EDPS sets out recommendations to ensure security and confidentiality in the human organ transplantation Directive
Implementing the proposed organ donation and transplantation scheme requires authorised organisations and healthcare professionals in the different Member States to process personal data relating to the health of organ donors and recipients. Such data are deemed sensitive and fall under the stricter rules of data protection. In his report, published in the OJEU on August 21st 2009, the EDPS sets out recommendations to ensure confidentiality and security in organ processing.
On December 8th 2008, the Commission adopted a Proposal for a Directive of the European Parliament and of the Council on standards of quality and safety of human organs intended for transplantation. One of the main objectives for this Proposal was to ensure high standards of quality and safety for human organs intended for transplantation, in order to ensure a high level of human health protection.
The proposal will advance organ donation and transplantation procedures, with the final aim of increasing organ availability and decreasing mortality on organ waiting lists. It complements the existing legislative framework on the use of biological materials of human origin, and it can also be seen as part of the overall EC approach to setting different types of common standards for the provision of healthcare services in the Member States, with the basic aim of promoting cross-border availability of these services across Europe.
The proposal has already considered the data protection needs arising for the donors and the recipients of organs, especially the requirement to keep their identities confidential. The European Data Protection Supervisor (EDPS) regrets, however, that some of these provisions are vague, ambiguous or general and, for this reason, he recommends a number of amendments to enhance the proposal's data protection related content.
EDPS proposed security principles in relation to organ transplantation
- Adoption of an information security policy to ensure confidentiality, integrity, accountability and availability of the donors’ and recipients’ personal data.
- Definition of a specific confidentiality and access control policy, together with data confidentiality guarantees for the persons involved in the processing.
- Addressing security mechanisms in the national databases, based on the principle of ‘privacy by design’.
- Establishing procedures to safeguard the data protection rights of the donors and recipients, especially the rights of access and rectification and the right to information, paying special attention to the cases of donors who wish to withdraw their consent or are not accepted as donors.
- Provision of measures to guarantee integrity and uninterrupted availability of the data.
- Ensuring regular monitoring and independent audits of the security policies in place.
The EDPS also made a series of recommendations on cross-border exchange of organs for transplantation from different Member States and certain third countries, to ensure that the transfer of data to and from third countries is performed safely, but also quickly and efficiently.
Traceability versus anonymity of human organs. The need for Confidentiality
Traceability of a biological material is the possibility of tracing it back to its holder and thus identifying him or her. In other words, whenever the holders of biological materials can be traced, either directly or indirectly, they can be considered identifiable, and vice versa.
The concepts of 'traceability' and 'identifiability' are therefore in principle strongly connected to each other. By contrast, traceability and anonymity of data cannot exist at the same time; they are opposites. If certain information is truly anonymous, it is not possible to identify and trace back the individuals.
The EDPS understands that the term anonymity is actually used to stress the need for enhanced confidentiality of the donors’ and recipients’ data, meaning that information is accessible only to those authorised to have access.
The EDPS assumes that anonymisation is used more specifically to imply an indirect identification scheme for the donors and recipients, which can also be deduced from the way in which this term is used in Directive 2004/23/EC on tissues and cells. Therefore, anonymity is not the correct term to be used.