Czech Republic: Non-transparent processing of sensitive health data

By EDRi · June 1, 2016

In the past weeks, both the Czech Parliament and the Senate gave their consent to the expansion of the National Health Information System. The system itself is comprised of registers which contain the health data of individuals, directly linked to their personal birth number. Aside from existing registers which typically have a specialised focus – such as oncology, hospital admissions or obstetrics – there will now be a super-register which will collect data from all insurance companies, tracking every insurance claim and payment. Czech EDRi member Iuridicum Remedium (IuRe) warns that this process is actively encouraged by politicians at a time when the Institute of Health Information and Statistics refuses to make public information regarding the access, transfer, retention and suspected commercial exploitation of the data it stores.

“We have sent the Institute several requests regarding the functionality of their health registers. A majority of the information we have requested should be accessible, as one of the key principles of the processing of individuals’ sensitive data is transparency. The fact that this remains unaddressed is a grave mistake. We all go to the doctor which means we all have the right to know who has access to the data stored in each register, to whom else and in what form the data is transferred onward, whether this data is attributable to concrete individuals, and whether the registers are profiting from our sensitive health data. We did not expect the Institute to have any issue disclosing this information,” said Jan Vobořil, executive director of IuRe. The Institute has, however, refused to disclose any of this information, stating that it must remain confidential in order to protect the system’s integrity against cybersecurity threats.

“The reasoning given by the Institute is a mockery of the citizens’ right to information regarding sensitive personal data. We cannot fathom what sort of cybersecurity threat would be brought about by the disclosure of this information. With this approach we need to wonder why the existence of health registers, or moreover any registers governed by the state, should be anchored in law. Surely, following that logic, from a cybersecurity perspective, it is altogether safer if we have no awareness of their very existence,” added Vobořil.

In conjunction with recently published information in Dotyk, a website offering downloadable magazines for tablets and smartphones, regarding the strong connection between the Institute for Health Information and Statistics (which oversees the health registers) and the Institute for Biostatistics and Analysis (shared by the Masaryk University and the private for-profit company IBA which uses health data for commercial purposes), the unwillingness of the Institute to share information regarding the usage of the data raises suspicions as to the real purpose of these registers. It could well be that they exist chiefly for the financial profit of several interest groups which resell this valuable sensitive data onward.

“During the negotiations of the recently approved legislation, which will extend the coverage of the registers, the Data Protection Office made a promise to investigate the full extent of their functionality. Due to the attitude adopted by the Institute, we sincerely hope that this investigation will take place as soon as possible, and will be truly thorough. Meanwhile, we will of course appeal their refusal to release information,” concluded Vobořil.

The article was originally published by EDRi member Iuridicum Remedium (IuRe) in Czech at

(Translation by Lucie Krahulcova, EDRi member AccessNow, international)