Transcript To develop a database with respect to privacyregulations

Legal aspects of incident
reporting and data collection :
Fear of the Dark?
Meeting on “Incident Reporting in Radiotherapy”
3rd of September – Federal Agency for Nuclear Control
1
Clear up misunderstanding:
scope of our Data Protection Act
•
•
Privacy
Protection of privacy(1) in relation to the processing
of personal data (2)
Privacy (1)
Data
Protection
(2)
…
…
2
1. Privacy: article 8 ECHR – art. 22 Const.
•
•
Protection of privacy
“Everyone has the right to respect for his private and
family life, his home and his correspondence”
•
Private life: cultivation, serenity, secrecy, isolation,…
•
Family life: marriage, living together, starting a family...
•
Direct effect – horizontally/vertically
•
Important: protection of privacy is not absolute
3
Specific legal texts
•
•
Besides the general provisions of article 8 ECHR and
article 22 Constitution, there are several specific legal
provisions which protects (certain aspects of) privacy
F.e.:
Act 10/4/1990 concerning private security, Act 18/7/1991 concerning
private detectives, Data Protection Act, Camera Act, Act 30/6/1994
concerning telephone tap,...
4
2. Data Protection Act
•
Act of 8 December 1992 on the protection of privacy in
relation to the processing of personal data
•
•
Protects the citizen against the use of (his) personal
data
States the rights and obligations of the person
who’s data is being processed as of the processor
•
Just a part of “privacy”
•
Penal act (fines)
5
Personal data?
•
any information relating to an identified or
identifiable natural person
•
Identifiable = one who can be identified, directly or indirectly,
•
No legal person (f.e.: company)
•
in particular by reference to an identification number or to
one or more factors specific to his physical, psychological,
mental, economic, cultural or social identity
F.e.: name, photo, telephone number (private/work), national
register number, banc account number, e-mailadress,
fingerprint, code, licence plate,...
6
Personal data versus anonymous data
•
•
Anonymous data = data that cannot be related to an
identified or identifiable person and that is consequently
not personal data
Encoded data = personal data that can only be related
to an identified or identifiable person by means of a code
7
Processing?
•
•
any operation or set of operations which is
performed upon personal data, whether or not by
automatic means
F.e.: collection, recording, organization, storage, adaptation or
alteration, retrieval, consultation, use, disclosure by means of
transmission, dissemination or otherwise making available, alignment
or combination, blocking, erasure or destruction of personal data
8
Filing system?
•
any structured set of personal data which is
accessible according to specific criteria
• structured set of personal data
•
•
•
Logical classification
Systematic consultation of personal possible
accessible according to specific criteria
•
•
•
Name
National register number
...
9
Controller?
•
any natural or legal person, un-associated
organization or public authority which alone or
jointly with others determines the purposes and
means of the processing of personal data
•
•
•
F.e.: doctor,
organisation,...
company,
local
authority,
non
profit
Important: controller has to comply with all obligations
of the Data Protection Act ( = responsability)
(processor)
10
Scope Data Protection Act
•
•
Processing of personal data (wholly of partly) by
automatic means
Processing of personal data by non automatic means but
only
•
Which forms part of a filing system or
•
Is intented to form part of a filing system
11
Principle of finality
•
•
Personal data has to be processed for specified,
explicit and legitimate purposes
A further processing can (only) be considered
compatible with the original purpose(s), considering
•
The reasonable expectations of the data subject or
•
The legal or regulatory provisions
12
Principle of proportionality
•
•
Personal data has to be adequate, relevant and not
excessive in relation to the purpose(s) of the processing
Personal data has to be kept in a form that allows for the
identification of data subjects, for no longer than
necessary with a view to the purposes for which the
data is collected or further processed
13
When can you proces personal data?
•
“Normal” personal data: 6 cases (exhaustive list!):
•
consent
•
necessary for the performance of a contract
•
necessary for compliance with a legal obligation
•
necessary in order to protect the vital interests
•
•
necessary for the performance of a task carried out in the
public interest or in the exercise of the official authority
promotion of the legitimate interests of the controller
(balance of interest)
14
Special processings are prohibited… but…
•
Special processings?
•
Processing sensitive personal data
•
Processing health-related personal data
•
Processing of judicial personal data
15
Health-related personal data
•
•
•
No definition
In practice: all personal data concerning the former,
present or future physical or mental state of health
Processing prohibited but prohibition does not apply
in some cases (exhaustive list), f.e.:
•
•
•
•
the processing is necessary for the promotion and protection of public
health, including medical examination of the population
the processing is necessary for the prevention of imminent danger
the processing is necessary for the purposes of preventive medicine or
medical diagnosis, the provision of care or treatment to the data
subject, or the management of health-care services in the interest of
the data subject
...
16
•
Always under the responsibility of a health-care
professional, except
•
•
•
When there is a written consent
When the processing is necessary for the prevention of
imminent danger or for the mitigation of a specific criminal
offence
Right of access
•
•
Direct
Through a health-care professional after a demand of the data
subject or de controller
17
Notification with the Privacycommission
•
Notification for any purpose or set of related purposes for which
wholly or partly automatic operations are carried out
•
Controller has to notify
•
Notification prior to processing
•
Content notification = legally determined
•
Modification of notification if important information changes
•
By paper (125 euro) or via internet (25 euro)
•
List of exemptions by Royal Decree
•
Notification is not intended to request an authorization or permission,
but only to notify a processing = apart from very exceptional cases,
in Belgium no authorization is needed to process personal data
18
Content of the notification
•
the name of the processing
•
the purposes
•
the categories of data being processed (not the data themselves)
•
any possible legal or regulatory basis for the processing
•
the categories of recipients to whom the data may be disclosed
•
the safeguards established for disclosure to third parties
•
the way in which the data subjects are informed of the processing
•
the person the data subjects may address to exercise their right of
access and the measures taken to facilitate this
19
•
•
•
the categories of data intended to be transferred abroad, the
countries of final destination and the reason why the data are
transferred even if the destination countries do not ensure an
adequate level of protection
the period of time after which the data must no longer be stored
used or disseminated
organizational and technical security measures
20
Public register
•
•
•
•
Data base of the notifications
Aim: make the processings of personal data in Belgium
more transparant:
•
Data subject can look up information about a processing
•
Privacycommission can audit
Accessible to all: through the internet, in our offices,
request (extract)
The notification contains a
characteristics of the processing
description
of
the
21
Mission Privacycommission
•
•
Since 1/01/2004: independent supervisory authority
under the auspices of the Belgian House of
Representatives (before that: Ministry of Justice)
The Commission's mission is to ensure that privacy is
respected when personal data are processed:
•
Opinion and recommandation
•
Authorization (by sector committees)
•
Inspection, supervision and complaints
•
Information and assistance
22
Authorizations – sector comittees
•
•
Specific sector committees have been established
•
Rapid evolution information society
•
Multiplicity of questions (data subjects and governement)
•
The rise of more complex cases
Advantage
•
•
Specific experts from particular domains
Different sector committees (6)
•
Important: Sector Committee of Social Security and of Health
23
•
Role of such a committee
•
Grants an authorization when data is being exchanged
electronically in the network of social security of health
F.e.: every exchange of personal data by or to the E-health
platform
•
Checks the
authorization
documents
and
grants
yes
or
no
an
24
In practice
•
To go through all this information again (but on your
own pace):
www.privacycommission.be
•
Emailadress for questions:
[email protected]
•
Internet demo
•
Website
•
Notification
•
Sector committees
25