A vital principle for the processing of medical data is the respect for confidentiality. It is crucial not only to respect the privacy of a patient, but also to maintain his or her confidence in the medical profession and health services in general. Otherwise, where an individual is in need of medical assistance, but fears that his or her medical data could be unlawfully disclosed to other persons and authorities, he/she could feel deterred from revealing information of a personal and intimate nature. Thus, he or she may avoid necessary treatment, thereby endangering his or her own health and, in the case of transmissible diseases, the health of others, too.
Generally, data concerning your health is only allowed to be disclosed with your written consent. However, there are situations stipulated by law where your consent is not required. Although disclosure in such situations interferes with your private life, it will only result in a violation of privacy if not done lawfully.
Has my medical data been processed lawfully?
To evaluate whether your medical data has been disclosed lawfully and whether your privacy has been sufficiently respected, see the questions below. If, in your situation, your answer to one of these questions is negative, your privacy may have been violated. In such a case, you have the right to complain. Read more about how to complain.
Your medical information may only be disclosed to other persons and authorities without your consent if specifically allowed by the law. The law should also provide you with adequate and effective guarantees to prevent communication or disclosure of your medical data and the opportunity to challenge the particular actions taken. You can find this basis in the General Data Protection Regulation or in other laws, which specifically relate to medical data processing.
If the disclosure of your medical data was not allowed by law the activity was not lawful and your right to private life may be violated. There is no need then to examine the other criteria for lawfulness.
The disclosure or communication of your medical data has to be aimed at the protection of legitimate interests. These legitimate interests can, for example, be:
- the protection of your own health
- the protection of public health, namely, the health of other persons
- the allocation of public funds, such as for disability pensions and other financial support in the context of the economic well-being of the country
- medical science
- the prevention, investigation and prosecution of crime
If the disclosure or communication does not serve a legitimate aim, the particular activity is not legal and your right to private life may be violated. There is no need to examine the proportionality of the data disclosure.
The disclosure of your medical information should be necessary and proportional for the achievement of the other legitimate interests. The disclosure (communication) of your medical information has to be important and relevant.
The following questions should be asked to evaluate the necessity:
- Is the disclosed information important and relevant to secure the legitimate interests?
- Are there any other alternative and less restrictive methods available to achieve the legitimate aim?
example Your medical data was communicated to the court within particular court proceedings, but was not decisive in the adjudication of the case. The court could have still reached the same conclusion without using your medical information. In this case, you can conclude that your medical data was not important and relevant for the achievement of the legitimate aim – the adjudication of the particular case.
The disclosure of your medical information shall be proportional for the achievement of the other legitimate interests. Those legitimate interests are not more important than yours, and therefore a fair balance must be found between these competing interests. The authorities have to give sufficient arguments why the interests of others outweighed your rights and the other way around in the particular case.
The following questions should be assessed within the balancing process:
- Even if not required by law, was your consent to the disclosure required in the particular situation, and, if so, have you given it?
- Was your medical data effectively protected against unauthorized access?
- Was it possible to clarify to whom your data was disclosed?
- Was your medical data made publicly accessible? For example, published in the press thereby causing you public humiliation?
- Were there sufficient protections/safeguards against a possible abuse of the obtained information?
If the authorities failed to balance your right to private life with the interests of the state and other persons, there may be a violation of your right to private life. Read more about how to complain and protect yourself in such situations.
25 February 1997
17 July 2008
15 April 2014
10 October 2006
27 August 1997
25 November 2008
6 June 2013
Article 4 - 42
Applicable as of 25 May 2018
Articles 6 and 9
Joint publication by the the EU Agency for Fundamental Rights and the Council of Europe