Data Protection Legislation

Abstract

Data protection legislation regulates the acquisition, storage, transfer and processing of personal data of all kinds. The article introduces the key distinction between data security and wider data protection, and further explores the key legal requirements for data protection. The approach to data protection differs between the European Union and the United States. These differences and the rules for transfer of data between different data protection regimes are explained. In both Europe and the United States, personal health data are seen as a particularly sensitive type of data and they are therefore protected more strictly than most other types of data. This has implications for the type of consent needed to collect health data, and the type of anonymisation techniques needed to make them non-identifiable.

Key Concepts

  • The purpose of data protection legislation is to ensure (1) the security of the data, (2) that the acquisition and processing of data is lawful and (3) that the data subjects have an appropriate degree of control over the use of their data.
  • Data acquisition usually requires informed consent from the data subject.
  • There are different rules for the processing of identifiable and non-identifiable personal data.
  • There are specific protections in relation to sensitive data, including health data.
  • Identifiability is only absent if deductive identification is very difficult.
  • The approach to data protection differs significantly between the European Union and the United States.

Keywords: anonymisation; data protection; data protection legislation; data security; General Data Protection Regulation; health data; HIPAA (Health Insurance Portability and Accountability Act); personal data

Websites

European Commission. Commission decisions on the adequacy of the protection of personal data in third countries. http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm

Further Reading

Herold R and Beaver K (2014) The Practical Guide to HIPAA Privacy and Security Compliance, 2nd edn. Boca Raton, FL: CRC Press.

Kosta E (2013) Consent in European Data Protection Law. Leiden: Martinus Nijhoff Publishers.

US Congress (1990) Americans with Disabilities Act of 1990. Public Law 101–336.

How to Cite

Holm, Søren (Aug 2016) Data Protection Legislation. In: eLS. John Wiley & Sons Ltd, Chichester. http://www.els.net [doi: 10.1002/9780470015902.a0005196.pub3]