Similar to any other personal data, medical or health information, which identifies or is identifiable to an individual, is protected under the Data Protection Act. Such data is termed as sensitive personal data (because it relates to the health of a particular person) and as such attracts more stringent provisions and additional safeguards for the protection of this information.

Any person, whether an individual or an organisation, such as a private medical practitioner, a clinic or a hospital, who processes data is a data controller. Simply keeping personal information on record constitutes processing, and so there is an obligation to notify this processing to the Data Protection Commissioner.

In relation to records kept manually, but only where the operations commenced before July 2003, this obligation for notification enters into force on October 24, 2007. Therefore, as from next year, this notification requirement applies to all data, whether kept electronically or manually.

In any case, the other obligations and the rights of the citizen are applicable in relation to all data, and these include the right of access to all his/her personal data, whether past or present. This right of access does not necessarily mean that a patient has a right to physical access to his/her medical file or doctor's notes, or to be provided with a copy of any document; the patient does, however, have the right to be given the full information contained therein.

Where a data subject feels that he is not granted the opportunity to exercise his right fully, he may have recourse to the Commissioner for intervention. Such access is to be given free of charge.

A data controller shall also be liable, at the request of the data subject, to immediately rectify, block or erase any personal data that has not been processed in accordance with the Data Protection Act.

Data controllers also have an obligation to conserve health records, and are therefore required to implement appropriate technical and organisational measures to protect the personal data that is processed against accidental destruction, loss or unlawful forms of processing, thereby providing an adequate level of security.

Any patient, being a data subject, may, by writ of summons filed in the civil court, sue the data controller for damages where his/her personal data has been processed in contravention of any of his/her rights under the Act.

Lifelong health files are a topic that is currently being actively discussed within the EU, and a feasibility study under the European Data Protection Law (which has been completely transposed to our Act) is being undertaken by the Article 29 Working Party, a forum in which the Commissioner is a very active member.

In Malta, a health record is notionally opened in the Government general hospital for every person born, but these files are limited to persons who use the services of this hospital. However, even Malta is looking at the introduction of electronic health files (ELHF).

This is the subject of an Integrated Health Information System being considered for Mater Dei Hospital, as the initial phase. We will deal with ELHF in greater detail in a future article.

Other aspects of health records that will be dealt with in future may include genetic data, health and life insurance considerations, the handling of health records by the employer, the medical certificates currently required for social services or for employment purposes, medical research, and other aspects of the treatment of medical or health data.

Readers are invited to address any queries on data protection, which may be discussed in this column, to the Office of the Commissioner for Data Protection by e-mail at commissioner.dataprotection@gov.mt or at its address, 2, Airways House, High Street, Sliema SLM 16.
