The protection of personal data in health information systems - principles and processes for public health (2021)


In recent years, countries across Europe have implemented either new or considerably stricter data protection and cybersecurity laws. These laws continue to have a substantive impact on health information systems (HISs) and, in a wider sense, on most public health activities. This document aims to explore the conceptual implications and to give some guidance on how to take the specific, unavoidable decisions needed to balance the rights and interests at stake.

With a few easy-to-implement steps, any organization in public health can increase its level of data protection compliance significantly. As data protection is based on principles that have evolved over time, section 2 gives a short historical overview, followed by a deep dive into the legal principles behind data protection. Section 3 covers the practical implications of these principles and addresses the rights of data subjects, as these are at the heart of the regulatory framework. Section 4 examines the elements that need to be balanced against these rights – in particular, the right to health and to public health in general. Section 5 looks again at the secondary use of data for public health purposes, and at how the balancing of the interests at stake works in this context. Finally, section 6 gives an overview of the steps to be taken to make this happen, such as empowerment and oversight mechanisms.

This guidance document is part of the WHO Regional Office for Europe’s work on supporting Member States in strengthening their health information systems. Helping countries to produce solid health intelligence and institutionalized mechanisms for evidence-informed policy-making has traditionally been an important focus of WHO’s work and continues to be so under the European Programme of Work 2020–2025.