Public health institutions are increasingly required to balance fundamental rights and data protection principles. To address this, WHO/Europe has released easy-to-implement steps to allow any organization in public health to increase its level of data protection compliance.
The document, entitled “The protection of personal data in health information systems – principles and processes for public health”, is part of WHO/Europe’s work to support Member States in strengthening their health information systems (HIS).
Compliance with data protection requirements is particularly challenging for institutions actively involved in the management of HIS. Not only has the regulatory pressure regarding the processing of personal data increased in recent decades, but technological advances affecting surveillance, big data and cloud data storage also pose new challenges.
Empowering citizens through data protection compliance
To ensure full compliance with applicable data protection laws and regulations, public health authorities should ensure that they use personal data – any information relating to an identified or identifiable individual – in a fair, lawful and transparent way, and only to the extent necessary to pursue health-related public interest.
The authors warn that researchers often turn to the informed consent of data subjects to legitimize the processing of personal data. However, informed consent is not the only legal basis for data protection. It also implies that data subjects have a real choice and control and clearly express their will.
As a core principle of modern data protection laws, transparency means being honest with data subjects, for example, by publishing data protection policies on websites and using accessible language. In a world where technology companies process vast amounts of personal data, only educated and empowered citizens will be capable of exercising their rights, such as the right to access their data, the right to be forgotten and the right to object.
Safeguarding data in the context of public health
Considered a vital interest, public health is privileged in terms of the legal basis for data processing, which may include the secondary use of personal data for managing HIS. However, serving a laudable purpose – such as protecting public health – does not justify lowering standards of information technology (IT) security.
To ensure IT security and minimize the risk of data breaches, the authors recommend auditing compliance continuously, ensuring that data are always encrypted, conducting third-party penetration tests and developing disaster recovery plans.
Health-related data, including data on various determinants of health, are an important resource for policy-making, health systems management and research. In public health policy-making, the secondary use of data is of utmost importance. If possible, personal data should be aggregated or anonymized at source; for data to be truly anonymized, the authors emphasize that this process should be irreversible.
Regarding the privileged status of research, which is a constitutional, fundamental right in many countries, research activities should be clearly separated from policy-oriented data processing activities.
Building a data protection management system in public health
The authors conclude that data protection is not rocket science, but it does require legal and technical artisanship, support from the highest management level, the allocation of adequate resources, and the training of all professionals involved in the processing of personal data.
In addition, data protection is not a singular activity – it needs to be embedded into all aspects of the management of HIS. As such, public health authorities should educate their professionals on how to strike a balance between the fundamental rights at stake, to empower citizens by engaging them regarding the value of data processing for public health activities, and to set up ethical and legal benchmarks for exceptional situations such as the COVID-19 pandemic.
Public health authorities across Europe should bear in mind that the risks associated with data protection infringements are manifold, with reputational damage and monetary fines being the primary consequences. Even if applying all the operational and policy considerations sound unrealistic, the most important thing is to start with small steps.
For more information about the work of WHO/Europe on this topic, please contact the Data, Metrics and Analytics Unit (euhiudata@who.int).
The protection of personal data in health information systems – principles and processes for public health (2021)