Declarations on Promotion of Patients’ Rights in Europe

With technological advancement, it became imperative for European nations to pay significant attention to patients’ rights. The “Declaration on Promotion of Patient’s Right” in Europe (1994) laid down the principles of patients’ rights. Clause 4 of the declaration lays down the principle on the confidentiality and privacy of the patients. Perusals of the clause reflect that that patients’ health status, diagnosis or prognosis, and all other private information are paramount, and confidentiality must be maintained, not only during the lifetime but also after death. The confidentiality of a patient’s information is considered so crucial that it can be disclosed only if explicit consent is received from the patient or if the law provides for it; however, the consent of the patient could be presumed in such circumstances where another healthcare facility is jointly involved in the process of treatment. The clause also gives the patient the right to access and receive medical and technical details concerning them but does not extend to third-party data; furthermore, the patient has the right to correct, complete, delete and update such personal medical data which are inaccurate, outdated, incomplete or irrelevant for the treatment and diagnosis of the individual. In addition to the rights of the patients, the healthcare facilities also had specific duties concerning the maintenance of confidentiality and privacy of the patient, such as protection of identifiable data in an appropriate manner of storing; no intrusion in the patient’s private life without the consent of the patient, and even after receiving consent any such intrusion must be justifiable for treatment, diagnosis and requisite care; catering to the expectation of the patient of aforementioned facilities dealing with privacy [12]. After the 1994 “Declaration of Patient’s Health,” the “World Medical Association” came up with a “Revised Declaration of Lisbon on the Rights of the Patient” in 1995, 2005 and 2015. In the 1995 revision, there was a significant shift from the design of the declaration of 1994. The 1995 “Revised Declaration of on Rights of Patient” had moved away from the comprehensive clause on confidentiality and privacy, and incorporated a separate clause on the “Right to Confidentiality” which remains identical in principle to the 1995 declaration. However, specific and significant alterations were introduced, such as providing for the rights of the descendants to access the information, to enable them to be informed about potential health risks they may face; healthcare facilities which are engaged in joint treatment with the parent facility, such additional facility can be given information on a “need to know” basis unless the patient grants explicit consent for the sharing of information. The provisions relating to the privacy of individual also could be found as sub-clauses under the clauses titled “Right to Dignity” and “Right to Information,” wherein the existing rights of the patients regarding privacy are supplemented with due consideration given to the cultural aspect of the patient; and choice of such individuals, relatives, etc. who can be made aware of the medical condition of the patient. However, certain limitations on the rights of patients regarding privacy were incorporated, which provide for the withholding of information from the patient if there is a reasonable belief that such information may be hazardous to the patient’s life. The declaration also gives the patient liberty to refuse participation in research and the teaching of medicine [13]. The declaration was subsequently revised in the years 2005 [14] and 2015 [15]; the clause addressing the confidentiality and privacy relating to patient information remained similar to 1995’s revised declaration.

Opinion of the European Group on Ethics in Science and New Technologies

In 1999, “The European Group on Ethics in Science and New Technologies to the European Commission” opined on issues of ethics in healthcare in the information society after taking due consideration of the actual progress in medical data-related international instruments and the practical aspects intertwined with technology and society. After considering the social, technological, legal and medical factors, the group opined that the medical data of an individual are part of his/her personality and must not be converted into commercial objects. Informed consent is non-derogable for collecting and accessing these data; collection of such data must be limited to the treating medical professional and to such other parties who can justify their role in the treatment process; the authorized users of such data should treat the information as part and parcel of medical secrecy, the only exception being existence of a law' in operation providing for digression from the rule; the confidentiality of medical data should be respected even after the death of the individual; citizens have the right to know' about the data collected, their purpose and who wall be using them and to correct the data; furthermore, the citizen also have the right to oppose secondary use of the data w'hich is not regulated by law'; feature of accountability w'as established over all the parties who engage in medical data; the standard of such accountability must be similar to the accountability of health professionals; the act of collection of the medical data must strictly be premised upon a legitimate purpose and entities who are connected to the healthcare industry but operate independently; a state-of-the-art security system must be provided for safety in the storing and transfer of medical data; accountability of the health information providers over new “Information and Communication Technology” was established; information sought over the Internet regarding drugs and medicine are to be considered as part of personal health data;

health-related consultation over the Internet or the creation of profiles is not to be traded with a third party; health cards are to be dealt with extreme care and caution, as no such data are to be included without consent of that individual (and some not even with the consent of the individual) and the card holder must have the liberty to restrict partial or complete data on the card, including the right to restrain the use of such data; the participatory element of decision making, with regard to medical data, is essential and must be encouraged; education and training of individuals on the aspects of medical data and technology must be undertaken by the healthcare professionals even without any explicit request [16].

Directives by European Parliament

With the rising dependency on technology, and more importantly IT, the European Parliament issued several directives. “Directive 2002/58/EC,” for example, addresses the privacy and safety of personal data in e-communication, and “Directive 2004/23/ EC” addresses processing of privacy-related data, safety, standards of quality, procurement and testing of human tissues and cells. Furthermore, the European Parliament issued a specific regulation addressing the processing and free movement of personal data. However, the regulation governed data protection in the general sense; nonetheless, the “data concerning health,” “genetic data” and “biometric data” were addressed within the ambit of general data protection regulation. The continued development in technology led to the formulation of Opinion of the European Group in Ethics in Science and New Technology concerning the ethical implications of new health technologies and citizen participation in 2015. Therein, the “European Group on Ethics” (EGE) inter-alia recommended that fundamental rights considerations should be integral to EU policy on health data, including big data. Observing that data are deemed to be the new currency of the 21st century, bringing considerable opportunities for economic activity and R&D, and because health data have become both a sensitive and a strategic object of attention, the EGE recommends the EU institutions to clarify the concept of ownership concerning data. Weighing in on the debate of private ownership and public good, the EGE recommends the setting up of measures in order to protect individuals against overreach by third parties with regard to health data [12].

Big Data and Convention 108

The challenge of the protection of data got only more severe with the introduction of artificial intelligence and big data. The Consultative Committee of the Convention, in order to protect automated data privacy rights, laid down comprehensive guidelines wherein the significance of human rights, fundamental freedoms and a necessity for compliance with data protection obligations are laid down. The impacts of big data processing were acknowledged, and the privacy concerns addressed in Convention 108 are reiterated in the wake of the potential implications of big data processing and artificial intelligence. The guidelines laid down specific clauses limiting the use of personal data, consent and education [17].

Regulation on General Data Protection by European Parliament

In 2018. the “European Parliament and Council of European Council” implemented “Regulation (EU) 2016/679,” which deals with protecting medical data concerning natural persons. This regulation repealed the earlier Directive 95/46/EC [18]. The regulation establishes specific principles on personal data processing and is based on transparency, fairness and lawfulness, purpose limitation and limiting data collection; the accuracy of data; temporal limitations on storage; integrity and confidentiality. Chapter III of the regulation provided detailed provisions on transparency, information and access, rectification and the right to be forgotten, the right to object and restriction under different heads, titled as “sections”.

Even though the regulation at present is applicable in the member countries of the European Union, nonetheless the standards have found acceptability in individual other nations beyond Europe, and it is expected that in due course of time they will have a broader impact in shaping accepted international standards on medical data protection with requisite contextualization. Furthermore, the trend of accepting the standards of nations other than European countries may lead to the creation of customary international law, albeit with specific modifications, exceptions and reservations, and successfully remove the void in international law specifically addressing the concerns of medical data protection.

While the EU acted as a collective, some of the major jurisdictions also took significant steps towards data protection law through legislations as reflected in Table

13.2 [4]; though they may not be considered as international law, nonetheless, they can definitely act as inspiration to the nations without such legislation.