

June 1, 1998


A major European Union privacy law goes into effect this October, setting a global standard for tough protection of private information. The EU Data Protection Directive was passed in 1995 to establish a common set of data protection laws governing the access, use and storage of personal data in EU nations. Every EU country must have national laws in place by the fall. A few countries such as Italy and Greece have already enacted laws. Others, such as the U.K., France and Germany, have bills under debate now. "It will considerably strengthen the data protection environment we have in Europe," notes Barry Barber, a consultant with British firm Health Data Protection, Ltd. Barber says the result should be a more uniform policy for data protection from country to country.

The directive establishes detailed rules for the secure processing of personal information. It requires informed consent before data is released to a third party; gives citizens a range of rights, including access to their own data and a record of which parties are using it and why; singles out "sensitive" data, which includes medical records, for special protection; and largely prohibits the export of data outside the EU to countries that lack comparable privacy standards. In particular, parties in the United States will not be able to receive or process EU personal data without a special contract.

Software providers marketing in Europe will have to make sure their systems incorporate adequate access, tracking and authorization controls. Yet according to Philip Jones, an assistant registrar with the Data Protection Registrar, an independent office in southern England that reports to the British Parliament, software modifications should not be a burden. "I don’t think there’s anything in the bill that would require people to have massive restructuring of their systems."

The U.K. is one of several EU nations that have had legislation for data protection in place for years. The Data Protection Act of 1984 already complies with roughly 80 percent of the directive, according to the Data Protection Registrar. The most significant changes of the directive, says Jones, are the inclusion of manual records (the 1984 Act applied specifically to computerized data), a more stringent registration system for recording transactions of personal information, and the export rules. Jones says it is too early to make any accurate cost estimates of compliance with the new law.

"I personally think that one of the most important things will be the third-party disclosure registrar because healthcare is now being provided by a variety of different organizations and agencies rather than one central one," Barber says. Data controllers at every European organization will have to report details on the use of personal data to a national data protection registrar.

The NHS and the British Medical Association are currently debating how and if to use strong encryption for medical records, according to Barber. He believes it will take a good five to 10 years before a security infrastructure is in place that allows the widespread use of smart cards, encryption and other security tools. Still, Europe has made substantial progress in gaining acceptance for security standards, such as the EU standards body CEN’s 12924 standard for healthcare information systems.

The vital exchange of data between Europe and the U.S. will be greatly hampered, hitting multinationals and the financial community particularly hard. Pharmaceutical and medical device manufacturers may also have difficulty using European patient data in clinical trials, research databases or marketing, even with the directive's exemptions for scientific research and preventive medicine, according to Peter Swire, an associate professor at The Ohio State University College of Law and co-author of a just-released book on the subject: "None of Your Business: World Data Flows, Electronic Commerce and the European Privacy Directive."

While Jones maintains that the directive does not mean an end to the flow of personal information between the EU and the U.S., Swire says the new privacy laws will potentially affect "hundreds of billions of transactions"--an issue that will not likely be resolved by similar national legislation coming out of the current U.S. Congress. In healthcare, U.S. lawmakers have been dawdling for years on medical records privacy legislation. Yet for Europeans it is much easier to pass sweeping privacy laws, suggests Swire, because the ties between society and government are so much greater. "In the U.S., laissez-faire is still a stronger ideology than in Europe." A copy of the directive can be found at Swire’s Web site:

Polly Schneider is senior editor at Healthcare Informatics.


Patients in Australia can opt for corrective eye surgery that takes advantage of digital decision support and a steady hand. For the past seven years, eye surgeon Noel A. Alpins, MD, of Melbourne, Australia, has used software he developed to guide his laser scalpel as he makes incisions to correct misshapen corneas. His laptop has become as much a part of his operating room paraphernalia as his mask and gloves.

In the past, surgical corrections for astigmatism could be calculated in two ways: the first derives the correction from the corrective lenses that improve the patient's vision; the second measures the actual topography of the cornea. Alpins' software combines values from both methods, giving surgeons a set of "what ifs" to examine before and during surgery, and solid numbers to review afterward when analyzing outcomes.