by Pierre Mallia MD MPhil PhD FRCGP
Director, Centre for Bioethics, Medical School

My past experience as President of the Malta College of Family Doctors has taught me how much doctors try to interpret the law; especially when it comes to EU directives in relation to medicine. This is quite understandable. Yet if the cautiousness of lawyers had never taught me anything, my other experience on a fifth framework project, PRIVIREALA, which dealt with the EU directive on Data Protection as applied to medicine and in particular DNA, has taught me even more how tricky it can be to try to interpret the law. I was privileged to work with over sixty lawyers from different EU states, and they were all humble in their dealing with laws. They treated the law with the respect with which we treat our patients – no hasty interpretations.

I am certainly no expert, but along with those who went into some detail regarding Data Protection, I have seen myths being created that perpetuate into illegality. Data Protection laws are there to protect the fundamental rights and freedoms of the individual. The EU directive on Data Protection is not. It takes for granted that EU states do indeed protect fundamental rights and freedoms1. In itself the directive is in fact wrongly often referred to as the ‘privacy act’, which it is not. In fact, the directive is there to facilitate transfer of information between EU states. The raison d’etre of the EU is to do away with economic barriers, and this is what the directive is all about. It is primarily not concerned with medicine, but takes medicine, statistics and historical matters to task as well. The fact that it gives exemptions to medicine, does not mean that privacy does not exist when it comes to doing research on samples. This is what PRIVIREAL was all about. It simply means that doctors can make use of files to treat patients.

Therefore the act in itself is there to prevent us from impeding transfer of information within EU states. Even if we feel that a country does not protect data sufficiently, it is this act which stops us from not allowing information transfer. Protests can only be done through the EU itself. The Data Protection Law in Malta conforms to the Directive.2

Data protection laws within EU states vary in their degrees of definition of what is a person. Some would include the fetus and dead people, others only seem to imply it, whilst others directly exclude these criteria. Also there seems to be divergent views of definitions such as anonymity. One myth is that once something is anonymised, then one can do what one wishes with the data. But if someone has the key, or a reference, to which we can go back to find the subject, even if it is not the researcher himself,  then this data cannot be considered anonymous.

Conversely Recital 263 of the directive allows for individual control even of anonymized data. A person has a right to disallow his or her data to be used for research to which they would have moral objection to. In this regard the directive does not allow broad consent to samples being used for research purposes. Informed consent imposes that we would still have to go back to patients to explain what the research is all about. This has been hard to digest by the medical profession, which has a considerable amount of samples stored over the years. However, the directive seems to allow an exception where this is not feasible – such as using samples obtained before the local act was adopted, where it would be difficult to trace the individuals to obtain their consent. However the Data Protection Commissioner would have to give his approval; which may be done through a Research Ethics committee which he allocates for the purpose.


A. Acronym for ‘Privacy in Medical Research and Law’, PRIVIREAL is a European Commission funded project examining the implementation of Directive 95/46/EC on data protection in relation to medical research and the role of ethics committees in European countries. The project is co-ordinated by Prof. Deryck Beyleveld, Faculty of Law, University of Sheffield.


1. Beyleveld D, Rouille-Mirza S, Townend D  et al. ‘Introduction,’ in Beyleveld D,  Townend D, Rouille-Mirza S et al (eds). Implementation of the Data Protection Directive in Relation to Medical Research in Europe. England: Ashgate, 2004: p.1-2.

2. Mallia P, Refalo I, Cauchi M et al. ‘The implementation of the Data Protection Directive 1995/46/EC in Malta’, in Beyleveld D,  Townend D, Rouille-Mirza S et al (eds).  Implementation of the Data Protection Directive in Relation to Medical Research in Europe. England: Ashgate, 2004: p.255-72.

3. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Official Journal of the European Communities. L281: p.31-50.