Data protection is just one of the many statutory obligations within the public health service. When data protection takes precedence over the patient’s best interests, things are moving in the wrong direction. Responsibility lies with the state as the owner of public hospitals.
‘Your details will only be used for…’, ‘You can withdraw your consent at any time…’. We have all received such emails since the EU’s General Data Protection Regulation (GDPR) was incorporated into the new Personal Data Act on 20 July 2018 (1). One of the aims of the new regulations is to make it easier for EU and EEA citizens to access personal data on themselves and to request the deletion or permanent erasure of their data. However, the new rules also have repercussions for the processing of health data, including use in quality assurance and medical research.
Those collecting data were previously subject to an obligation to notify and obtain a licence from the Norwegian Data Protection Authority. Appointing a data protection officer was voluntary, and organisations that did appoint one could obtain exemptions from the obligation to notify. Since the new rules were introduced, this is no longer the case. All public bodies, and parts of the private sector, must now have a data protection officer. The data protection officer serves as an advisor to the data controller (for example, a hospital), which in turn must ensure that there is a legal basis for the processing of personal data. The data controller has also been given new responsibilities in the form of requirements for documentation and impact assessments, and in some cases prior consultation with the Data Protection Authority.
For research in the field of medicine and health care, prior approval from the Regional Committees for Medical and Health Research Ethics (REC) has previously been sufficient for the processing of personal data. That has all changed. Now, the data controller must also ensure that a basis for processing exists (2).
This winter, it emerged that the legislation on the processing of patient data is being interpreted in different ways (3). Doctors at Oslo University Hospital vehemently disagree with the hospital’s data protection officer and claim that the stringent interpretation of the data protection rules is compromising patient safety and impacting on opportunities for conducting clinical research (4).
With few legal precedents and more responsibility resting with the institutions, different interpretations of the new Personal Data Act are to be expected. There are many indications that this is not just a theoretical problem. For example, Refsum et al. have just completed a national research project on cancer risk involving a considerable number of hospitals (5). Carrying out the research turned out to be very problematic, even with the required REC approvals. The researchers found effective administrative procedures in hospitals where the Norwegian Centre for Research Data (NSD) was the data protection officer. However, in hospitals that used local data protection officers, they came across ‘incredible justifications for strange local rules, procedures and interdicts’ and, not least, ‘hospital managers who allow the data protection officers to operate far beyond their mandate’ (5).
The latter seems to be a common problem. The role of the data protection officers is to advise. In practice, their advice seems to be binding. There are many reasons why this is the case, including possibly a lack of legal expertise in hospitals. Another may be that hospitals risk large fines, up to 4 % of gross turnover, for breaches of the Personal Data Act (6). In contrast, no financial sanctions are applied in the event of patient injuries; that responsibility has been transferred to the Norwegian System of Compensation to Patients (NPE). Put bluntly, the hospitals face a greater financial risk from a lenient interpretation of data protection rules than from administering irresponsible medical care. In practice, we have seen examples of hospitals being unwilling to overrule their own data protection officers, even in cases where professional staff have repeatedly pointed out that the decisions of the data protection officer are compromising patient safety (4).
There are also a number of other laws in the health sector that regulate the processing of patient data, such as the Health Personnel Act and the Patients’ Rights Act. In some cases, these will take precedence over the consideration for data protection. In any case, the various laws must always be weighed against each other when making decisions on the use of personal data (1, 7). In the end, all legislation that regulates responsible health care is there to protect the best interests of patients. Consequently, the Personal Data Act can never be interpreted in a vacuum.
The responsibility lies with the health trusts, and ultimately, as pointed out by one of the country’s most experienced legal practitioners in health, with the state as hospital owner (7).