
Does the Public Interest Always Win Against Confidentiality of Personal Data? – The Lithuania Case


The limits and understanding of patients’ right to confidentiality of their private personal data usually depend on the extent of the public interest in seeing it – the definition of which differs among EU Member States.

Confidentiality exceptions also exist in the category of sensitive personal data, which includes personal health data. According to Lithuania’s Law on the Rights of Patients and Compensation for the Damage to their Health, any information about a patient’s stay in a health care institution and his/her treatment, including information about the patient’s state of health, diagnosis, and prognosis, as well as any other personal information about the patient, is considered confidential even after the patient’s death. The law provides for an exception to this rule: patients’ personal data may be transferred to another public institution without the patient’s consent where that institution is given the right to receive it by law. Therefore, in the public and health care sector, the protection of patients’ private lives, to the extent it relates to personal data, is quite narrow. The new General Data Protection Regulation supports the current practice, leaving the scope of “public interest” to be defined by the Member States. 

Special Lithuanian laws entitle the Centre of Registers, health care institutions, the social insurance agency, and the disability and working capacity assessment office to receive and use patients’ personal data. The Centre of Registers is the processor of the Lithuanian centralized e-health IT system (ESPBI IS), where all patient data is collected, stored, and used by other health care institutions and public authorities. Still, the problem of data reliability exists because health care institutions delay entering data into the system, and not all institutions are connected to the system because of software or infrastructure incompatibilities. Therefore, the practical and legal reliability of the centralized e-health IT system should be improved. 

That patient data in the centralized database be sufficiently reliable for use in a court of law and other legal relations is important for four major reasons: First, the quality of health care services cannot be measured without reliable data; therefore the public interest in measuring it is not facilitated and the requirement that the public interest be served is not met. Second, reliable data can reduce the burden of proof in courts for patients protecting their rights. Third, reliable data can ensure the transparency of health care processes (i.e., misdiagnoses or inaccurate interpretations of medical data can be detected more efficiently). Fourth, according to data protection rules, all patient personal data should be correct, and patients have the right to its rectification. Therefore, it is worth discussing further whether Lithuania should include in its laws a legal presumption of correctness of patient data processed in the centralized IT system as it has in Lithuanian legislation concerning public registers. 

The OECD Public Governance Review 2015 revealed that Lithuania, like Estonia, suffers from low trust in health care services. According to information from the Lithuanian Ministry of Health, 40% of 15-74-year-old people do not trust the health care system in general. Therefore, reliable data in the e-health system and the functioning of electronic prescriptions, which can also serve as a tool for statistical and policy analysis, could enhance the confidence of patients and the quality of the health care system in general.

Personal data encryption measures are another challenge for future Government policies. It is not necessary to have complete personal data for scientific research or policy evaluation tasks. Art. 32 of the General Data Protection Regulation provides that the controller and processor must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, inter alia, the anonymization and encryption of personal data, as appropriate. This security measure, at least, should be applicable to sensitive personal data used for public purposes.

Lithuania has an elaborate legal regime applicable to the use of personal data, which generally strikes a proper balance between private and public interests. However, there are still some limits to the reliability of such data (e.g., in the case of patient data), and there is still some room for improvement in the legal test as well as in how the data is managed by relevant registers. The low level of trust of the public makes it more difficult to justify the use of personal data for activities in the public interest, such as scientific research and policy assessments.

By Daiva Dumciuviene, Head of Health Care Practice, Tark Grunte Sutkiene

This Article was originally published in Issue 4.2 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.