As noted in the section on core human rights issues across public governance sectors, Article 8 ECHR protects health-related personal data,[1] which constitute a key element of private life.

Article 10 of the Oviedo Convention states that everyone a) has the right to respect for private life in relation to information about his or her health and b) is entitled to know any information collected about her or his health. Health-related personal data is explicitly considered sensitive under Convention 108 (Article 6) as well as under regional and domestic regulatory frameworks.[2] The Committee of Ministers of the Council of Europe has issued specific guidelines on the protection of health-related data, by its Recommendation CM/Rec(2019)2, which seeks to ensure the principles of Convention 108, including its modernised version, are fully applied to the exchange and sharing of health-related data.

AI systems in healthcare may rely heavily on sensitive patient data, including medical records and biometric information, for both training, testing and validation and when being used in relation to decision-making and prediction. Data security, confidentiality, and potential misuse, such as breaches or unauthorised sharing are among the concerns.[3] Moreover, individuals may face challenges in exercising control over their data, particularly when it is included in AI training datasets. The disclosure of health data can profoundly impact private and family life, as well as social and employment situations, risking stigma and exclusion. Therefore, domestic laws must provide safeguards to prevent unauthorised sharing or disclosure, ensuring compliance with Article 8 guarantees.[4]

 


[1] Surikov v. Ukraine, No. 42788/06, 26 January 2017, §§ 70 and 89.

[2] For instance, see Article 4 and Article 9, and Recital 35 and Recital 53 of the General Data Protection Regulation (GDPR), with definitions of the terms “health data”, “genetic data”, “biometric data”.

[3] See also the CDBIO Report on the role of health professionals and healthcare providers in collecting, generating and enriching, as well as safeguarding health data, pp. 21-23, referring to a 2017 ruling by UK’s Information Commissioner’s Office (ICO) finding a breach of the applicable data protection law and the right to privacy with respect to a healthcare institution granting to a private company access to over 1 million pseudonymized patient data files in order to test an AI system under development.

[4] Z. v. Finland, No. 22009/93, 25 February 1997, § 95