Privacy Compliance in European Healthgrid Domains

Medical data sharing between different healthcare organisations in Europe must comply with the legislation of the Member State where the data was originally collected. These legal requirements may differ from one state to another. Privacy requirements, such as patient consent, may be subject to conflicting conditions between different national frameworks as well as between different legal and ethical frameworks within a single member state. Whilst most EU member states are now governed by similar personal data protection rules, harmonization remains more apparent than real. First, subject to certain safeguards, the pertinent EU directive [1] allows Member States to lay down simplifications and exemptions to some of the obligations that are mandated. Second, for reasons of substantial public interest, Member States may lay down exemptions to the ban of the processing of sensitive personal data in addition to those laid down in the directive, either by national law or by decision of the supervisory authority. Third, the various definitions do not lead to a uniform understanding of the key concepts underpinning the directive. Member states have had difficulty in interpreting the concept of “Personal Data”; e.g. in the UK some data may not be classified as personal or non personal in abstracto, but may be either according to the circumstances [2]. Overlaps in the interpretation of “Personal Data” have also resulted in different ways of governing anonymised and pseudonymised data.