Icelandic. Decision of the Supreme Court on the protection of privacy with regard to the processing of Health Sector Databases. Attorney at Law vs The State of Iceland.

Mr. R appealed for a decision by the Court to overturn the refusal of the Medical Director of Health to her request that health information in medical records pertaining to herdeceased father should not be entered into the Health Sector Database. Furthermore, she called for recognition of her right to prohibit the transfer of such information into a database. Article 8 of Act No 139/1998 on a Health Sector Database provides for the right of patients to refuse permission, by notification to the Medical Director of Health, for information concerning them to be entered into the Health Sector Database. The Court concluded that R could not exercise this right acting as a substitute of her deceased father, but it was recognised that she might, on the basis of her right to protection of privacy, have an interest in preventing the transfer of health data concerning her father into the database, as information could be inferred from such data relating to the hereditary characteristics of her father which might also apply to herself. It was revealed in the course of proceedings that extensive information concerning people's health is entered into medical records, e.g. medical treatment, life-style and social conditions, employment and family circumstances, together with a detailed identification of the person that the information concerns. It was recognised as unequivocal that the provisions of Paragraph 1 of Article 71 of the Constitution applied to such information and guaranteed to every person the right to protection of privacy in this respect. The Court concluded that the opinion of the District Court, which, inter alia, was based on the opinion of an assessor, to the effect that so-called one-way encryption could be carried out in such a secure manner that it would be virtually impossible to read the encrypted data, had not been refuted. It was noted, however, that Act No. 139/1998 provides no details as to what information from medical records is required to be encrypted in this manner prior to transfer into the database or whether certain information contained in the medical records will not be transferred into the database. The documents of the case indicate that only the identity number of the patient would be encrypted in the database, and that names, both those of the patient and his relatives, as well as the precise address, would be omitted. It is obvious that information on these items is not the only information appearing in the medical records which could, in certain cases, unequivocally identify the person concerned. Act No. 139/1998 also provides for authorisation to the licensee to process information from the medical records transferred into the database. The Act stipulates that certain specified public entities must approve procedures and process methods and monitor all queries and processing of information in the database. However, there is no clear definition of what type of queries will be directed to the database or in what form the replies to such queries will appear. The Court concluded that even though individual provisions of Act No 139/1998 repeatedly stipulate that health information in the Health Sector Database should be non-personally identifiable, it is far from adequately ensured under statutory law that this stated objective will be achieved. In light of the obligations imposed on the legislature by Paragraph 1 of Article 71 of the Constitution, the Court concluded that various forms of monitoring of the creation and, operation of the database are no substitute in this respect without foundation in definite statutory norms. In light of these circumstances, and taking into account the principles of Icelandic law concerning the confidentiality and protection of privacy, the Court concluded that the right of R in this matter must be recognised, and her court claims, therefore, upheld.