MEDICINE, LAW & SOCIETY Vol. 11, No. 1, pp. 29-46, April 2018 Patients’ genetic data protection in Polish law and EU law – selected issues KINGA MICHAŁOWSKA & KAROL MAGOŃ 3 Abstract The article entitled “Patients’ genetic data protection in Polish law and EU law – selected issues” presents issues related to the protection of patients' rights and focuses on the legal basis for genetic testing and genetic data protection. Based on a comparison of regulations of international law and regulations on genetic tests introduced in foreign legal systems, the text analyzes the assumptions for the draft of the Polish act on genetic tests performed for health purposes. It presents the patient's consent to testing, the scope of information provided to the patient, the right to disclose research results to related persons and the protection of genetic data. In reference to the regulations set out in other acts, it was noted that they do not guarantee the protection of information obtained as a result of research. Due to the particular nature of genetic data, they require increased protection, which can be guaranteed through implementation of the Act on Genetic Research. In the final part, authors presented the most important achievements of the judicature of European Court of Human Rights in the field of genetic data protec- tion. Keywords: • genetic research • genetic data • protection of genetic data • patient's rights • medical documentation • CORRESPONDENCE ADDRESS: dr. hab. Kinga Michałowska, Cracow University of Economics, Civil and Business Law Department, ul. Rakowicka 27, pokój 173 A, 31- 510 Kraków, Poland, e-mail: michalowk@uek.krakow.pl. mgr Karol Magoń, Cracow University of Economics, Civil and Business Law Department, ul. Rakowicka 27, pokój 173 A, 31-510 Kraków, Poland, e-mail: karol.magon@uek.krakow.pl. DOI https://doi.org/10.18690/2463-7955.11.1.29-46.(2018) ISSN 2463-7955 © 2018 University of Maribor Press Available at http://journals.um.si/ 30 MEDICINE, LAW & SOCIETY K. Michałowska & K. Magoń: Patients’ genetic data protection in Polish law and EU law – selected issues 1 Introduction The protection of patients' rights covers issues rooted in the basic area of protection of the existential rights of an individual - the right to dignity. Their complex character is noticeable not only in the diversity of patients' rights, but also in the complex way they are constructed. In the vertical plane, protected by of the Constitution of the Republic of Poland in the form of the right to health guaranteed to every person, the patient's rights are protected in relation to public, institutional medical entities, and in a horizontal plane, in the system of two equal legal entities – the relation between the patient and the doctor. The protection of patients' rights is guaranteed both by international law and internal regulations. Together they, in a fairly uniform manner, protect the patient's personal interests in broadly understood medical activities undertaken in connection with prevention, diagnosis, treatment and rehabilitation. At each stage, interventions into a wide range of patients' rights subject to universal protection and protections of their personal rights are possible. If we limit ourselves only to diagnostics, it should be emphasized that the actions undertaken within this scope involve subjecting the patient to examination, among which genetic testing is of particular importance. The specificity of genetic testing is that the genetic data revealed as a result contain detailed information on the genetic characteristics of both the patients and the persons related to them. As a result, the genetic diagnosis of the patient should be subjected to detailed legal regulations which would guarantee the safety and protection of genetic information of the patients. This particularly sensitive area of medical activities is unfortunately not covered by the statutory regulation in Polish law, which makes it necessary to refer both to the regulations of international law and medical laws of given countries. Due to the fact that Poland, similar to Slovenia, does not have specific regulations regarding genetic protection, the area of protection remains difficult to determine. The aim of the article is to indicate the risks associated with the existing legal loophole in the area of protection of the genetic data of the patient. The presented research includes the analysis of international law, genetic regulations in foreign legal orders and national medical legislation and the draft of the Polish Act on Genetic Tests Performed for Health Purposes. The issues of the legal nature of genetic testing and genetic data, international protection in the field of genetic testing, patient's consent for genetic testing, information provided in connection with testing, availability of the patient undergoing examination in terms of information disclosure and protection of genetic data obtained during the study will be considered. The complement to the subject is the analysis of judgements of the European Court of Human Rights regarding the principles of patient access to genetic data, which constitute a specific type of medical information and the rules of collecting and processing these data by third parties, in the light of international law and EU law. MEDICINE, LAW & SOCIETY K. Michałowska & K. Magoń: Patients’ genetic data protection in Polish law and EU law – selected issues 31 2 Genetic testing in the context of the right to healthcare In a broad sense, genetic testing is a part of the general right to health protection, which is a subjective right of particular importance to the individual. 1 Their protection arises from the right to health, which is a fundamental right under Article 35 of the Charter of Fundamental Rights of the EU. This right not only determines the existential situation of a person, but also affects the possibility of exercising other rights and freedoms (Bartoszewicz, 2014, lex. el.). It is connected with other constitutionally guaranteed rights such as dignity and legal protection of life (Article 38 of the Constitution of the Republic of Poland). Its content is the possibility to use the healthcare system and the focus on preventing diseases. 2 In implementing the right to healthcare, the state should provide citizens with the opportunity to take preventive and diagnostic measures that are carried out through research, treatment and rehabilitation. The constitutionally guaranteed protection of the right to health is specified in the Act on Patient’s Rights and Patient’s Rights Spokesman of 6 Nov. 2008. The most important rights of the patient include: the right to health services, including life- saving services, to information on: health, the treatment undergone and the anticipated consequences of the use of a particular treatment method or its abandonment, the right to consent to medical treatments, the right to access medical records, the right to confidentiality and secrecy, and the right to private and family life. The person responsible for implementation of these rights is Patient’s Rights Spokesman. 2.1 The right to health protection with regard to diagnosis Narrowing the considerations on patients' rights to the diagnosis itself (from Greek diagnostikos) i.e. recognizing the diseases, it covers a diverse area of examination, in which laboratory diagnostics is a subgroup. It is the discipline of medicine, 3 which task is to determine the composition and biological and physicochemical parameters of blood and other materials collected from the patient. In Polish legislation, the basic legal act on diagnostic tests is the Act of 27 July 2001 on laboratory diagnostics, 4 which in Article 2 indicates that the laboratory diagnostics activities include: laboratory tests to determine the physical, chemical and biological properties as well as the composition of body fluids, secretions, excretions and tissues taken for prophylactic, diagnostic and therapeutic or sanitary and epidemiological purposes, microbiological laboratory tests of body fluids, secretions, excretion and tissues collected for prophylactic, diagnostic and therapeutic or sanitary and epidemiological purposes and activities aimed at establishing tissue compliance. The Act does not provide a separate category for genetic testing, which, together with other testing, falls within the material scope of Article 2. Therefore, the implementation of the right to health, in the field of genetic diagnosis must be assessed in the context of general regulations of medical laws. 5 32 MEDICINE, LAW & SOCIETY K. Michałowska & K. Magoń: Patients’ genetic data protection in Polish law and EU law – selected issues The Body for Molecular Genetic Research and Biobanking in a report commissioned by the Minister of Health recommended establishing genetic diagnostics as a separate research area. 3 International basis for genetic testing and genetic data protection Research related to the understanding of the human genome focuses around information contained within genes. Understanding the genome and decoding the information contained therein has made genetics one of the fastest-growing sciences. The new research techniques employed make it possible to see the change in how the medicine is practiced these days, when in many cases the diagnostic and therapeutic process is based on individualized genetic testing (personalized medicine). The basic legal act regarding genetic testing is the Convention for the Protection of Human Rights and Dignity of the Human Being with regard to the Application of Biology and Medicine of 4 April 1997 known as the Oviedo Convention, which does not use terms such as genetic research, genetic data or genetic traits, introducing only the term "predictive genetic tests". 6 In accordance with the definition in Article 12 of the Oviedo convention they are the tests that predict genetic diseases or which serve to identify the subject as a carrier of the gene responsible for the disease or to detect genetic predisposition or susceptibility to the disease – the only acceptable goal for carrying out such tests, according to the Convention, is health. 7 The explanatory report to the Oviedo Convention in Chapter 4 on the human genome emphasizes that areas of application of genetic technology include genetic tests and gene therapy serving as an example of medical research (Jasudowicz, Czepek & Kapelańska-Pręgowska, 2014: 39). The special status of genetic data and its importance for the protection of human rights was set out in Article 16 of the 4th additional protocol, according to which the right to protect data derived from the genetic test consitutes lex specialis in relation to the provisions of the European Convention on Human Rights, in particular to Article 8 and 10 of ECHR (Kapelańska-Pręgowska, 2011:329). In the attachment to Recommendation R(97)5 on the protection of medical data, two separate groups were indicated within the scope of personal data: the first is health data and the second one is genetic data. Health data is any personal data related to a person's health, including any data that has an obvious and close relationship to health or genetic data. Genetic data is the data about the hereditary characteristics of a person or related to such characteristics that constitute the heritage of a group of related persons. The definition implies that genetic data falls within the scope of health data. A similar position was expressed by UNESCO in the International Declaration on Genetic Data of 16 October 2003 (Jasudowicz, Czepek & Kapelańska-Pręgowska, 2014: 96), in which it was indicated that human genetic data is information about the hereditary characteristics of individuals obtained as a result of an analysis of nucleic acids or other scientific analysis (Article 2 item i). 8 According to Article 4 of the Declaration "Human MEDICINE, LAW & SOCIETY K. Michałowska & K. Magoń: Patients’ genetic data protection in Polish law and EU law – selected issues 33 genetic data has a special status because it can be predictive of genetic predispositions concerning individuals, may have a significant impact on the family, including offspring, and may contain information the significance of which is not necessarily known at the time of the collection of the biological samples". Interestingly, the declaration clearly stresses that genetic information is part of the overall spectrum of medical and proteomic data. Emphasizing the special nature of genetic data, 9 the declaration treats it as medical data (Michałowska, 2015: 314- 317). The UNESCO International Bioethics Committee (IBC) in a document entitled Report on Human Genetic Data postulates the necessity of introducing special protective regulations regarding genetic data, especially due to their intergenerational nature. 4 Genetic data and medical data The information contained within the human genome provides knowledge on the functioning of the organism, the development of diseases and the individual's susceptibility to those diseases as well as the response to the applied treatment. It is also used in the wider context of human procreation, where it gives a person a chance to conceive and give birth to a healthy offspring. For this reason it is extremely valuable and the access to it must be properly secured. This broad spectrum of its use indicates the need to ensure the genetic data protection at the statutory level. In Polish law, information about the genetic code (commonly referred to as genetic data) constitutes, along with health data, a special type of personal data which, in accordance with the Article 27 of the Act of 29 August 1997 on the Protection of Personal Data was classified as sensitive data. 10 Among the "specific categories of data processed" indicated therein were: racial origin, ethnic origin, political views, religious beliefs, philosophical beliefs, affiliation to trade unions, as well as processing of data concerning health and sexual activities. 11 When comparing the scope of Article 27 section 1 of Protection of Personal Data and Article 8 of the Directive 95/46/WE on data protection, 12 it is easy to notice that the Polish legislator decided to expand the catalog of sensitive data to include within its scope, among others, the genetic data, which was referred to as the genetic code. While the separation alone deserves recognition, it is doubtful whether the term "genetic code" should have been used instead of the term "genetic data", which is commonly used in literature and judicature. Separation of genetic data (genetic code), in addition to health data, was intended to emphasize its special character, and at the same time to signal that the ranges of both types of data should be considered as separate. In practice, however, it turns out that health data and genetic data are both included in a common medical documentation, which does not differentiate between the two, blurring their statutory distinctions. It is common to use the collective term "medical data". This 34 MEDICINE, LAW & SOCIETY K. Michałowska & K. Magoń: Patients’ genetic data protection in Polish law and EU law – selected issues situation makes one wonder what the relationship between them is and whether the protection of genetic data is sufficient. Problems related to defining medical data encourage to refer to Recommendation No. R(97)5 CMCE on the protection of medical data. According to Article 1 of the recommendation medical data refer to all data relating to the health of an individual, as well as data that in obvious and close way is related to health and genetic data. The concept of genetic data is included in the UNESCO International Declaration on Genetic Data, in which it was indicated that human genetic data is information about the hereditary characteristics of individuals obtained as a result of analysis of nucleic acids or other scientific analysis (Article 2 item i). In addition to genetic data, the declaration distinguishes proteomics, which is information related to the proteins of an individual, including information on their expression, modification and interaction (Article 2 item ii). The declaration clearly stresses that genetic information is part of the overall spectrum of medical data and proteomic data. Emphasizing the special nature of genetic data, 13 the declaration includes it within the scope of medical data (Jackowski, 2002: 27). It should be therefore recognized that medical data is not only information that directly informs about the state of health, but also information from which such information can be derived. The scope of the term "medical data" is therefore broader than of the term "health data" (Jackowski, 2002: 26, differently Mednis 1999: 169). In the light of the documents indicated, it also includes genetic data. In connection with the broad material scope of medical data covered in this way, a question arises about the relationship between this data and the data that relates to the genetic features of a person and how such data is protected. 4.1 Genetic data in medical records In Poland, despite the separation of data regarding health status and genetic data (genetic code) in the Act on the protection of personal data, due to the recognition of both of these types of data within the category of medical data, such data is collected in medical records that constitute a collection of information about the patient's health status. According to Article 23 section 1 of the document, the medical documentation includes information on the patient's state of health and medical benefits provided for the patient. Details of the scope and types of medical documentation are specified in the Regulation on Medical Records. According to § 2 of the Regulation cited, two basic types of documentation have been distinguished: individual documentation and collective documentation; individual documentation, in turn, distinguishes between internal and external documentation. 14 In practice, the medical documentation includes information about research, including genetic research and genetic tests, past diseases, including genetic MEDICINE, LAW & SOCIETY K. Michałowska & K. Magoń: Patients’ genetic data protection in Polish law and EU law – selected issues 35 diseases, medical services received, about past or planned medical procedures to which a patient suffering from a genetic disease or a chronic disease is subjected to, including procedures involving genetic modification of the profile of a person or interfering with a specific gene or group of genes, therapies and prognosis for the future (Krekora-Zając, 2014: 250-252). In addition, information about the applied treatment includes information about the gene therapy used or planned for the future 15 and the prognosis for the future (Barańska, Skrętkowicz, 2007: 305–306, Podolska, 2008 el.). The medical documentation presented in such way makes it impossible to distinguish and sufficiently protect genetic data. This state clearly indicates the need to address the issue of genetic data and genetic testing in a separate act. 4.2 Genetic data protection under General Data Protection Regulation Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing of Directive 95/46/EC (hereinafter as: "GDPR") is valid from May 17, 2016 and it will become enforcable directly in all EU Memebr States national legal systems from May 25, 2018. The regulation will bind all those who process personal data in connection with their business. This regulation introduces a number of changes and extends the responsibilities of administrators and data processors. The purpose of the new regulations is also to provide individuals and supervisory authorities with effective tools to respond to violations of the regulation. It is also very important for entrepreneurs to set a maximum level of penalties for infringements, which can reach up to 20,000,000 euros or 4% of the global annual turnover of an entrepreneur from the pre-infringement financial year. According to Article 4 paragraph 13 of the GDPR: 'genetic data’ means “personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question". In this scope every genetic data under the GDPR should be percived also as‘data concerning health', which under the GDPR is defined as "personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status". The great advantage of GDPR is the introduction of a unified definition of 'genetic data' into the law systems of the EU Member States and a clear inclusion of processing such data under regulations of the GDPR. 5 Genetic testing and protection of genetic data under the legislation of selected European countries and in Poland. The issue of legal regulation of genetic testing has been comprehensively regulated in some European countries. One of the more detailed regulations is the German act 36 MEDICINE, LAW & SOCIETY K. Michałowska & K. Magoń: Patients’ genetic data protection in Polish law and EU law – selected issues titled Gesetz uber genetische Untersuchungen bei Menschen – Gendiagnostikgesetz from 31 June 2009, in which, along with the definitions contained in general provisions in § 3, reference was made to the patient's consent to genetic testing (§ 8 of the Act), information and its scope (§9), genetic counseling (§9) as well as to providing access to and protecting genetic data (§ 11 and 12). The principle of autonomy adopted by the German legislator indicates the patient as the sole owner of the patient's genetic data, and a possible condition for the disclosure of the results of genetic testing is a written agreement which indicates persons to whom the access to the results can be granted. The Act also regulates the issues of genetic testing relating to the origin of a person, genetic testing in the insurance sector and genetic testing related to employment. The spectrum of protection outlined in it emphasizes the hypersensitive nature of data which should receive special protection. Genetic testing and protection of genetic information is also regulated in the Czech Act of 1 November 2011 on special healthcare activities, and the issue of genetic testing is discussed in title 2 of part 6. According to § 28 of the Act, genetic tests include clinical and genetic laboratory tests, and their goal is to determine the probability of the occurrence and development of a genetic disease in a patient and in patient's children. The laboratory genetic tests listed in the Act include the analysis of the structure and function of the human genome for possible changes. Legality of the tests conducted depends on the patient's consent and provision of appropriate medical documentation. According to § 28 item 9, genetic tests may be performed for health purposes, in particular to diagnose genetic diseases, congenital genetic defects or acquired genetic changes, to determine indicators for the predisposition to genetic diseases and to optimize the treatment undertaken. In turn, § 28 item 10 indicates that the condition for the effectiveness of genetic testing is the patient's written consent expressed as a cosequence of receiving, by the patient, detailed information about the purpose, nature and impact on the patient's health as well as the risk to the persons related (item 10 a). The Act also indicates the people – relatives considered to be at significant genetic risk (§ 28 items 11 a and b). The Czech Act also regulates issues concerning the technical aspect of the quality of genetic tests performed. Detailed issues regarding genetic testing and protection of data obtained as a result of their implementation are regulated by the Spanish Act of 3 July 2007 on Biomedical Research. According to Article 3 item a of the Act, genetic analysis includes research undertaken in order to determine the presence or absence of genes responsible for the existence of any genetic diseases or their occurrence in the future. Genetic analysis is carried out on the basis of genetic testing. In Article 4 the Act indicates that the basic principle adopted for genetic testing is to ensure full autonomy of the patient. It is implemented by a conscious and informed consent. According to Article 4 item 1, the Spanish legislator has provided written consent, the effectiveness of which depends on the information previously provided. Interestingly, the Spanish legislator introduces the requirement of providing MEDICINE, LAW & SOCIETY K. Michałowska & K. Magoń: Patients’ genetic data protection in Polish law and EU law – selected issues 37 information in writing adapted to the patient's perception with possible exceptions, conditioned by the individual predispositions of the patient. As in other countries, consent to genetic testing is revocable at all times, and the revoking does not cause any adverse effects for the medical services provided for the patient (Article 4 item 4). The Spanish law introduces stringent provisions regarding the protection of personal data, privacy and confidentiality. The limit for the use of information on genetic testing is based on the consent given by the patient (Article 5 item 3). In addition to the protection indicated in the Act on biomedical research, the privacy and confidentiality of personal data of people undergoing testing is subject to protection guaranteed by the Spanish Act on Personal Data Protection (Article 5 section 1). In a similar way, the rules for genetic testing and protection of data obtained as a result are regulated by the French Act of 7 July 2011 titled Relative a la bioethique. i 5.1 Disclosure of genetic data to related persons If we limit ourselves to issues concerning the possibility of disclosing genetic data outside the scope of patient's consent, it is necessary to indicate the regulations included in the Swiss law and legal regulations of the United Kingdom. The Swiss Act of 8 October 2004 ii , Sur l'analyse génétique humaine (LAGH), provides for the possibility of exemption of a physician from the obligation of confidentiality by a specially appointed body, in the situation where it is required in order to protect "the overriding interests of family members, spouse or partner". In cases of doubt, there is also the possibility of consulting the Committee of Experts on Genetic Analysis of a Person (Article 19). The possibility of disclosing genetic information can also be noted in the United Kingdom, although the obligation to maintain secrecy and medical confidentiality can be traced back to common law. The obligation to preserve the confidentiality of genetic data is often in contradiction with the obligation to counteract damage, the breaching of which may serve as a premise for tort liability. Despite the lack of unanimity, Human Genetics Commission (Human Genetics Commission, 2002) believes that disclosure of sensitive genetic data for the benefit of family members may be justified in some circumstances, e.g. when the patient refuses to disclose such data and the benefit of disclosing the data significantly exceeds the patient's interest in maintaining confidentiality. In the aforementioned Spanish Act on biomedical research, the possibility of disclosing information is allowed when the results of genetic tests indicate a high risk of the occurence of a genetic disease in relatives of the patient. The scope of the information provided must be limited to what the act defines as "data necessary for the transmission of information" (Article 4 item 5). In addition, the condition for 38 MEDICINE, LAW & SOCIETY K. Michałowska & K. Magoń: Patients’ genetic data protection in Polish law and EU law – selected issues providing information is the prior consultation with a specially appointed body (a committee). 5.2 Polish draft of the Act on Genetic Tests Performed for Health Purposes. Due to the lack of detailed regulations on genetic testing and genetic data in Polish law, The Body for Molecular Genetic Research and Biobanking presented a Report containing assumptions for the draft of the Act on Genetic Tests Performed for Health Purposes. The project has clarified the scope of the definition in Article 3 indicating that the term "genetic testing" means any study aimed at determining pre- or postnatal genetic traits. "Genetic characteristics" have been defined as genetic information inherited during fertilization or otherwise acquired during individual development. "Diagnostic genetic testing" should only be carried out to determine the existence of a disease or health condition, assess the possible presence of genetic traits that together with external factors can cause disease or some health problems, assess the prevalence of genetic traits that may affect the reaction to drugs and to assess the occurrence of genetic features that can completely or partially prevent the disease or a health problem. The project assumes a very broad definition of "genetic data" indicating it to be every piece of data related to any genetic features that have been obtained through genetic testing. Based on the Chapter 2 of the Oviedo Convention, the authors of the draft postulate that the patient's written consent should be a condition necessary for securing the patients' rights in the field of genetic testing. Such consent should be expressed both for conducting a genetic test and for collecting genetic material 16 recognized as a prerequisite for carrying out a genetic test. In addition, the consent should include a decision regarding the scope of genetic testing, as well as the right to decide on whether the test results should be disclosed. Although the first two sentences of the Article 8 section 1 of the project do not raise any doubts, the proposed universal nature of the consent and the fact that it would cover every genetic test is debatable. It should be emphasized that the condition for the effectiveness of consent is its clarification and provision of references to a specific action, otherwise it is reduced to a blanket consent (Michałowska, 2014: 36). The consent given by the patient can be withdrawn at any time, and this fact should be immediately recorded in the patient's medical records. The condition for the effectiveness of the consent of the patient undergoing genetic testing is that the physician ordering the examination provides a personalized information that takes into account the situation of a particular patient. According to Article 9 of the project, the scope of information should include explanations as to the nature, meaning and scope of the genetic test, including the right to information about the results of the test and the right to consciously resign from obtaining such information, including the right to demand the destruction of the test MEDICINE, LAW & SOCIETY K. Michałowska & K. Magoń: Patients’ genetic data protection in Polish law and EU law – selected issues 39 results. The project also draws attention to the importance of genetic counseling related to the interpretation of the research results obtained (Article 10 of the project). Due to the nature and scope of information obtained as a result of genetic testing, particularly important is the way the genetic data obtained is dealt with 17 . The Body recommended the principle of the autonomy of the patient, stressing that the results of the genetic test can be disclosed only to the person directly involved in the testing, the physician commissioning the testing and the doctor providing genetic counseling. In the statement of reasons to the bill, it was emphasized that the adopted principle pursues the basic purposes of genetic diagnostics for medical purposes and does not cause objectification of the patient. In addition, it does not limit the scope of assistance provided to the patient. Due to the fact that the results of genetic tests may refer to the state of health or predisposition to a specific genetic disease of a person related to the patient, it is important for the relatives to receive appropriate information. The principle of autonomy adopted in the project indicates that the disclosure or non-disclosure of test results to persons related to the patient and members of the immediate family is decided by the scope of the patient's consent. In the event that the patient withdraws the consent or takes advantage of the request to destroy the test results, the information would not be disclosed. In a situation where the patient agreed to store or disclose test results, the project assumes that such information would be stored for 30 years and that this period should be extended at the explicit request of the patient. After the indicated periods the results should be destroyed. If the consent is withdrawn or the results of the tests are destroyed, the test results would not be disclosed. The practical application of the provisions envisaged in the project of the Act will contribute to ensuring safety both in relation to clearly defined health indications for the conduct of the study, the conditions of their conduct and entities authorized to carry out genetic tests. The principle of consent for the study proposed in the project, with the specification of its subject and the detailed information provided to the patient, makes that the genetic testing correspond to the same standards of protection of the tested entity as other medical treatments. In addition, due to the special nature of genetic data, the project of the Act resolves the problem of access to research results and data storage rules, ensuring their safety. At present, genetic information obtained as a result of genetic testing is stored in the patient's medical records, which makes access to them much wider (e.g. an attorney at the Social Insurance Institution has access to this data, the medical examiner from other insurers has access to this data, etc.). 40 MEDICINE, LAW & SOCIETY K. Michałowska & K. Magoń: Patients’ genetic data protection in Polish law and EU law – selected issues 6 Protection of genetic data in European Court of Human Rights case law In the European Court of Human Rights (hereinafter referred to as: ECHR) case law, medical information constitutes special kind of personal data, 18 which proper processing guarantees respect for the right of every human being to protect his privacy, stated in Article 8 of the European Convention on Human Rights. 19 Medical data should be understood as any information that directly or indirectly concerns the patient's state of health or information about health services provided or intended to be provided to a given patient. 20 Genetic data as a set of information about the genetic code of a given natural person 21 constitute medical information of a specific patient. An analysis of the ECHR's jurisprudence allows conclusion that in connection with the circulation of genetic data of a given natural person, there may be both negative and positive obligations on the side of both the signatory state of the convention and any administrator of such data. Above all, the ECHR obliges public authorities not to interfere with the exercise of the right to decide on the disclosure or other processing of genetic data of everyone to whom they relate. In general, the processing of medical records, that is: collection, recording, storage, development, alteration, sharing and disposal, can only take place with explicit consent of the patient. However, this is not an absolute right, because a convention allows for its limitation in strictly defined exceptional situations, in particular when it is required by ensuring state security, public security or economic prosperity, guaranteeing order protection and preventing crime, health protection and morality or protection of rights and freedom of other people. Such deprivation of the patient's right to decide on his genetic data can only take place on the basis of the proper Act, respecting the principle of proportionality, i.e. the appropriate balance of the two conflicting values and when it is necessary in a democratic society. 22 The above- mentioned values, for which the patient's right may be limited, constitute a fairly wide catalogue, therefore, in order to limit the possibility of state abuses to overly restrict patient rights, the ECHR in its caselaw indicates the circumstances that must be additionally fulfilled as part of lawful processing of these data. 23 According to the patient's right to decide on the collection and processing of genetic data, patient has the right to access such data and request removal and the hospital may refuse to disclose or remove only by showing “valid reasons” – “it is rather the authorities to demonstrate the valid reasons for refusing copies of such documents" [see judgment of 19 October 2005 in Case No. 32555/96, Roche v. the United Kingdom]. In the mentioned judgment, the Court continues: "The Court will have regard to a fair balance, which must be maintained between the general interest of the society and the competing interests of the person concerned, with the objectives referred to in the second paragraph of Article 8 ECHR have a specific meaning. In particular, such a positive obligation arose as regards the provision of an 'effective MEDICINE, LAW & SOCIETY K. Michałowska & K. Magoń: Patients’ genetic data protection in Polish law and EU law – selected issues 41 and accessible procedure' enabling complainants to access all relevant and relevant information. In many judgments, the ECHR also referred to the principles of sharing special category personal data with third parties. In its judgment of 4 December 2008 in the case S. and Marper v. The United Kingdom, the ECHR indicated that the entity processing such data “ (...) must also provide sufficient guarantees that the personal data preserved is effectively protected against misuse and abuse (...)”. In addition, national law must provide adequate safety standards to prevent any personal data being used contrary to the guarantees of art. 8 ECHR. “(...) The need for such safeguards is all the greater in the case of protection of personal data subjected to automatic processing, and especially when these data are used by the police. National law should in particular ensure that such data is relevant and commensurate with the purpose for which it is processed; and kept in a form which permits the identification of the persons to whom they relate, no longer than it is necessary for the purpose for which the data are stored.” 24 In its judgments, the ECHR often refers to EU law, in particular to Article 8 sec. 3 of Directive 95/46/EC, which allows the processing of medical data when it is required for preventive medicine, medical diagnosis, care or treatment, or health care management. However, data processing is allowed only if it is processed by a health care professional subject to professional secrecy or another person subject to an equivalent obligation. 25 The Recommendation RE on medical records of 1997 uses the principles contained in Convention no. 108 26 more specifically to process data in the medical field. The proposed provisions are in line with the provisions of the Directive 95/46/EC with respect to the legitimate purposes of processing medical data, professional secrecy obligations that should be imposed on persons using health data, as well as the rights of data subjects, transparency and access, improvement and deleting data. In addition, medical data processed lawfully by health professionals may not be transferred to law enforcement authorities unless “sufficient safeguards are provided to prevent disclosure incompatible with [...] private life guaranteed by Article 8 ECHR”. 27 For reasons to store data when they are no longer needed, scientific research 28 is explicitly recognized, although anonymisation is usually required. 29 Taking above mentioned under consideration, ECHR caselaw recognises genetic data as special category personal data, which in an extraordinary way requires processors to provide secure and sound procedures and requires also processors to proof of "important reasons" on which they refuse access to data to the patient. 30 In addition, the processor of patient’s genetic data should take special care to ensure that these data are not disclosed to third parties unlawfully. Each time the data processor should establish the conditions and a safe procedure for making a copy of the patient's medical documents available to third parties and this is its’ burden of proof not the patient’s. 42 MEDICINE, LAW & SOCIETY K. Michałowska & K. Magoń: Patients’ genetic data protection in Polish law and EU law – selected issues 7 Conclusions The right to protection of genetic data is one of the fundamental rights of every patient and its source is the inherent and inalienable dignity of every human being. This right is granted to every patient irrespective of their origin, race, age or gender regardless of the stage on which the medical service is provided, both as part of activities undertaken in connection with prevention, diagnostics, treatment and rehabilitation. The area of genetic diagnostics is particularly sensitive. Therefore, the genetic diagnosis of the patient should be subjected to detailed legal regulations, providing the subjects with safety and protection of genetic information. This particularly sensitive area of medical activities is unfortunately not covered by the statutory regulation in Polish law, which makes it necessary to refer both to the regulation of international law and national medical laws. In Polish legislation, the basic legal act regarding diagnostic tests is the Act of July 27, 2001, on laboratory diagnostics, which does not distinguish as a separate category of genetic diagnosis. Such an approach in the light of global tendencies to include special protection of such patient data should be critically assessed. The basic international legal act on genetic research is the Convention of 4 April 1997 on the protection of human rights and dignity of the human being against the use of biology and medicine (Convention on Human Rights and Biomedicine, EKB), which introduce the concept of "forecasting tests" to the international legal order and Recommendation R (97) 5 of the Committee of Ministers of the Council of Europe regarding the protection of medical patients (adopted by the Committee of Ministers on February 13, 1997 during a 584 meeting of the Ministers Delegates), which treats genetic data as a special kind of data about the health of the patient. In addition, the special status of genetic data and their importance is underlined in art. 16 IV of the Additional Protocol, according to which the right to data protection resulting from the genetic test is the lex specialis in relation to the provisions of the European Convention on Human Rights, in particular to art. 8 and 10 ECHR. In Polish law, information on the genetic code, along with health data, constitute a special type of personal data which, according to art. 27 paragraph of 29 August 1997, on the protection of personal data have been included into special category data. However Polish law does not regulate a separate procedure for the processing of genetic data other than that associated with medical documentation. This state clearly indicates the need to include genetic data and genetic research in a separate act. The genetic testing has been already comprehensively regulated in some European countries. Among others in German, Czech, Spanish or French law. As part of the framework over a normative act in this regard, Poland should take advantage of the already well- functioning regulations in other EU countries, in particular from the German solutions due to the similarities between the two legal orders. MEDICINE, LAW & SOCIETY K. Michałowska & K. Magoń: Patients’ genetic data protection in Polish law and EU law – selected issues 43 Notes 1 The majority of case law recognizes the right to health protection within the category of subjective law, cf. the judgment of the Constitutional Tribunal of 23 March 1999, K 2/98, OTK 1999, No. 3, item 38, in which the Constitutional Tribunal pointed out that the Article 68 section 1 indicates that "it is necessary to derive the subjective right of the individual to health protection and an objective order of public authorities to take such actions as are necessary for proper protection and implementation of this right. 2 Judgment of the Constitutional Tribunal of 7 Jan 2004, K 14/03, Dz. U. from 2004, No. 5, item 37. 3 Pursuant to the Ordinance of the Minister of Health of 1 April 2009 amending the ordinance on the specialization and obtaining the title of specialist by laboratory diagnostics, four new basic areas applicable in laboratory diagnostics have been introduced: laboratory medical diagnostics marked with the symbol 020, laboratory medical genetics marked with the symbol 021, laboratory medical hematology marked with the symbol 022 and laboratory medical immunology marked with the symbol 023. 4 There are plans to amend the Act, because, as the result of the order of Minister of Health of February 22, 2017, the Body for the drafting of the Act amending the Act on Laboratory Diagnostics was established. (Official Journal of the Ministry of Health of 2017, item 19) subsequently amended by the Ordinance of the Minister of Health of 22 December 2017 (Official Journal of the Ministry of Health of 2017, item 130). The Body is obliged to submit a draft act amending the Act on Laboratory Diagnostics by 30 June 2018. 5 One of key medical analysed is the Act of 6 November 2008 on Patients' Rights and the Patient's Rights Spokesman (i.e. Dz. U of 2017, item 1318), the Act of 5 December 1996 on the Professions of a Doctor and a Dentist (i.e. Dz. U of 2017, item 125). 6 Convention of 4 April 1997 for the Protection of Human Rights and Dignity of the Human Being with regard to the Application of Biology and Medicine: Convention on Human Rights and Biomedicine; Poland signed the Convention on 7 May 1999, but has not yet ratified it. The content of the convention and its additional protocols (in:) T. Jasudowicz, J. Czepek & J. Kapelańska-Pręgowska, Międzynarodowe standardy bioetyczne. Dokumenty i orzecznictwo [International bioethical standards. Documents and case law], Warsaw 2014. 7 The content of the 12 Convention clearly indicates that, even with the consent of the person concerned, tests cannot be carried out for purposes other than those indicated therein, and the guidance contained in the explanatory report to the Convention confirms this position (item 82 and item 85). 8 In addition to genetic data, the declaration also distinguishes proteomic data, which are information related to the individual's proteins, including their expression, modification and interaction (Article 2 item ii). 9 The particular nature of genetic data is due to the fact that they are important not only for the person concerned, but also for the family members of that person. 10 Act of 29 August 1997 on the Protection of Personal Data (i.e. Dz. U of 2016 item 922 as amended). According to Article 6 section 1 of the Act, personal information is every item of information about an identified or identifiable natural person. According to Article 6 section 2, an identifiable person is a person whose identity can be determined directly or indirectly, in particular by refererring to their identification number or one or more specific factors describing their physical, physiological, mental, economic, cultural or social features. The text of Article 27 section 1 of the Act was based on Article 8 of the Directive 95/46/EC of the European Parliament and of the Council of 24 Oct 1995 on the protection 44 MEDICINE, LAW & SOCIETY K. Michałowska & K. Magoń: Patients’ genetic data protection in Polish law and EU law – selected issues of individuals with regard to the processing of personal data and on the free movement of such data (Official Journal of the UE L No. 281, p. 31). 11 Article 27 section 1 of Data Protection data deemed as sensitive relates to any information revealing racial or ethnic origin, political views, religious or philosophical beliefs, religious, party or trade union affiliation as well as information on health status, genetic code, addictions or sexual life and data on convictions, judgments imposing punishments and penalties, as well as other judgments issued in court or administrative proceedings. In accordance with section 2, an identifiable person is a person whose identity can be determined directly or indirectly, in particular by refererring to their identification number or one or more specific factors describing their physical, physiological, mental, economic, cultural or social features. 12 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23.11.1995, pp. 31–50). 13 Additionally, article 8 in section 5 of Directive 95/46/EC states that the processing "data relating to criminal offenses, convictions or security measures" may only be carried out under the control of official authorities or if national law guarantees appropriate specific safeguards. "However, a complete register of offenses may only be kept under the control of an official authority". 14 The particular nature of genetic data is due to the fact that they are important not only for the person concerned, but also for the family members of that person. 15 § 10 section 5 regulation shows that the individual documentation includes information on health and disease as well as diagnostic, therapeutic, nursing or rehabilitation processes, in particular: description of health services provided, diagnosis of the disease, health problem, injury or pregnancy, recommendations, information on decisions issued, opinions or medical certificates, information on medicines along with the dosage or medical devices prescribed to the patient on prescriptions or orders for the supply of medical devices. The internal individual documentation is intended for the needs of the entity providing health services, and the external individual documentation is intended for the patient benefiting from health services. 16 Treatments performed as part of genetic engineering, gene isolation and recombination, transplantation with the use of genes, cf. A. Muszala, Wybrane zagadnienia etyczne genetyki medycznej [Selected ethical issues of medical genetics], Kraków 1998, p. 32 forward. 17 In the explanatory memorandum to the Report, it was underlined that "the sensitivity of information obtained through genetic tests requires the creation of legal instruments enabling its protection", Raport, p. 10. 18 For “special category data” definition see: Article 6 of The Council of Europe Convention of 1981 for the protection of individuals with regard to automatic processing of personal data (“the Data Protection Convention”). 19 See, inter alia, judgment of the European Court of Human Rights of 29 April 2014, no. 52019/07, case LH vs. Latvia. 20 Judgment of 27 August 1997, no. 20837/92, MS vs. Sweden. 21 Article 4 point 13 of the European Parliament and Council Regulation (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement such data and the repeal of Directive 95/46/EC. 22 See: judgment of 7 June 1989, Case No. 10454/83, Gaskin v. the United Kingdom and judgment of 24 September 2002, Case No. 39393/98, M.G. against Great Britain. MEDICINE, LAW & SOCIETY K. Michałowska & K. Magoń: Patients’ genetic data protection in Polish law and EU law – selected issues 45 23 Judgment of 29 April 2014, Case No. 52019/07, L.H. v. Latvia, judgment of 10 October 2006, Case No. 7508/02, L.L., v. France, judgment of 27 August 1997, Case No 20837/92, M.S. against Sweden. 24 Judgment of 4 December 2008, Case of S. and Marper v. the United Kingdom. 25 Judgment of 25 November 2008, Case No. 23373/03, Biriuk v. Lithuania. 26 Council of Europe, Committee of Ministers (1997), Recommendation Rec (97)5 on the protection of medical data, "Recommendation Rec (97) 5 to the Member States on the protection of medical data", February 13, 1997. 27 Judgment of 6 June 2013, Case No. 1585/09, Avilkina and Others v. Russia, paragraph 53. 28 See: Directive 2011/24 / EU of the European Parliament and of the Council of 9 March 2011 on the application of patients' rights in cross-border healthcare, OJ L 145, 24.4.2011, p. L 88, 4.4.2011. 29 Article 29 (2007), Working document on the processing of personal data concerning health in electronic health records (EHR), WP 131, Brussels, 15 February 2007. 30 Judgment of 25 February 1997, Case No. 22009/93, Z. v. Finland. i Act of 7 July 2011, Relative a la bioethique, Loi no 814.2011. ii Act of 8 October 2004, Sur l'analyse génétique humaine, Loi no 810.2012. References Barańska M., Skrętkowicz J. (2007) Perspektywy terapii genowej [Prospects for gene therapy], Wiadomości Lekarskie, No. 7–8. Bartoszewicz M. (2014) Konstytucja Rzeczypospolitej Polskiej. Komentarz [Constitution of the Republic of Poland. Comment], In: M. Haczkowska (ed.), R. Balicki, M. Bartoszewicz, K. Complak, A. Ławniczak, M, Masternak-Kubiak, ed. 1. (Warsaw). Gendiagnostikgesetz vom 31/06 2009, BGBl. I S. 2529, 3672. Human Genetics Commission (2002) Inside Information, Balancing the Interests in Use if Personal Genetic Data (London). Human Tissue Act 2004, royal assignment November 15, 2004. IBC, Report on Human Genetic Data, available at: www.unesco.org/new/en/social-and- human. (April 17, 2018) Jackowski M. (2002) Ochrona danych medycznych [Protection of medical data] (Warsaw: Dom Wydaw. ABC). Jasudowicz T., Czepek J. & Kapelańska-Pręgowska J. (2014) Międzynarodowe standardy bioetyczne. Dokumenty i orzecznictwo [International bioethical standards. Documents and case law] (Warsaw: ABC). Kapelańska-Pręgowska J. (2011) Prawne i bioetyczne aspekty testów genetycznych [Legal and bioethical aspects of genetic tests] (Warsaw: Wolters Kluwer Polska). Krekora-Zając D. (2014) Prawo do materiału genetycznego człowieka [The right to human genetic material] (Warsaw: LexisNexis). Ley 14/2007 de Investigacion biomedical, Publicado en BOE núm. 159, 4.07.2007, texto unificado 2.12.2011. Ley Orgánica 15/1999, de 13 de diciembre, de Protección de Datos de Carácter Personal, BOE no. 298, 14/12 1999. Mednis A. (1999) Ochrona prawna danych osobowych a zagrożenia prywatności – rozwiązania polskie [Legal protection of personal data and threats to privacy - Polish solutions], In: Wyrzykowski, M. Ochrona danych osobowych [Personal data protection] (Warsaw: Inst. Spraw Publicznych). 46 MEDICINE, LAW & SOCIETY K. Michałowska & K. Magoń: Patients’ genetic data protection in Polish law and EU law – selected issues Michałowska K. (2014) Charakter prawny i znaczenie zgody pacjenta na zabieg medyczny [Legal character and meaning of patient's consent for a medical procedure], (Warsaw: Difin). Michałowska K. (2015) Wpływ danych medycznych i danych genetycznych na ocenę ryzyka ubezpieczeniowego w ubezpieczeniach na życie [The impact of medical data and genetic data on life insurance risk assessment], In: Gnela, B. & Szaraniec, M. (eds.) Informacja w prawie ubezpieczeń gospodarczych (Warsaw: Wolters Kluwer Polska). Muszala A. (1998) Wybrane zagadnienia etyczne genetyki medycznej [Selected ethical issues of medical genetics] (Cracow: Wydawnictwo Naukowe Papieskiej Akademii Teologicznej). Ordinance of the Minister of Health of 22 February 2017, JL of Ministry of Health 2017, item 8. Podolska K. (2008) Podstawy terapii genowej (terapia genowa) [Basics of gene therapy (gene therapy)], available at: http://www.biotechnolog.pl/podstawy-terapii-genowej- terapia-genowa (April 17, 2018) Recommendation R (97) 5 of the Committee of Ministers of the Council of Europe regarding the protection of medical patients (adopted by the Committee of Ministers on February 13, 1997 during a 584 meeting of the Ministers Delegates). Regulation of European Parliament and Council (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement such data and the repeal of Directive 95/46/EC. Regulation of the Minister of Health of 9 November 2015 on the types, scope and patterns of medical documentation and the manner of its processing (JL of 2015, item 2069). The Act of 27 July 2001 about laboratory diagnostics, i.e. JL of 2016, item 2245. The Act of 29 August 1997 on the protection of personal data, i.e. JL of 2016, item 922 with changes. The Charter of Fundamental Rights of the European Union, OJ.UE.C..2007.303.1, with amendments. Working document on the processing of personal data concerning health in electronic health records (EHR), WP 131, Brussels, 15 February 2007. Zákon o specifických zdravotních službách, from 6 November 2011, Zákon č. 373/2011 Sb.