DIGITALEUROPE recommendations on health data-processing
80% of health data remains unstructured and untapped after it is created. We need decisive EU action to harmonise conditions for health-data processing across Member States. This is fundamental to creating a Common European Health Data Space. COVID-19, for example, has reminded us that access to health data for scientific research is still subject to various rules and interpretations in the EU.
The European Union is best placed to show global leadership with its strong data protection rules such as the GDPR and experience in driving a single market of 27 connected health ministries in the Member States. It needs to accelerate data sharing across borders and to address fragmentation to boost health innovation.
DIGITALEUROPE recommends to:
Create an EU Code of Conduct on the primary and secondary use of health data
Harmonise different Member State rules governing health data to include:
Establishing a one-stop-shop in each Member State to facilitate the secondary use of health data while preserving patient trust
Issuing EDPB guidance on GDPR interpretation by national Data Protection Authorities (DPAs)
Aligning local and national healthcare regulations with the GDPR to remove inconsistencies, fragmentation and accelerate vital data-driven delivery of care and cross-border research
Please find below more details on our recommendations. Our members stand ready to discuss and share our expertise and experiences.
A Code of Conduct on the primary and secondary use of health data
The EU has the opportunity to demonstrate leadership on public health challenges if it can remove all barriers to health data flows in the Single Market.
Vaccines to cross-border threats like COVID-19, cures for rare diseases and AI-powered diagnostic systems all depend on access to an individual’s health data.
We urge Member States to move beyond consent as a legal basis for primary and secondary uses. Authorities must recognise that other legal bases offer valid opportunities to speed up health solutions for pressing social needs and overcome longstanding data problems. Restrictive interpretations of public interest are hindering medical device real-time access to data for delivery of care. Similarly, in consent-based EU countries, legacy data issues such as patient death or the lack of a direct researcher-patient communication line are slowing down medical research and development.
We stand for the creation of an EU Code of Conduct on the processing of genetic, biometric, or health data that includes:
Public interest as legal basis for circumstances in Article 9.2 of the GDPR. The Code should also give a common interpretation of what is considered “public interest” by national authorities across the EU. The COVID-19 crisis shows us health data collection is crucial for real-time tracking of disease transmission, epidemiological research or discovery and identification of treatment options. Unduly restrictive Member State interpretations of public interest prevent hospitals from sharing important data that can help saving lives.
Common, acceptable de-identification and anonymisation levels for each specific circumstance. They could pave the way for a “relative” anonymisation approach, where traceability back to the source records comes without increased risks of patient re-identification.
An opt-out model for secondary use of data in research fields with higher patient identification sensitivities. This model would suit areas like rare diseases, genomes and personalised medicine, with higher re-identification risks than normal and where complete de-identification may impact the successful research outcome. A robust ethical and security framework would build necessary patient trust in this model and guarantee that vital identifiable data for research progress is handled properly. It would entail patient rights to actively object to their data being processed. Consent in this model should be, if required, an additional “ethical” safeguard, rather than the main legal basis for processing.
Harmonisation of rules and their interpretations
Other decisive actions should complement the creation of a Code of Conduct. Today, companies must navigate a patchwork of local and national regulations to process health data in the EU. Adding to that, Member States have different interpretations of the GDPR on aspects such as legitimate interest or consent for primary or secondary use.
Legal uncertainty ensues from this fragmented picture. Companies miss key opportunities to access and share data to address vital public health challenges.
We welcome the aim of the European Data Protection Board (EDPB) to issue guidance on health data-processing in the context of COVID-19. But the scope of the document should expand beyond health data processing for scientific and research purposes. Processing of health data in non-research circumstances must be clarified too for healthcare companies and hospitals to unlock new treatment opportunities. Real-time understanding of the disease’s patterns, monitoring oxygen levels for immediate medical care or diagnosing COVID-19 from chest X-rays are just a few examples.
We also urge:
The EDPB to give guidelines on GDPR interpretation by national Data Protection Authorities (DPAs). It should give a common understanding of public interest, legitimate interest, consent and the compatibility of primary and secondary use of data, which are key to speed up healthcare innovation.
Member States to establish a one-stop-shop to facilitate the secondary use of health data. Finland’s Act on the Secondary Use of Health and Social Data 552/2019 is a positive example. Other EU countries should replicate it. Based on patient trust, it set up a centralised authority to handle all data requests for research.
Member States to remove inconsistencies and fragmentation in local and national healthcare regulations.It is fundamental to align these rules with data protection provisions at EU level and harmonise as much as possible the regulatory landscape. Data must flow freely across borders if we want to find solutions to Europe’s largest public health challenges and create a successful Common European Health Data Space.