This Law provides strict rules in the case of processing of personal data, including medical data defined as "all data of a personal nature from which one can deduct information on the physical or psychological, past, current or future health condition of an individual, exclusive of mere administrative or accounting data relating to medical care".
The protection organised by the Law applies when the data are kept in manual files with a logical organisation allowing systematic consultation or are automatically processed, and as soon as the patient to whom the data refer may be identified or identifiable, i.e. even when the processing does not contain the patient's name but only a specific code or any other information enabling, directly or indirectly, the identification of the patient.
In accordance with the Law, the data holder has inter alia the following obligations:
- to inform each patient at the time of collection of the data (and upon the data's first registration except in certain cases) of, inter alia, the data holder's identity and address, the purpose of the collection, and the patient's right of access to and correction of the data, - to draw up a status report on the automated processing with, among other things, information about the nature of the data, the purpose of the processing and the (categories of) persons to whom the personal data are transmitted, if any, - to file a declaration with the Commission for the Protection of Personal Privacy before starting the processing, containing the information specified by the Law, and to report all changes to the Commission, to which the data holder must also pay a fee, - to regularly supervise all software programmes used for the automated processing and to maintain the quality of the data (including its update and the removal of incorrect, incomplete, irrelevant or sensitive data), - to secure the access to the data with an appropriate security system, inform its personnel of the privacy protection legislation and, as far as medical data are concerned, identify all the persons involved in the processing, with indication as to the limits of access for each of them, - to process the medical data under the supervision and responsibility of a physician, unless the patient would give his express written consent otherwise, and - to refrain from passing on the medical data to any third party, unless permitted by law or except to a physician or his staff with the patient's express written consent or in cases of emergency. Violation of the Law is penally sanctioned by a fine the amount of which may be up to BEF 20,000,000. Publication of the judgement requesting to cease the violation may also be ordered, together with the confiscation of the support media and erasure of the collected data. Finally, the data holder may also be prohibited for up to two years to process, directly or indirectly, any personal data.
The provisions of the Law have gradually entered into effect since its implementation and until 1 March 1995, the latest date on which all provisions must have become effective. Existing processing systems, however, have benefited from a transition period which has come to an end for most provisions of the Law and will terminate for the remaining provisions on 1 December 1995.
The content of this article is intended to provide general information on the subject matter. It is therefore not a substitute for specialist advice.
De Bandt, van Hecke & Lagae - Brussels. (32-2)517.94.53.
For further information contact Vincent Macq on + 32.2. 517.94.47.