Judgment on the Health Sector Database
Excerpt from a judgement by the Supreme Court of Iceland, of November 27, 2003, concerning The Health Sector Database (HSD).
According to the Act on the HSD, health data about all Icelanders can be obtained without the patients' consent and placed in the HSD. However, people can specifically notify the Directorate of Health that they request that data on them not be transferred into the HSD. Data in the HSD may, according to the Act, be linked to data in a genealogical database and a genetic database. Data in the HSD is supposed to be made unidentifiable by a so-called "one-way encryption" (so that it cannot be decrypted). Also, the results from the linking of the three above-mentioned databases may not be traceable to individuals.
The database is, according to the Act, meant to be used for the development of "new or improved methods of achieving better health, prediction, diagnosis and treatment of diseases, to seek the most economic ways of operating health services, and for making reports in the health sector". The HSD has not been built yet and is not in operation, but according to the latest design ideas, it will be accessible on the internet so that a large number of people can have access to it, based on contracts made with the HSD's license holder.
The Supreme Court of Iceland passed a judgement, on November 27, 2003, concerning the HSD. In the case in question, the plaintiff demanded that her father's name be put on the abstainers list held by the Directorate of Health. She was denied this, since the Act on the database only grants this right to the data subject itself.
That judgement demonstrates that constitutional human rights statutes, and statutes in applicable international human rights treaties, have a bearing on the choice of security requirements to which human genetic research databases shall be subject, and on their implementation. Therefore the court concluded that:
The Act stipulates repeatedly that data in the HSD must not be personally identifiable (linkable to individuals), but it does not contain precise provisions on how to achieve this goal, as it should due to the above-mentioned responsibilities, which the constitution charges the legislature with, for the purpose of protecting the citizens' personal privacy.
This cannot be substituted with provisions on various surveillance measures to be taken by governmental agencies, without these agencies being furnished with clear and lawful parameters on which to base their evaluations. Neither can this be substituted by referring to the Minister of Health for him to put relevant provisions into the operating license; nor by entrusting any other governmental bodies with coming up with codes of practice, since such codes could be subject to a variety of changes, given the very vague boundaries set by the Act on a Health Sector Database.
Consequently, the Supreme Court reached the conclusion that the Act on the HSD does not meet the requirements in Article 71, Paragraph 1 of the Icelandic constitution, to provide adequate protection against the risk of the data being traced back to the relevant individuals for the purpose of protecting their personal privacy.
Due to all this, the Supreme Court held that the plaintiff was entitled to not having data on her deceased father transferred into the HSD as the data could indicate her father's congenital characteristics and thus also possibly hers.