

IJE Advance Access originally published online on February 26, 2008
International Journal of Epidemiology 2008 37(3):678-682; doi:10.1093/ije/dyn022

Published by Oxford University Press on behalf of the International Epidemiological Association © The Author 2008; all rights reserved.

Epidemiological research labelled as a violation of privacy: the case of Estonia

Mati Rahu1,2,* and Martin McKee3

1Department of Epidemiology and Biostatistics, National Institute for Health Development, Hiiu 42, 11619 Tallinn, Estonia.
2Estonian Centre of Excellence in Behavioural and Health Sciences, Tartu-Tallinn, Estonia.
3European Centre on Health of Societies in Transition, London School of Hygiene and Tropical Medicine, Keppel Str, London WC1E 7HT, UK.

*Corresponding author. Department of Epidemiology and Biostatistics, National Institute for Health Development, Hiiu 42, 11619 Tallinn, Estonia. E-mail: mati.rahu{at}tai.ee


    Abstract
Since 1996, the Republic of Estonia has had data protection legislation that omits any of the exemptions for the processing of personal data for historical, statistical or scientific purposes provided by EU Directive 95/46/EC. This article describes the consequences of this legislation for public health monitoring and research. It assesses how the work of the Estonian Cancer Registry has been impaired, so that available data are now misleading, and examines the impediments that have been placed in the way of legitimate medical research. The article explains how this legislation came to be enacted and considers the reasons why this happened and why there is resistance to remedy the situation. It provides a cautionary tale about the overzealous implementation of data protection as it affects health surveillance and research.


Keywords Cancer registry, data protection, epidemiology, Estonia, law, medical registries, negative consequences, research

Accepted 16 January 2008


    Introduction
Before they could join the European Union, the new Member States in central and Eastern Europe were required to incorporate into their national legislation the accumulated body of existing European law that, under the European Union's Treaties, takes precedence over national law. However, recognizing the need to adapt legislation to national circumstances, the most widely used European legal instrument, the Directive, sets out objectives to be achieved while giving national legislatures discretion as to how to transpose them into domestic law.1

From a public health perspective, one of the most contentious aspects of European law had been the 1995 Directive on Data Protection.2 Its initial drafts failed to take account of the importance of data linkage and secondary analysis of existing databases and, as a result, would have effectively precluded much epidemiological research in Europe. However, following an unprecedented campaign by the European public health community,3–6 the final version incorporated a provision to allow processing of sensitive personal data without the consent of the individual, as long as it is carried out for reasons of public or general interest, including legitimate epidemiological research. This reflected the experience of many countries, in particular Estonia's Nordic neighbours,7,8 where imaginative use of registry data had done much to inform policies that had contributed to some of the longest life expectancies in Europe.

The Directive does, however, allow Member States to impose more strict provisions. This is what has happened in Estonia. In this article we describe the reasons why this was done and the alarming consequences for Estonian epidemiological research. We believe that this article provides a warning of the real dangers of overzealous application of data protection and thus may contribute to future debates elsewhere.


    How did this situation arise?
Estonia was the only one of the former Soviet republics to be included in the first wave of ex-communist countries to be accepted as a candidate for European Union membership following the political transition that began in 1989.9 Consequently, as it embarked on the process of state building, a high priority was placed upon compliance with European law.

In 1996 it enacted a law on personal data protection,10 which the government described as being in conformity with the EU Directive 95/46/EC. In reality, it reflected much more closely the 1990 and 1992 drafts of the directives, which predated the provisions for epidemiological research. A textual analysis of the Estonian legislation and that enacted by neighbouring countries starkly reveals the exceptional nature of the former (Table 1).


Table 1 Frequency of some terms in data protection lawsa in the Nordic and Baltic countries11

 
From the outset, it was apparent that some interest groups were strongly opposed to any access of sensitive personal data except in the most limited circumstances. In a newspaper interview published in September 1998, Hillar Aarelaid, the Head of the Department of Data Protection (a predecessor of the current Data Protection Inspectorate) of the Ministry of the Interior, made clear his distrust: ‘If you pay enough to an employee of the Ministry of Social Affairs, you will get a copy of the [medical] register’.13

An opportunity arose to remedy this situation in 2003 when a new Personal Data Protection Act was being debated in the Estonian Parliament. Its initial draft permitted some forms of ‘scientific studies and research’, but these were rapidly removed.

During its passage through parliament, the significance of the original 1996 Act had essentially been missed by Estonia's few epidemiologists, even though they were aware of the ongoing debate about the European Directive. Epidemiologists played no part in the discussions leading up to the promulgation of the Act. The Act was supported by the Ministry of Social Affairs, which at that time did not appreciate any of the looming problems. By 2003, when the draft of the new Act was circulating, epidemiologists were more wary but the legislative process advanced very rapidly. On November 10, 2003, a diverse group of 14 institutions (including universities, the Statistical Office of Estonia and the National Institute for Health Development) sent a joint letter proposing amendments to the draft Act to the President, the Chairman of the Parliament and the Prime Minister. In addition, in an attempt to stimulate public debate, the adverse consequences of the draft Act were discussed in a newspaper article based on a round table discussion between a statistician, clinician, epidemiologist and two demographers.14 By now the Ministry of Social Affairs was more engaged in the process and initiated negotiations with other ministries to change the law. It was, however, unable to prevail against the strong opposition from the Ministry of the Interior and its Data Protection Inspectorate, which is charged with interpreting the Act.


    The consequences of the data protection law for public health
The following paragraphs illustrate just how the law in Estonia has become progressively more effective in suppressing epidemiological research, both now and for the future.

The Estonian Cancer Registry, founded in 1978, was an internationally recognized countrywide population-based registry. An essential and universal element in the operation of any cancer registry is the linkage of registration and mortality data.15,16 This is necessary both to improve estimates of incidence by detecting ‘death certificate (only)’ cases that have been missed by routine registration, and to measure cancer survival by linking it with data on the eventual death of all cancer patients. The 2003 Act prevents linkage of the Cancer Registry's files with the death certificate database. As a consequence, ~5% of incident cancer cases have been lost each year. This inevitably affects reported incidence after 2000, with one consequence that reported cancer survival rates in Estonia, hitherto very low,17 are now artefactually higher than expected.

Estonian cancer data had not been included in the WHO's international compendium Cancer Incidence in Five Continents series during the Soviet period because of a prohibition on releasing population and health data.18,19 Ironically, given the political determination in Estonia to reject the legacy of Soviet occupation, whilst data from the Soviet period can now be published, the most recent data, for 1998–2002, must be accompanied by a warning about their validity.

In response to this situation, data protection officials suggested in November 2005 the ad hoc linkage of death certificate data purely for the purpose of preparing the annual report of the Cancer Registry, but with the immediate and complete removal of those cases thereafter, a policy that is inadequate to ensure the utility of the registry.

A further consequence of these developments is the wider constraint placed on register-based cancer research. Thus, even the linkage of identifiable cancer registrations with medical records, simply for the purposes of validating the data and without any intention to contact the patient or his/her relatives, is specifically forbidden. Formally, it is possible for researchers to undertake studies based on cancer registrations if the subject gives informed consent. However, the researcher cannot first check the population or death registry to determine whether the subject is still alive. Furthermore, ~20% of addresses in the population registry are incorrect, making it difficult to know whether non-response is due to refusal to give consent, death or an incorrect address. Thus, the challenges to conducting robust and valid research are almost insurmountable. Unsurprisingly, scientists contemplating a career in (cancer) epidemiology, who are now confronted with a choice between using biased data and breaching the law,20 look to other areas of study. Similar problems face those responsible for the Estonian Medical Birth Registry and the Estonian Tuberculosis Registry, both once valuable epidemiological resources.

Another resource that has suffered because of the legislation is the Estonian Health Behaviour Survey among Adult Population, conducted biennially since 1990.21 For the 2006 survey, the National Institute for Health Development sought to obtain informed consent to use individual identifiable records as a basis for future research. The Data Protection Inspectorate refused to allow subjects to be asked to permit their data to be linked to other databases, even on the basis of informed consent. The reason given for refusal was that the researchers had not specified the exact topic of each separate question that might be the subject of research in future years—a Kafkaesque requirement.

At one stage, the law even obstructed Estonia's obligations as a WHO Member State to report its mortality data. After the 2003 Act came into force, the original medical death certificate, based on recommendations by the WHO, was declared as an illegal document, and the Statistical Office of Estonia had to cease entering deaths into the database between November 1, 2003 and January 11, 2005.22

It is necessary to consider not only the letter of the law but even the spirit in which it is implemented by the Data Protection Inspectorate. It is now apparent that the Inspectorate, in its decisions, invariably adopts the most restrictive interpretation possible, consistent with the way that it sees its role (Table 2).


Table 2 ‘Ways in which the Data Protection Inspectorate protects individuals’23

 
In Estonia, any form of record linkage is considered by the authorities as inevitably violating the privacy of individuals, on principle and regardless of the bona fides of the researchers involved. Although the Data Protection Inspectorate may, formally, give permission for linkage to take place, it has never done so.24

All of this takes place in a climate where some legislators and data protection officers treat scientists in health research as if they were unqualified individuals who want to satisfy a prurient personal curiosity. They frequently resort to the argument that ‘The Constitution of the Republic of Estonia declares that everyone has the right to the inviolability of private and family life’—as if such rights do not apply in, say, Finland, where the public health research output is in such stark contrast to that of Estonia.


    What explains this situation?
From the time when the first Personal Data Protection Act was promulgated in Estonia, several explanations have been offered by officials as to why it is important to be so restrictive. The need for medical registries has been rejected on the grounds that the country is not able to safeguard them against unauthorized access. If one cannot guarantee the absolute safety of the information stored, it is argued, it would be better not to have registries at all or to have them with anonymous data. In the autumn of 1998, during parliamentary debate about the Termination of Pregnancy and Sterilization Act, it was stated that, ‘since data have leaked from all the registries [in the world], even from those in the Pentagon, there is no possibility to keep registries safe’. Registry employees are portrayed as potentially corrupt and unethical, ready to blackmail registered individuals.25

In October 2004, a novel argument emerged: exemptions for research and statistical purposes do not inherently belong under data protection law, but should be written into specific laws. This was presented as the fundamental logic of Estonian legislation.

Inevitably, reference is made to the country's totalitarian past and, in a young democracy, registries present a grave danger lest, in the event of a political change, they might end up in the wrong hands. However, another quite remarkable consideration was revealed by the Director–General of the Data Protection Inspectorate on March 23, 2004 (meeting notes), who stated that a number of persons ‘have attained high positions in society’ and they do not want their personal health data to be kept in the registries.


    Why this kind of law?
The legislative process is influenced by multiple factors. Which factors came into play in the creation of the current Estonian legislation to take it so far from the intentions of the EU Directive on the processing of personal data?

First, the legislation has been subjected to only limited parliamentary scrutiny. Those who were responsible for this task were unaware of the debates taking place at a European level.5,6,26,27 Only 26 of the 101 members of the Estonian Parliament participated in the vote on the 2003 Act.28

Second, those responsible for data protection steadfastly avoid any direct discussion about the consequences of the current law for epidemiological research and associated activities. Any attempt to engage in debate is rapidly redirected to issues such as the importance of protecting privacy, the benefits of the law, the responsibility of the Data Protection Inspectorate, the reactionary nature of researchers and, most often, the dangers if information on health was to be mishandled.

Third, it is increasingly clear that some important elements in society are hostile to science, in Estonia and elsewhere.29 When such individuals are involved in shaping legislation, the resulting laws inevitably reflect their attitudes. There is anecdotal evidence that, when the 2003 Act was being debated by the relevant Parliamentary Committee, the term ‘scientific study’ was removed from the draft because it was not possible to reach agreement about what it meant. It later transpired that the legislators involved had only a vague idea of the existence of research councils and research ethics committees in Estonia.

Fourth, the Estonian research community is fragmented between specialties and has, on the whole, been passive in relation to these events. Thus, very few clinicians are willing to explain to the public and legislators why access to identifiable health data is needed.

Some other considerations are relevant. The Estonian legal system is influenced more by the German than the Nordic system. The former has traditionally taken a more restrictive approach to data protection, reflecting historical considerations. Preparations are now under way to replace personal identifiers in all disease registries with pseudonyms, a practice used in Germany.30 This will have further detrimental effects on health-related research and thus development of evidence-based health policy in Estonia.

Finally, one cannot ignore the quest for institutional power. After the 1996 Act came into force, a data security specialist argued that the law gave too much power to the data protection supervisory authority.31 Yet, the current legislation strengthens the authority's powers even further. This has been contrasted with the situation in neighbouring Finland, which ‘only has an ombudsman, with no such strong powers as we have here’.32


    Conclusion
The debate about how to balance privacy and public health research in some other countries, such as the UK, has been characterized by a view that many excesses have been due to misinterpretation of the law.33,34 In the case of Estonia, such an explanation can be completely rejected: the data protection law provides for almost no mechanisms to process sensitive personal data for scientific and statistical purposes. Where, de jure, this might be possible, it is rejected by the custodians of the law. Notwithstanding the right of a country to enact stricter laws than in the Directive, it is at least plausible that their actions are ultra vires under European law, given the suggestion that ‘national laws which attempted to provide a stricter standard of privacy protection by not recognizing or limiting’ the Directive 95/46/EC exemptions ‘would breach the Directive’.26

The consequence of this situation is that the work of population-based medical registries and epidemiological research in Estonia is being seriously hampered. This inevitably impedes the development of evidence-based health policies, which in the best of circumstances can be difficult. Worse, it creates a situation in which powerful interest groups can easily conceal hazards to health.35

A regressive experiment is being undertaken in Estonia today. The outcome will determine whether medical registries and epidemiological research can survive the implementation of a law that is claimed to protect the fundamental rights of individuals in Estonia, but which actually does the exact opposite, by creating insurmountable obstacles to the development and monitoring of policies to improve their health.


    Acknowledgements
The research of M.R. at the institute is financed by the Estonian Ministry of Education and Science target funding (SF 0940026s07). Many thanks to Edward Gelb, Ilmar Part and Michel Coleman for their valuable comments on an earlier draft of this article.


    References
1 McKee M, Mossialos E, Baeten R, eds. The Impact of EU Law on Health Care Systems (2002) Brussels: Peter Lang.

2 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. OJEC (1995) 38(L. 281):31–50.

3 Bang O. EC proposal for directive can destroy the possibilities of cancer research. Eur J Cancer (1992) 6/7:1012–13.

4 Knox EG. Confidential medical records and epidemiological research. Br Med J (1992) 304:727–28.

5 Walker J. Government Statistical Service views on the European Community draft data protection directive. J R Stat Soc [Ser A] (1993) 156:335–38.

6 Lynge E. European directive on confidential data: a threat to epidemiology. Br Med J (1994) 308:490.

7 Adami HO. A paradise for epidemiologists? Lancet (1996) 347:588–89.

8 Rosén M. A Finger on the Pulse – Monitoring Public Health and Social Conditions in Sweden 1992–2002 (2003) Stockholm: National Board of Health and Welfare.

9 McKee M, MacLehose L, Nolte E, eds. Health Policy and European Union Enlargement (2004) Buckingham: Open University Press.

10 Personal Data Protection Act 1996. Available at: http://www.esis.ee/legislation/protection.pdf (Accessed on December 20, 2007).

11 Rahu M. Disease maps: travels from the Glavlit era up today. [In Estonian]. Publicationes Instituti Geographici Universitatis Tartuensis (2004) 89:195–208.

12 Privireal. Data protection by country. Available at: http://www.privireal.org/content/dp/countries.php (Accessed on December 20, 2007).

13 Karpa K, Piirsalu J. State collects intimate secrets of women. [In Estonian]. In: Eesti Päevaleht (1998) September 18.

14 Do we kill national statistics and research? [In Estonian]. In: Postimees (2004) March 24.

15 Parkin DM, Chen VW, Ferlay J, et al. Comparability and Quality Control in Cancer Registration. In: IARC Technical Report No. 19 (1994) Lyon: IARC.

16 Parkin DM, Whelan SL, Ferlay J, et al, eds. Cancer Incidence in Five Continents. Vol. VIII. In: IARC Scientific Publications No. 155 (2002) Lyon: IARC.

17 Coleman MP, Gatta G, Verdecchia A, et al. EUROCARE-3 summary: cancer survival in Europe at the end of the 20th century. Ann Oncol (2003) 14(Suppl 5):v128–49.

18 Rahu M. Cancer epidemiology in the former Soviet Union. Epidemiology (1992) 3:464–70.

19 Davis C. Commentary: the Health Crisis in the USSR: reflections on the Nicholas Eberstadt 1981 review of Rising Infant Mortality in the USSR in the 1970s. Int J Epidemiol (2006) 35:1400–5.

20 Roberts L, Wilson S. Argument for consent may invalidate research and stigmatise some patients. Br Med J (2001) 322:858.

21 Puska P, Helasoja V, Prättälä R, et al. Health behaviour in Estonia, Finland and Lithuania 1994–1998. Standardized comparison. Eur J Public Health (2003) 13:11–17.

22 Rahu M, Rahu K, Baburin A. The mortality register of Estonia: its formation and utilization of data for research. [In Estonian]. Eesti Arst (2006) 85:449–55.

23 Kukk U. Data Protection Inspectorate – whose friend, whose enemy? [In Estonian]. In: PowerPoint presentation on November 25 (2003) Available at: http://www.aripaev.ee/temp/seminar/25112003/seminar.html (Accessed on December 20, 2007).

24 Lillemaa PF. Remarks on the draft Personal Data Protection Act. [In Estonian]. Juridica (2002) 7:447–52.

25 Riigikogu. Resumption of second reading of the draft Termination of Pregnancy and Sterilisation Act (900 SE). [In Estonian]. (1998) Tallinn: Riigikogu. Available at: http://web.riigikogu.ee/ems/stenograms/1998/10/t98102105-01.html (Accessed on December 20, 2007).

26 Greenleaf G. The European Privacy Directive – completed. In: PLPR (1995) 2:52. Available at: http://www.austlii.edu.au/au/journals/PLPR/1995/52.html (Accessed on December 20, 2007).

27 Pearce G, Platten N. Achieving personal data protection in the European Union. J Common Mark Stud (1998) 36:529–47.

28 Rahu M, McKee M. Effect of Estonian law on prospects for public health research [letter]. Lancet (2003) 362:2122.

29 Gabriel SE. Threats to population-based research. Curr Opin Rheumatol (1997) 9:87–89.

30 Pommerening K, Miller M, Schmidtmann I, Michaelis J. Pseudonyms for cancer registries. Methods Inf Med (1996) 35:112–21.

31 Praust V. On the legality of data sets, or from computer to prison bars. [In Estonian]. Arvutimaailm (1997) (10):12–17.

32 Mathieson S. Data protection in the new Europe: interview with Estonia's data protection chief, Urmas Kukk. In: Infosecurity Today (2004) (July–August) [Digital edition: Features & Contents.]. Available at: http://www.infosecurity-magazine.com/features/julyaug04/data_julyaug.html (Accessed on December 20, 2007).

33 Coleman MP, Evans BG, Barrett G. Confidentiality and the public interest in medical research – will we ever get it right? Clin Med (2003) 3:219–28.

34 Iversen A, Liddell K, Fear N, et al. Consent, confidentiality, and the Data Protection Act. Br Med J (2006) 332:165–69.

35 Olsen J. The European Union ponders the tasks of conducting epidemiologic research. Epidemiology (1995) 6:460–61.

