This Regulation mostly focuses on secondary processing of data, which is not linked to the primary purpose for which such data was originally collected. This is normally difficult to process by entities due to the Data Protection EU Regulation (2016/679). Nonetheless, according to article 30 of the Health Act, the Minister for Health has the discretion to regulate any matter connected with patients rights. Hence, after consultation with the Data Protection Commissioner, the Minister has made this regulation providing for specific conditions in which this data can be used.
This exhaustive list provides for the following circumstances;
- The processing and analysis of records kept by all entities falling within the ambit of the health sector. These entities have to be licensed to deliver any kind of service to patients or individuals, for the purpose of managing and enhancing the health service
- The analysis of health records supplied to the Ministry for Health in accordance with licensing legislation, contractual obligations, compliance with EU regulations on public health statistics and to safeguard other public health interests, to produce the indicators required for monitoring, to ensure the quality and cost-effectiveness of the health services at national level
- The monitoring of contractual obligations, including the purposes of quality control, management information and monitoring of such services and systems, arising from the public-private partnerships and partnerships with non-governmental organisations which the Ministry for health has entered into, to ensure that the afore-mentioned partners are adhering to their contractual obligations to deliver a safe and accessible service
- The fulfilment of the obligations related to the provision of statistical information, whether to international organisations or local clients
- The compilation of evidence in medico-legal cases and in cases referred by public bodies, in the course of exercising their duties as provided by law
- The investigation and monitoring of health threats, which typically requires the processing of health record data for the protection of public health
- access to health records, for the purpose of research activities
Any other circumstances requiring data access, which are not hereby mentioned, require consent from the subjects concerned. Nonetheless, in cases provided for in 3(c) and 3(g), data; which is not anonymous, may only be provided if it is in the public interest. Researchers will have to obtain authorisation from the Commissioner for Data Protection in terms of article 7 of the Data Protection Act before they start conducting their research activity. Furthermore, the Ethics boards or committees have to approve for the data to be used. There are various ethics boards that can give their approval, however, in cases where the research activity is conducted within the Ministry for Health or its partners, the Health Ethics Committee has to be consulted. If the research activity is conducted by academics or students, or any other NGO or public body which would like to assist patients in need of health services through their research, there are other committees in existence which can be consulted. Nonetheless, all the committees have to be recognised by the Information and Data Protection Commissioner.
In case you would like more information about data protection and require guidance, please send an email to [email protected].