POSITION No. 1/2002
The Act No. 101/2000 Coll on Personal Data Protection and on the Amendment of Certain Other Laws, as amended, (hereinafter referred to as "Personal Data Protection Act") regulates several aspects of personal data processing in the context of health care provision. Personal data concerning the state of a patient's health fall within the category of sensitive personal data and their processing is subject to the conditions stipulated by Article 9 of the Personal Data Protection Act as well as by other provisions. The aforementioned Article authorizes the data controller or data processor to process sensitive personal data only with the express consent of the data subject. Such consent must be obtained in writing, with the signature of the data subject, and it must clearly state what kind of data it concerns as well as for which data controller it was issued and by whom, what purpose it serves and what is the time limit of its validity. The data subject may withdraw the consent at any time. The data controller is obliged to inform the data subject of his or her rights before the data subject is requested to provide the relevant data. The data controller is obliged to file and preserve the written consent of the data subject until the processing of the data for which it was granted has been finished. The processing of sensitive personal data concerning the state of health may take place - in those cases where the processing is necessary for the preservation of life or health of the data subject or of another person as well as for the prevention of immediately threatening serious damage to their property - even without the written consent of the data subject, especially if the consent cannot be obtained for reasons of physical, mental or legal incapacity, because the data subject is missing or for other similar reasons. If such reasons no longer exist, the data controller must terminate data processing immediately and liquidate the data processed, unless the consent of the data subject has been obtained. An important provision can be found in Article 9, letter c) which stipulates that personal data on the state of the data subject's health may be processed also in those cases where health care is being provided or the state of health is being examined in accordance with a special law, particularly for the administration of social security benefits, as well as in those cases where such processing is explicitly authorized by a special law.
The Personal Data Protection Act is therefore a general law which leaves scope for special laws regulating specific procedures, rights and responsibilities of the persons taking part in the processing of sensitive personal data. The fundamental special law in this respect is the Act No. 20/1966 Coll. on Care of People´s Health, as amended (hereinafter referred to as "Care of People´s Health Act"). Part V of this special law regulates "the processing of personal data concerning health care provision" (Articles 67a to 67d). By the processing of personal data the law means the processing of personal data in medical records and further manipulation with the records as well as the processing of personal data in the National Health Care Information System (hereinafter referred to as "NHCIS"). This is a very important provision which was inserted in the Care of People´s Health Act by the amendment No. 260/2001 Coll. Until the adoption of the amendment the duty to keep records was stipulated explicitly (expressis verbis) in the Act No. 160/1992 Coll. on Health Care in Non-Governmental Health Care Establishments, as amended (Article 5, Para. 2, letter d) of the Act) See the Position No. 1/2000 of the Office for Personal Data Protection. At present all health care establishments are obliged under Article 67b, Para. 1 of the Care of People´s Health Act to keep medical records whose scope and extent is defined in Article 67b) Para.2 to 4 of the Care of People´s Health Act. Other rights and responsibilities concerning personal data processing in the context of health care provision are - as stipulated in Article 67b), Para. 9 - governed by special law, i.e. by the Personal Data Protection Act.
As regards the data subject's right to information about the personal data which are being processed, the conditions of access to the data being processed are defined not only by the Personal Data Protection Act, but above all by the Care of People´s Health Act, primarily because under Article 67b), Para. 12, the data subject (patient) is entitled to all information about his or her person, contained in the medical records or in other records relating to his or her state of health. From the information about his or her state of health, the patient must not learn any information relating to a third party. As regards persons under the age of 18 or persons whose incapacity to enter into legal acts has been judicially declared, the right to information, mentioned in the first sentence, passes on to their parents or their next friend.
The right of the data subject to information is frequently discussed in connection with the controversial question whether a doctor may demand payment for providing the patient with an excerpt from his or her medical records. The Czech Medical Chamber as well as the General Health Insurance Company have declared that in their view such a demand is justified, while the Patients' Association holds the opposite view, referring to the provision of Article 12 of the Act No. 101/2000 Coll. on Personal Data Protection and on the Amendment of Certain Other Laws, as amended (hereinafter referred to as "Personal Data Protection Act").
The Office for Personal Data Protection believes that neither party has as yet answered the fundamental question, namely, what "an excerpt from medical records" as a document on the patient's state of health exactly contains and how it is regulated by law. For this reason one cannot judge as correct and accurate the alleged relation of Article 12 of the Personal Data Protection Act, requiring the administrator of a health care establishment once in a calendar year to provide the data subject (patient) upon his or her written request with information on the personal data processed, to the special laws which define the excerpt from medical records.
The Office for Personal Data Protection believes that the key to the solution of the aforementioned issue can be found in Article 11 of the Care of People´s Healh Act dealing with health care provision whose integral part is the issuing of medical opinions (Article 21). Although the Care of People´s Health Act does not contain the term "excerpt from medical records", this concept is defined in the related or implementing legal regulations which deal primarily with the assessment of the state of health and fitness (e.g. Act No. 218/1999 Coll. on the Defense of the State, Act No. 361/2000 Coll. on the Transport on Ground Communications and on the Amendment of Certain Other Laws, Decree No. 127/1996 Coll. of the Ministry of Health Care, Decree No. 324/2001 Coll. of the Ministry of the Interior etc.).
In cases where health care that has been provided is documented by reference to the official list of medical services in which a specific number of "points" is awarded for each service (Methodical Instruction No. POJ 2773/5/95 of the Ministry of Health), the making of an excerpt from medical records is classified as an administrative act performed by a general practitioner or a registrating doctor for another health care establishment or for a new registrating doctor to ensure a proper continuity of treatment. This shows that an excerpt from medical records may contain also other data than the personal data of the patient or the data on the state of the patient's (data subject's) health.
It would be therefore desirable to define the relationship between an excerpt from medical records and information on personal data. The Office for Personal Data Protection is of the opinion that the information on personal data provided under Article 11, Para.1 or Article 12, Para. 2 of the Personal Data Protection Act does not mean that the data subject learns directly the personal data (their content), but rather that it is a communication which includes as its integral part also the information on the "extent and scope of relevant personal data" (Article 11, Para. 1) or information on the "personal data processed in relation to the data subject" (Article 12, Para.2). Consequently, if the patient requested such information, he or she is entitled to receive it once a year free of charge, because special laws (Care of People´s Health Act or the laws on public health insurance) do not limit the scope of this right in any way.
The Office for Personal Data Protection also dealt with the personal data processing issues in connection with the clinical testing and post-marketing monitoring of drugs. Clinical testing of human medication and the related processing of personal data of the relevant data subjects is carried out on the basis of the authorization contained in the Act No. 79/1997 on Medicines and on the Amendment of Certain Related Laws, as amended, and of the Decree No. 472/2000 Coll. of the Ministry of Health and the Ministry of Agriculture, which defines correct clinical practice and specifies the conditions for the clinical testing of drugs. The commissioner of the tests who processes the personal data of the test subjects may carry out this activity on the basis of the aforementioned authorization, but at the same time he must fulfil all the duties of a data controller under the Personal Data Protection Act. The commissioner is therefore in the position of a data controller and all responsibilities of the data controller stipulated by the Personal Data Protection Act apply to him. As for the fulfilment of the notification duty by the commissioner-controller, this procedure is governed by Article 18, letter b) of the Personal Data Protection Act which clearly states that the notification duty of the data controller under Article 16 does not apply to the processing of personal data in those cases where such processing is required of the data controller by law or where such data is necessary for the exercise of rights ensuing from special laws.
In the framework of what it defined as "post-marketing monitoring", i.e. a process during which the performance of the registered drug, administered in everyday medical practice, is evaluated, the processing no longer concerns personal data which could directly or indirectly identify a concrete data subject, but rather "anonymous data", as defined in Article 4, letter c) of the Personal Data Protection Act (anonymous data under this provision are such data which either in their original form or after processing cannot be related to a specific or identifiable data subject). For the processing of such data the law does not require the consent of the data subject, regardless of whether the data in question is personal data under Article 4, letter a) or Article 4, letter b) of the Personal Data Protection Act. The data listed may not, however, bear any identifiable relation to a concrete data subject. It cannot therefore be justifiable to include in the data base also the initials of the data subjects or their identification code with the help of which the identity of the data subject can be established. In this respect it is irrelevant whether such "clues" would actually be used, or not. Such activity would no longer correspond to the definition of anonymous data processing and the data controller would have to observe in the pursuit of his duties all the relevant legal requirements, including the requirement to process data only with the consent of the data subject.
As for the processing of data from the surveys sometimes called "genetic probing", it can be said that if the processing concerns "epidemiological data on population in certain areas of the Czech Republic", it will probably apply to specific kinds of statistical data. In this case one can refer to the provision of Article 3, Para. 5 of the Personal Data Protection Act which states that the processing of personal data for statistical purposes is governed by special laws, with regard to certain other provisions of the Personal Data Protection Act, e.g. to Article 5, Para. 4 thereof which stipulates that the consent of the data subject is not needed if the processing of personal data takes place for statistical or scientific purposes. For these purposes it is, nonetheless, necessary to anonymize the data as soon as possible. The consent of the data subject is, moreover, still required for the processing of sensitive data for statistical or scientific purposes. In the processing of personal data for these purposes it is also always necessary to ensure the required standard of security in accordance with Article 13 of the Personal Data Protection Act.
Mode No graphics is currently switched on. Therefore you see the web page with no decorative graphics as well as any advanced formatting. If your browser supports CSS2, you can switch a graphic mode on.