology
There is no basis to think that the ministry is misinterpreting the law; rather, this is a much broader issue: what’s the worth of an option to lock data if these can still be used? Isn’t the option then just an illusion? Simply put: they do provide the option of privacy of data but in reality they use them anyway.
The state, for instance, is responsible for the wellbeing of the people, it ensures medical care and other health services. To plan that, data is needed regarding the population. As long as the data is only used for the purpose they were collected for, and the persons using them are competent, the whole thing is in harmony with law and data protection principles. Meanwhile, an individual’s right to decide concerning her own data has still been restricted.
In a modern society, data is increasing in importance and value. Very many public and private services are based on (personal) data: Taxify knows where we are, Google knows what we usually search for, and the state knows what our assets are and where they are located. Services become effective only because data is available about us. This will doubtless be a development that will continue, and at increasing speed. For a single individual to resist this is very hard if not impossible.
Even so, something can be done about it. Firstly, the state should be open and explain explicitly what the options are to protect the data. As technology makes collection and use of data so easy, this cannot be done lightly but there must always be a reason and that according to proportionality: when services, data collection and use systems are created, privacy must be considered – and explicitly so. People may not be underestimated and creators of the systems must be able to explain all the aspects, including privacy and proportionality.
As evident in the case at hand, people’s security regarding privacy is an illusion and perhaps misplaced, if in reality the possibility to protect one’s data is smaller than it seems. Is this bad or rather necessary? This can only be discussed in a broader debate.
Data for cancer screening register
From population register:
1) name, date of birth, sex, and identity code
3) residence and communication address
4) contact phone and e-mail address
5) time of permanent exit from Estonia
6) time of death
Cause of death register:
1) time of death
2) initial cause of death
3) other causes of death
Cancer register:
1) malignant tumour diagnosis
2) time of diagnosis of malignant tumour
3) method of examination confirming the diagnosis
4) morphological diagnosis of the tumour, and the degree of malignancy
5) degree of differentiation of tumour
6) spread of tumour
Health insurance fund:
1) existence of health insurance
2) name of health service provider and code thereof pursuant to health insurance fund list; name and registry code of provider of health service
3) code of diagnosis according to ICD-10 (RHK-10)
4) initial date of treatment invoice as written on it by provider of health service
Source: statutes for establishment and keeping of cancer screening register