On March 5, 2009, the European Data Protection Supervisor (EDPS) issued an opinion on the directive proposed by the European Parliament and Council on December 8, 2008, which intends to put in place an EU-wide organ donation and transplantation scheme. The EDPS has seized the opportunity to clarify the concepts of traceability and anonymity of donors and recipients, which are essential for determining to what extent EU data protection rules apply in this particular context.
The views of the EDPS might also prove useful to data controllers in other areas where it is not always clear whether anonymous data or what is referred to in data privacy parlance as “pseudonymized” data should be used to avoid compliance issues.
The Proposed Directive
The directive proposal aims to ensure high standards of quality and safety for human organs intended for transplantation, and fits within the EU approach setting common standards to promote cross-border availability of health care services. The implementation of these standards will inevitably involve the processing (by authorized organizations and health care professionals) of personal data relating to organ donors and recipients.
Although there will be no direct exchange of personal data between organ donors and recipients, under the proposed directive the competent authorities at the national level will be required to maintain full traceability of the organs from donors to recipients (and vice versa), even in the case of cross-border organ transfers.
To facilitate cross-border exchanges, the proposed directive standardizes the collection of relevant information (including health data) and establishes a mechanism for information transmission. In addition, the proposed directive provides for the introduction of registers of living donors, to evaluate the health of donors as well as the risks to donation.
Anonymous v. Pseudonymous Data
According to the EDPS, some of the provisions in the proposed directive might raise data privacy concerns because of the sometimes conflicting use of the concepts of “traceability” and “anonymity.” The EDPS therefore recalls and clarifies the following key definitions and concepts under EU data protection rules:
- Personal data is any information relating to an identified or identifiable natural person;
- Human organs and other biological materials of human origin (e.g., tissues) are sources of personal data. There is currently no consensus as to whether these materials as such should be considered as personal data;
- Anonymous data relates to a person who is not or no longer identifiable. Anonymous data falls outside the scope of EU Data Protection Directive 95/46/EC; and
- Pseudonymized data refers to retraceable, indirectly identifiable information on a person, which can still be used to backtrack to and identify that person under predefined conditions. Key-coded data is a typical example of pseudonymized data, which is commonly used in clinical trials.
The EDPS has taken the view that EU Data Protection Directive 95/46/EC applies to the collection, storage and processing of identifiable organs as well as to the subsequent extraction of information from such organs. In light of the permanent traceability of organs envisaged by the proposed directive, donors and recipients will be kept identifiable, and therefore EU Data Protection Directive 95/46/EC will apply throughout the whole process.
Whereas the proposed directive suggests that use should be made “of the possibilities for pseudonymization or rendering individuals anonymous,” this constitutes a contradiction in terms from a data privacy perspective: it is not possible to process traceable, identifiable data relating to organ donors and recipients after their information has been rendered anonymous. According to the EDPS, the term “anonymous” was likely used in this context to emphasize the need for confidentiality of donors’ and recipients’ information.
Although the traceability requirement inherent to the organ donation and transplantation scheme would not permit personal data to be processed anonymously, strong security measures should be in place to ensure confidentiality.
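The distinction the EDPS draws can be shown with key-coded data, the example of pseudonymization cited above. The following is an added illustration, not code from the opinion or the directive: a donor record is split into a coded clinical record and a separately held key table; the record stays traceable only while the key table exists, and destroying that table is what turns pseudonymous data into anonymous data (and makes the required trace impossible). All names and field values are constructed.

```python
"""Key-coded pseudonymization versus anonymization (constructed example)."""
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class KeyStore:
    """Held separately (e.g. by the competent authority): maps code -> identity."""
    _table: dict = field(default_factory=dict)

    def issue_code(self, identity: dict) -> str:
        # A random code carries no information about the person itself;
        # the link exists only in this table.
        code = "ORG-" + secrets.token_hex(6)
        self._table[code] = identity
        return code

    def lookup(self, code: str) -> Optional[dict]:
        return self._table.get(code)

    def destroy(self) -> None:
        """Deleting the key table renders the coded records anonymous."""
        self._table.clear()


def pseudonymize(record: dict, store: KeyStore) -> dict:
    """Strip direct identifiers, keep clinical fields, attach a code."""
    identity = {k: record[k] for k in ("name", "national_id")}
    coded = {k: v for k, v in record.items() if k not in identity}
    coded["donor_code"] = store.issue_code(identity)
    return coded


def trace_back(coded: dict, store: KeyStore) -> Optional[dict]:
    """Re-identification under predefined conditions: needs the key table."""
    return store.lookup(coded["donor_code"])


# Constructed sample donor record (not real data).
DONOR = {"name": "Example Donor", "national_id": "X-000",
         "blood_group": "O-", "organ": "kidney"}

if __name__ == "__main__":
    store = KeyStore()
    coded = pseudonymize(DONOR, store)
    print("coded record:", coded)                 # no name / national_id
    print("traceable  :", trace_back(coded, store))
    store.destroy()                               # anonymization step
    print("after destroy:", trace_back(coded, store))  # None: no trace
```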
Strong Security Measures
The processing of personal data relating to organ donors and recipients will mainly take place at the EU Member State level, in specialized procurement and transplantation centers. The EDPS emphasizes the need for strong security-enhancing measures that should be adopted in all EU Member States, and which include:
- Implementing information security policies, as well as specific confidentiality and access control policies that define access rights, roles, and responsibilities for all parties involved. The policies should provide measures to ensure the integrity and uninterrupted availability of the data. Data processors who are not bound by medical secrecy should provide data confidentiality guarantees;
- Applying security mechanisms (such as encryption and digital certificates) in the national databases;
- Establishing procedures to safeguard the data protection rights of donors and recipients, especially their rights of access and rectification, as well as their right to information;
- Ensuring regular monitoring activities, including independent audits by data privacy and security experts.
Sending organs across the border for transplantation purposes will involve the transfer of (coded) personal data, considering that under the proposed directive the competent authorities will be able to (indirectly) identify donors and recipients. Therefore, the EDPS recommends paying special attention to the pseudonymization means used in the case of cross-border exchanges (to make sure, for example, that they are compatible).
Particular security issues might arise when organs—and the accompanying data—are transferred outside the European Economic Area (EEA), to countries with different levels of data protection. The EDPS is of the opinion that at the national level, the competent authority and the national data protection authority should work together to implement a specific framework allowing for secure and efficient transfers of organs’ data to and from third countries (i.e., countries outside the EEA).