Print   

Recommendation No.R (86) 1 of the Committee of Ministers to Member States on the protection of personal data used for social security purposes

(adopted by the Committee of Ministers on 23 January 1986 at the 392nd meeting of the Ministers' Deputies)

The Committee of Ministers, under the terms of Article 15.b of the Statute of the Council of Europe,

Considering that the aim of the Council of Europe is to achieve a greater unity between its member states;

Bearing in mind the provisions of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, of 28 January 1981;

Aware of the need to protect the privacy of the individual in relation to the increased used of data processing in the field of social security;

Noting the high proportion of the population of the member states which is affected by the social security system, and the consequential volume of information at the disposal of social security institutions, some of which is sensitive;

Bearing in mind that the increased mobility of labour necessitates co-operation between social security institutions in different member states and a corresponding exchange of social security information across national frontiers;

Realising that the use of personal data is indispensable to the effective administration of the social security system;

Considering that a balance should be struck between the need for the use of personal data in the social security sector on the one hand, and on the other hand the necessary protection of the individual, especially when automatic data processing is involved,

Recommends that the governments of the member states:

Appendix to Recommendation No. R (86) 1

Principles and guidelines

1. Scope and definitions

1.1. The principles and guidelines in this appendix apply to the use of personal data for social security purposes within the meaning of paragraph 1.2 in both the public and private sectors when such data are processed automatically.

1.2. For the purposes of this recommendation:

1.3. The member states may extend this recommendation to other benefits whether administered on a contributory or non-contributory basis as well as to data processed manually.

2. Respect for privacy

2.1. Respect for the privacy of individuals should be guaranteed in the collection, storage, use, transfer and conservation of personal data used for social security purposes.

2.2. Appropriate measures of control sufficient to guarantee the protection of the data should be provided for in each of the social security institutions.

3. Collection and storage of the data

3.1. Collection and storage of personal data for social security purposes should be limited to such as are necessary to enable social security institutions concerned to accomplish their tasks.

The collection and storage of data of a sensitive nature should be carried out only within the limits laid down by domestic law. Furthermore, the collection and storage of personal data concerning racial origin, political opinions or religious or other beliefs should not be permitted unless absolutely necessary for the administration of a particular benefit.

3.2. Wherever possible, personal data should be obtained by the social security institutions from the person concerned.

3.3. Social security institutions may, if appropriate, consult other sources as provided for by domestic law. However, personal data of a sensitive nature may be obtained from other sources only with the informed and express consent of the person concerned or in accordance with other safeguards laid down by domestic law.

3.4. Each social security institution should be required to draw up a list, which should be given adequate publicity, of the categories of data stored as well as the categories of persons covered by the data, the purposes for which they require those data, the authorities to which they regularly communicate data, and the categories of data so communicated.

4. Use of the data

4.1. Personal data obtained by a social security institution for the accomplishment of a certain task may be used for other social security purposes within its competence.

4.2. Exchange of personal data between social security institutions should be permissible to the extent necessary for the accomplishment of their tasks.

4.3. Personal data should not be communicated outside the framework of social security for other than social security purposes except with the informed consent of the person concerned or in accordance with other guarantees laid down by domestic law.

5. Social security numbers

5.1. The introduction or use of a single uniform social security number or similar means of identification should be accompanied by adequate safeguards provided for by domestic law.

6. Access of the person concerned to the data

6.1. Subject to provisions of national law concerning medical data or scientific research and statistics, the right of the individual to obtain and rectify data concerning him should not be restricted unless this is necessary for the suppression of fraud or abuse of the social security system or for the protection of the rights and freedoms of others.

6.2. Adequate publicity should be given to the ways and means of exercising the aforementioned right.

7. Data security

7.1. Each social security institution should implement adequate technical and organisational measures to ensure the security and confidentiality of personal data used for social security purposes.

7.2. The personnel of the social security institution and any other person participating in the processing of the data should be kept informed of such measures and the need to respect them.

8. Transborder flows of personal data used for social security purposes

8.1. The transborder transfer of personal data between social security institutions should be permitted to the extent necessary for the accomplishment of their tasks in application of international legal instruments relating to the social security sector.

8.2. The provisions of paragraphs 4.1, 4.2 and 4.3 are applicable to personal data which are subject to transborder flows. Wherever necessary, additional safeguards should be provided so that respect for the privacy of the person concerned is guaranteed in the state to which personal data are transferred.

9. Conservation of data

9.1. Personal data should not be held by a social security institution for a period longer than is justified by the accomplishment of its task or is required in the interest of the person concerned.

9.2. Storage periods should be laid down in respect of each category of benefit having regard to the particular features of that benefit, the data necessary for determining other types of benefit and the sensitivity of the personal data which it involves.

9.3. Where, however, in the interests of historical research, scientific research or statistics it is desirable to conserve personal data that are no longer used for social security purposes, the data should whenever possible be rendered anonymous. If it should prove necessary to keep the data in an identifiable form, adequate security measures should be taken within the bodies ultimately handling such data.

Explanatory Memorandum

Introduction

1. After the elaboration of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of 28 January 1981, the Council of Europe proceeded to reflect on the application and possible adaptation of the basic principles set out in the convention to particular sectors of activity, taking account of the requirements specific to them.

Thus the Committee of Ministers adopted, on 23 January 1981, Recommendation No. R (81) 1 on regulations for automated medical data banks, on 23 September 1983, Recommendation No. R (83) 10 on the protection of personal data used for scientific research and statistics, and, on 25 October 1985, Recommendation No. R (85) 20 on the protection of personal data used for purposes of direct marketing.

2. In this context, the experts acting within the framework of the Committee of experts on data protection (CJ-PD) believed it was necessary to reflect on the problems created by the use of personal data in the field of social security and to examine the appropriateness of drawing up a legal instrument for the protection of these data. With this aim in mind, a working party composed of experts from Austria, the Federal Republic of Germany, Greece, the Netherlands, Sweden, Switzerland and Turkey was set up. Under the Chairmanship of Mr Peter J. Hustinx (Netherlands) the working party met on three occasions.

3. At its first meeting (22-24 March 1982) the working party identified the specific problems in the field of social security and considered the extent to which the basic principles set out in the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data were applicable, or needed to be adapted, to the requirements of data protection in the social security sector.

The working party decided to confine itself to the social security field, and not to take social welfare into account.

4. The main questions discussed at this meeting concerned the categories of information needed for social security purposes, the way in which this information was collected, the sources from which it came, the purposes for which it was used, the period for which it was stored, the guarantees existing for preserving its confidentiality and the question of the communication of data to third parties. On 23 March 1982, the working party held a joint meeting with the Steering Committee on Social Security (CDSS), which had shown great interest in its work, so as to discuss these matters.

5. At its second meeting (28-30 March 1983), the working party was greatly helped by a study carried out by Mr S. Walz, consultant, as well as by information provided by the experts in the Committee of experts on data protection on the situation in member states.

6. While confirming the position it had taken at its first meeting regarding the need to confine its attention to the social security sector and not to deal with the social welfare sector, the working party nevertheless considered that the importance of the relationship which could be established between these two sectors, particularly with respect to the transmission of data, should not be overlooked.

7. In view of the importance and special nature of the problems arising in the social security sector as well as the advantage to be gained from pursuing the process of harmonisation by laying down basic rules for this sector to serve as guidelines for national legislatures, the working party drew up, on the basis of a text prepared by the Secretariat and in the light of observations and commentaries sent by the governments, a draft recommendation on the protection of personal data used for social security purposes. This text was finalised at its third meeting (1-3 February 1984).

8. This draft recommendation, accompanied by a draft explanatory memorandum was sent to the Steering Committee on Social Security for its opinion at its meeting in September 1984. The Committee of experts on data protection and the European Committee on Legal Co-operation approved the draft recommendation on 2 October 1984 and 24 May 1985 respectively.

9. Recommendation No. R (86) 1 on the protection of personal data used for social security purposes was adopted by the Committee of Ministers of the Council of Europe on 23 January 1986.

Detailed comments

Preamble

10. The activities of the social security systems in the member states of the Council of Europe touch the lives of a considerable number of people. From birth, right through to death, the schemes administered by the social security system will bring the individual into contact with social security institutions - and on many occasions.

11. The preamble to the Recommendation recognises the extent of contact between the social security system and the individual as well as the consequences: the volume of information at the disposal of social security institutions to enable them to administer the various schemes for which they are responsible. The self-evident need to have personal data for effective administration of the social security system is also stated.

12. However, consistent with the title of the Recommendation, the preamble points to the necessity of ensuring that the privacy of the individual is not threatened once it is admitted that mass collection and storage of personal information, increasingly through automated means, are a necessary consequence of good administration within the social security sector. The preamble draws attention to the sensitivity of some of the information held, although the appendix will also treat the protection of individual privacy from the point of view of collection and storage of data, their use, conservation and so on.

13. Nor are the problems posed by the use of personal data for social security purposes confined to specific national territories.

Problems may also arise in relations between member states as a result of the high degree of labour mobility which requires an exchange of information and the maintenance of co-operation between social security institutions. In other words, transborder flows of personal data used for social security purposes are worthy of examination in the context of guaranteeing the protection of the privacy of the individual.

14. It is in the light of these considerations that the preamble refers to the need to strike a balance between the justified use of personal data in the social security sector and the necessity of protecting the individual, particularly where automatic data processing is involved.

15. The appendix to the Recommendation sets out the guidelines which governments should follow in their domestic law and practice regarding the use of personal data for social security purposes.

Consistent with Article 11 of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of 28 January 1981, there is nothing to prevent a member state from providing stricter measures or from granting greater protection to the data subject than is laid down in the Recommendation. In addition, it goes without saying that, as these guidelines are founded on the basic principles of the convention and are designed to promote its implementation, they should be read in the light of this instrument, and, accordingly, they should be developed in accordance either with the basic principles set out in the convention or its provisions, even if these principles or provisions have not been expressly incorporated into the Recommendation.

Scope and definition

16. As is explicitly stated in paragraph 1. 1, the Recommendation covers the use of personal data for social security purposes in both the public and private sectors. This is a recognition of the fact that bodies involved in the administration of the social security schemes may not all derive their status from public law. Social security institutions vary widely in regard to their legal status in the different member states, ranging from public law authorities to private law entities with legal personality and government-appointed private institutions.

17. Paragraph 1.1 limits the scope of the Recommendation to data processed automatically. However, as with the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, paragraph 1.3 of the Recommendation allows member states the freedom to extend the scope of the Recommendation to manual processing. Such a possibility is important given the fact that both manual and automatic processing pose similar problems in this sector for the privacy of the individual. It would be wrong for the Recommendation to exclude entirely personal data processed manually. Indeed, in some member states manual processing is still very much the system employed.

18. The definition of "personal data" retained in paragraph 1.2 of the Recommendation has been taken over from the convention and Recommendations Nos. R (83) 10 and (85) 20. Data which do not satisfy the definition will obviously fall outside the scope of the Recommendation. The definition is important given the provisions of the Recommendation on the desirability of rendering personal data anonymous in certain cases.

19. The definition of social security purposes in paragraph 1.2 is based on the tasks which social security institutions perform in regard to certain categories of benefits. The list of benefits which figures in paragraph 1.2 has been taken from the European Code of Social Security and its Protocol (16 April 1964) and the European Convention on Social Security (14 December 1972).

20. It is, accordingly, a benefit-based definition: social security purposes are defined by reference to the tasks carried out in regard to the listed benefits which, in the light of the European Code of Social Security, may be taken to include benefits in cash and benefits in kind. Among the tasks which social security institutions perform in regard to these benefits, mention may be made of: the collection of contributions, the distribution of benefits, normal investigations into fraud or abuse of the benefits, in-house research for policy planning, etc. In short, all the tasks related to the administration of the benefits.

21. Paragraph 1.3 makes it clear that member states may extend the application of the principles and guidelines contained in the Recommendation to the social welfare field including medical assistance a) It is noted, however, that in regard to medical data there exists another recommendation (Recommendation No. R (81) 1) which addresses the issue of personal data which are collected and stored in automated medical data banks.

Respect for privacy

22. Paragraph 2.1 lays down the principle of respect for privacy which should be guaranteed at all stages of data processing, including conservation, by means of appropriate control measures. This is a general statement which informs the approach taken in the remaining paragraphs of the Recommendation.

23. The operative part of the Recommendation recommends that the governments of the member states ensure that the Recommendation is widely circulated to the authorities responsible for administering the social security system. These authorities should be made aware of the role which they are to play so as to guarantee protection of the data. Their responsibility in this respect should be emphasised. The governments of the member states could contribute to the provision of the appropriate measures of control referred to in paragraph 2.2 so as to guarantee the protection of the data - for example, overseeing by an independent control body or the appointment of a person to be responsible for the protection of the data in each social security institution. Member states will find additional ways of designing appropriate measures of control.

Collection and storage of the data

24. The principle of proportionality between, on the one hand, the collection and storage of personal data and, on the other, the accomplishment of the tasks assigned to social security institutions is laid down in the first sub-paragraph of paragraph 3.1. To ensure compliance with this principle, it would seem desirable to give publicity to the kinds of personal data which are essential to the discharge of tasks performed by the social security institutions. This would have the added advantage of clarifying for the benefit of the public the kind of tasks which each institution performs. It will be recalled from paragraph 1 of the Recommendation that those tasks are defined by reference to certain benefits. The determination of the information necessary for the discharge of the various tasks could take the form of a list of personal data required for each category of benefit and this is in fact suggested later in paragraph 3.4. What sort of data are "necessary to enable social security institutions concerned to accomplish their task" will obviously involve a weighing of interests, and all interested parties should contribute to this process.

25. In some cases, it will be discovered that data have been collected and stored as they were initially thought necessary for the accomplishment of social security tasks and it later transpires that they are irrelevant. When it is discovered by the social security institutions that they have collected unnecessary and irrelevant data, steps should be taken to erase such data. Pending such a decision these data will of course remain subject to the principles and guidelines of the Recommendation.

26. Paragraph 3.1, second sub-paragraph, addresses the issue of data of a sensitive nature. The types of data referred to in this paragraph which are thought to be sensitive may be those set out in Article 6 of the convention, namely personal data revealing racial origin, political opinions or religious or other beliefs; personal data concerning health or sexual life; personal data relating to criminal convictions.

However, in accordance with the convention, the list in Article 6 is not exhaustive of the categories of data which may be considered sensitive. In the context of a particular social security system, different types of data may be regarded as sensitive. It is a matter for each individual member state to identify such data and to provide the necessary limits to the collection and storage of these data in its domestic law.

27. The general rule with regard to the collection of such data is clearly stated in paragraph 3.1, second sub-paragraph: domestic law should define the limits to collection and storage and in the case of data concerning racial origin, political opinions or religious or other beliefs no collection or storage should be authorised except if indispensable for the administration of a particular benefit. This could be the case, for example, with benefits granted to certain categories of persons having suffered during the second world war or where claimants speak a special dialect and therefore need interpretation facilities to help them claim benefit. However, the exceptional nature of these cases is stressed as well as the fact that practical solutions can be found so as to avoid recourse to storage of sensitive data in the majority of cases.

28. It is important that the data subject is not kept out of the data circuit; in accordance with paragraph 3.2 he should wherever possible be the supplier of information to the social security institutions. However, paragraph 3.3 recognises the appropriateness of social security institutions resorting to sources other than the individual so as to obtain information. Employers offer an example of a common alternative source. Domestic law will often make consultation of other sources obligatory. It is thought appropriate, nevertheless, to treat the individual as a most desirable source of information. However, in accordance with paragraph 3.3, whenever sensitive data are involved sources other than the individual data subject should be consulted only with his informed and express consent or in accordance with other safeguards laid down by domestic law, which may correspond to the appropriate safeguards provided for under Article 6 of the convention.

29. Paragraph 3.4 stresses the importance of giving publicity to the use made by social security institutions of personal data. Publicity is of value in clarifying to the public the tasks of social security institutions and the purposes for which they use data. It allows, for example, a check to be made on whether data collected are really necessary for the accomplishment of particular tasks.

This provision requires each social security institution to draw up a list containing certain information. This list should be displayed on the premises of social security institutions. Alternatively, the relevant details could be listed in a register which is open to the public.

Use of the data

30. Paragraph 4.1 recognises that a social security institution may use personal data obtained for the accomplishment of a particular task (for example, the administration of a particular benefit) for the discharge of other tasks falling within its competence (for example, the administration of other benefits). Respect for the finality of purpose is complied with in such a situation. It should be borne in mind that the administration of a benefit may involve different tasks and therefore the principle of finality cannot simply be limited to one benefit/one task.

31. Similarly, paragraph 4.2 recognises the possibility of an exchange of personal data between social security institutions but only to the extent necessary for the accomplishment of their tasks. It is permissible, accordingly, for one social security institution which has collected personal data for the administration of a particular benefit to communicate those data to a different such institution for the accomplishment of its tasks relating to administration of benefits, or statistical research designed to aid future policy planning or to help with investigations into fraud or abuse of the social security system.

Given this possibility of transferring personal data between social security institutions, the importance attaching to the publicity requirements mentioned in paragraph 3.4 is underscored: the individual should know what constitutes a legitimate social security task so that he can be certain that the principle of finality is being respected.

32. Paragraph 4.3 discusses the situation where personal data collected for social security purposes by a social security institution are to be transferred outside the framework of social security. It will often be the case that fiscal authorities will need access to personal data held by social security institutions to enable them to make tax determinations. Litigation, for example matrimonial proceedings involving the data subject, may similarly require investigation into his social security record. Again, researchers acting outside the social security sector will often seek access to social security data to further their research into social policy fields.

However, in all such cases the transfer of personal data must only be carried out with the informed consent of the person concerned or in accordance with other guarantees laid down by domestic law. Increased safeguards for the individual are justified in this context given the fact that data collected from the individual for a particular purpose are now intended to serve a different purpose.

33. Paragraph 4 concerns the use to be made of personal data as defined in paragraph 1 of the Recommendation. Data which have been rendered anonymous or which do not satisfy the paragraph 1 definition are not subject to the above limitations on use of data.

Social security numbers

34. A social security number can facilitate the interconnection and cross-checking of files and thus greatly assist the discharge of tasks by social security institutions. Paragraph 5.1 states that domestic law should provide adequate safeguards in the event of the introduction or existing use by a member state of a single uniform social security number or similar means of identification. Such safeguards are thought to be desirable given the fears which are aroused by identifiers. For example, it may be feared that the introduction of a social security number would enable authorities operating outside the social security sector to avail of that number for their own purposes. What was originally planned as a number issued for a particular purpose could quickly become a standard number for all purposes. Suspicion may also surround the type of information contained on identification cards which serve a purpose similar to social security numbers.

35. It is to prevent such fears and suspicions arising that paragraph 5.1 speaks of the need to provide adequate safeguards alongside the introduction or the present use of social security numbers. The introduction of all-purpose standard numbers should not be done in a clandestine manner. Safeguards should also be laid down in respect of the information contained on identification cards. For example, such information should be readable and not excessive having regard to the purpose for which it is to be used.

Access of the person concerned to the data

36. In accordance with the general principle laid down in Article 8 of the Data Protection Convention, paragraph 6.1 of the Recommendation specifies that everyone should have access to data concerning him which includes the right to obtain and rectify such data. However, as with the convention, certain restrictions may legitimately be placed on the exercise of such a right. Paragraph 6.1 recognises that national law may have special provisions governing medical data as well as scientific research and statistics which will limit the right to obtain and rectify data. In this context, reference should be made to Recommendation No. R (81) 1 on regulations for automated medical data banks and Recommendation No. R (83) 10 on the protection of personal data used for scientific research and statistics. Both of these legal instruments, which have been adopted by the Committee of Ministers of the Council of Europe and which are addressed to the governments of the member states, refer to exceptions which may be made to the right of access in these fields.

37. In addition to the above-mentioned restrictions, paragraph 6.1 allows limits to be placed on the right to obtain and rectify data where this is necessary for the suppression of fraud or abuse of the social security system or for the protection of the rights and freedoms of others. These restrictions have been inspired by Article 9.2 of the Data Protection Convention. In accordance with Article 9, therefore, these restrictions must be based on law and constitute necessary measures.

A restriction based on the suppression of fraud or abuse of the social security system has as its parallel in Article 9, paragraph 2.a, of the convention: "the suppression of criminal offences". The "protection of the rights and freedoms of others" has been taken over in full from Article 9, paragraph 2.b, although the reference in that article to "protecting the data subject" does not appear in paragraph 6.1 of the Recommendation. This limitation will be covered by provisions of national law which restrict access to medical data where this is necessary for the protection of the data subject.

38. In regard to the position of co-assured - for example a spouse insured by virtue of the other spouse's contribution record to the social security system - it is thought that as a data subject in his/her own right, a co-assured should have the right to obtain and rectify data concerning him/her subject to the restrictions laid down in paragraph 6.1. The rights of co-assured to obtain and rectify their data may therefore be restricted where it is necessary to prevent infringement of the privacy of the other party - for example, to prevent one party from learning that the other co-assured has had a particular operation.

In regard to minors who are insured under a parent's contribution record, it is recognised that the parent's access to personal data cannot be restricted on the grounds of protecting the rights and freedoms of the minor. As legal representative of the minor, his right to obtain and rectify data concerning him should not be so restricted. With the cessation of the parent's right to act on behalf of the minor, for example when the minor attains a certain age, the restriction on access will apply.

39. To facilitate exercise of the rights mentioned above, paragraph 6.2 encourages publicity on how they can be availed of. Social security forms supplied to the individual could, for example, make reference to the possibility of exercising the rights to obtain and rectify data as well as the procedure the individual must follow in order to exercise these rights. Similar information could be publicly displayed on the premises of social security institutions.

Data security

40. Adequate security measures should be taken according to the nature of the information stored, particularly as a considerable proportion of personal data obtained for social security purposes is of a confidential nature. Accordingly, paragraph 7.1 stipulates that such measures must not only be provided for but also be put into practice by social security institutions. Responsibility rests with them.

41. In accordance with paragraph 7.2, the attention of everyone involved in the processing of personal data used for social security purposes should be drawn to the particular importance of such measures in the social security field.

Transborder flows of personal data used for social security purposes

42. As stated in the preamble to the Recommendation, the increased mobility of labour makes co-operation indispensable between states in general and between their social security institutions in particular. This requirement results from the need to guarantee social benefits, whether in the country of settlement or in the country of origin, after the return of the migrant worker and the members of his family.

Such an exchange of information is presently based on multilateral legal instruments, Community instruments and bilateral agreements between states. However, in many cases, these instruments have been drawn up prior to the Council of Europe Data Protection Convention and their drafters may not have given sufficient consideration to the privacy issues created by transborder exchanges of personal data.

43. Paragraph 8.1 and paragraph 8.2, accordingly, seek to ensure that the principles of data protection apply equally to the international level. Paragraph 8.1 stresses respect for the principle of proportionality. Paragraph 8.2 states the conditions in which social security data subject to international transfer may be used by the recipient state and refers in this context to the principle of finality expressed in paragraph 4.

44. Of course, where data are transferred between states which have data protection measures in force no difficulties will arise for the protection of the data in the recipient state as the sort of principles referred to in paragraphs 4.1, 4.2 and 4.3 will be respected. On the other hand, in cases where data are to be transferred to a state which has no data protection legislation, agreements which provide necessary additional guarantees should be concluded between the recipient and sending states so as to ensure data protection in the recipient state. Such agreements need not be formal treaties. They could take the form of, for example, an exchange of letters.

Conservation of data

45. The Data Protection Convention lays down the principle that personal data undergoing automatic processing shall be "preserved in a form which permits identification of the data subject for no longer than is required for the purpose for which those data are stored" (Article 5, paragraph e). This basic principle needs to be adapted to the social security sector, having regard to the special nature and variety of the benefits in issue.

46. Thus paragraph 9.1 stipulates that the storage period should be no longer than is justified by the accomplishment of the tasks concerning a particular benefit or by the interests of the data subject. This should cover the period of payment and supervision and that of conservation bound up with the time taken by litigation including appeal proceedings. This rule applies to the conservation of data not only for the purposes of a particular benefit but also, where appropriate, for the purposes of subsequent benefits connected therewith.

47. Storage periods should be fixed for each category of benefit (paragraph 9.2). The particular nature of each benefit will determine the length of storage (for example, data relating to old-age benefits will be kept longer than those concerning sickness benefits). Particular data may have to be retained longer than is customary if they are essential for working out entitlement to various types of benefit.

48. Data of a sensitive nature should be stored for no longer than is absolutely necessary. It will be recalled from paragraph 3.1 that such data may only be stored within the limits laid down by domestic law.

49. The value of personal data for historical research, scientific research as well as statistics is recognised in paragraph 9.3. In the light of paragraph 4.3, personal data used for social security purposes can always be transferred outside the social security sector to advance such research topics provided the informed consent of the person concerned has been obtained or in accordance with other guarantees laid down by domestic law. Research conducted within social security institutions is subject to different considerations as this is recognised as a legitimate task of social security institutions.

50. Of course, data which have been rendered anonymous may be readily used for outside research purposes and are not subject to any limitation. Should it be necessary to preserve the data in identifiable form in the interests of scientific research and statistics, the provisions of Recommendation No. R (83) 10 on the protection of personal data used for scientific research and statistics will apply.