Legal aspects of incident reporting and data collection: Fear of the Dark?

Meeting on “Incident Reporting in Radiotherapy”

3rd of September – Federal Agency for Nuclear Control

Clear up misunderstanding: scope of our Data Protection Act

• Privacy

• Protection of privacy (1) in relation to the processing of personal data (2)

[Diagram: Privacy (1), Data Protection (2)]

1. Privacy: article 8 ECHR – art. 22 Const.

• Protection of privacy

• “Everyone has the right to respect for his private and family life, his home and his correspondence”

• Private life: cultivation, serenity, secrecy, isolation,…

• Family life: marriage, living together, starting a family...

• Direct effect – horizontally/vertically

• Important: protection of privacy is not absolute

Specific legal texts

• Besides the general provisions of article 8 ECHR and article 22 Constitution, there are several specific legal provisions which protect (certain aspects of) privacy

• E.g.: Act 10/4/1990 concerning private security, Act 18/7/1991 concerning private detectives, Data Protection Act, Camera Act, Act 30/6/1994 concerning telephone tap,...

2. Data Protection Act

• Act of 8 December 1992 on the protection of privacy in relation to the processing of personal data

• Protects the citizen against the use of (his) personal data

• States the rights and obligations of the person whose data is being processed as well as of the processor

• Just a part of “privacy”

• Penal act (fines)

Personal data?

• any information relating to an identified or identifiable natural person

• Identifiable = one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, psychological, mental, economic, cultural or social identity

• No legal person (e.g.: company)

• E.g.: name, photo, telephone number (private/work), national register number, bank account number, e-mail address, fingerprint, code, licence plate,...

Personal data versus anonymous data

• Anonymous data = data that cannot be related to an identified or identifiable person and that is consequently not personal data

• Encoded data = personal data that can only be related to an identified or identifiable person by means of a code

Processing?

• any operation or set of operations which is performed upon personal data, whether or not by automatic means

• E.g.: collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by means of transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction of personal data

Filing system?

• any structured set of personal data which is accessible according to specific criteria

• structured set of personal data

• Logical classification

• Systematic consultation of personal data possible

• accessible according to specific criteria

• Name

• National register number

• ...

Controller?

• any natural or legal person, un-associated organization or public authority which alone or jointly with others determines the purposes and means of the processing of personal data

• E.g.: doctor, company, local authority, non-profit organisation,...

• Important: controller has to comply with all obligations of the Data Protection Act (= responsibility)

• (processor)

Scope Data Protection Act

• Processing of personal data (wholly or partly) by automatic means

• Processing of personal data by non-automatic means, but only processing

• Which forms part of a filing system or

• Is intended to form part of a filing system

Principle of finality

• Personal data has to be processed for specified, explicit and legitimate purposes

• A further processing can (only) be considered compatible with the original purpose(s), considering

• The reasonable expectations of the data subject or

• The legal or regulatory provisions

Principle of proportionality

• Personal data has to be adequate, relevant and not excessive in relation to the purpose(s) of the processing

• Personal data has to be kept in a form that allows for the identification of data subjects, for no longer than necessary with a view to the purposes for which the data is collected or further processed

When can you process personal data?

• “Normal” personal data: 6 cases (exhaustive list!):

• consent

• necessary for the performance of a contract

• necessary for compliance with a legal obligation

• necessary in order to protect the vital interests

• necessary for the performance of a task carried out in the public interest or in the exercise of the official authority

• promotion of the legitimate interests of the controller (balance of interest)

Special processings are prohibited… but…

• Special processings?

• Processing sensitive personal data

• Processing health-related personal data

• Processing of judicial personal data

Health-related personal data

• No definition

• In practice: all personal data concerning the former, present or future physical or mental state of health

• Processing prohibited but prohibition does not apply in some cases (exhaustive list), e.g.:

• the processing is necessary for the promotion and protection of public health, including medical examination of the population

• the processing is necessary for the prevention of imminent danger

• the processing is necessary for the purposes of preventive medicine or medical diagnosis, the provision of care or treatment to the data subject, or the management of health-care services in the interest of the data subject

• ...

• Always under the responsibility of a health-care professional, except

• When there is a written consent

• When the processing is necessary for the prevention of imminent danger or for the mitigation of a specific criminal offence

• Right of access

• Direct

• Through a health-care professional at the request of the data subject or the controller

Notification with the Privacy Commission

• Notification for any purpose or set of related purposes for which wholly or partly automatic operations are carried out

• Controller has to notify

• Notification prior to processing

• Content notification = legally determined

• Modification of notification if important information changes

• By paper (125 euro) or via internet (25 euro)

• List of exemptions by Royal Decree

• Notification is not intended to request an authorization or permission, but only to notify a processing = apart from very exceptional cases, in Belgium no authorization is needed to process personal data

Content of the notification

• the name of the processing

• the purposes

• the categories of data being processed (not the data themselves)

• any possible legal or regulatory basis for the processing

• the categories of recipients to whom the data may be disclosed

• the safeguards established for disclosure to third parties

• the way in which the data subjects are informed of the processing

• the person the data subjects may address to exercise their right of access and the measures taken to facilitate this

• the categories of data intended to be transferred abroad, the countries of final destination and the reason why the data are transferred even if the destination countries do not ensure an adequate level of protection

• the period of time after which the data must no longer be stored, used or disseminated

• organizational and technical security measures

Public register

• Database of the notifications

• Aim: make the processing of personal data in Belgium more transparent:

• Data subject can look up information about a processing

• Privacy Commission can audit

• Accessible to all: through the internet, in our offices, request (extract)

• The notification contains a description of the characteristics of the processing

Mission Privacy Commission

• Since 1/01/2004: independent supervisory authority under the auspices of the Belgian House of Representatives (before that: Ministry of Justice)

• The Commission's mission is to ensure that privacy is respected when personal data are processed:

• Opinion and recommendation

• Authorization (by sector committees)

• Inspection, supervision and complaints

• Information and assistance

Authorizations – sector committees

• Specific sector committees have been established

• Rapid evolution information society

• Multiplicity of questions (data subjects and government)

• The rise of more complex cases

• Advantage

• Specific experts from particular domains

• Different sector committees (6)

• Important: Sector Committee of Social Security and of Health

• Role of such a committee

• Grants an authorization when data is being exchanged electronically in the network of social security of health

E.g.: every exchange of personal data by or to the E-health platform

• Checks the documents and decides whether or not to grant an authorization

In practice

• To go through all this information again (but at your own pace):

www.privacycommission.be

• E-mail address for questions:

[email protected]

• Internet demo

• Website

• Notification

• Sector committees
