It is no secret that the European Union (EU) is working hard to ensure that the EU remains one of the top innovators and commercially prosperous areas. One of these initiatives is the European strategy for data, with its key pillar being the Data Governance Act. The European strategy for data aims to strengthen mechanisms to increase data availability and overcome the technical roadblocks to the reuse of data.
The first area the EU is focussing on, is the European Health Data Space (EHDS). The EHDS aims to:
With the overall goal for the EHDS being the foundation of a more resilient and sustainable healthcare system.
In this blog, we will be looking at the impacts on data protection the new EHDS could have and what this could mean for individuals and organisations. The European Health Data Space will be split into two elements; one for patients and the other for clinical trials and research. We will be examining both elements of the EHDS and how they relate to the GDPR, what the European CommissionOne of the core institutions of the European Union, responsible for lawmaking, policymaking and monitoring compliance with EU law. needs to consider, and potential risks.
The EHDS will help a broad variety of stakeholders, these include:
Looking at this list, we can see that there are a multitude of reasons as to why and how data will be used by different stakeholders. However, the proposed European Health Data Space isn’t popular amongst everyone due to the vast number of stakeholders who will have different interests in the data collected. Many individuals including, patients, doctors, and data privacy rights groups have expressed concerns over the EHDS.
The EHDS aims to minimise the imposing risks that come with sharing vast amounts of health data by anonymising all medical records, meaning that personally identifiable information will be encrypted and not accessible to just ‘anyone’. Researchers, companies, and policymakers will need to obtain a special form of authorisation, this will grant them access to the anonymisedAnonymised refers to data that has undergone a process of transformation to remove or alter personal data in such a way that individuals can no longer be identified from it, and it is impossible for that process to be reversed and the data to be re-identified. Anonymised data is considered non-personal and falls outside the scope of the GDPR. and pseudonymised data. These stakeholders will only be able to access the data for specific purposes that will benefit society. This means that if your organisation specialises in clinical trials or medical devices and are considering using/currently use EU health data, then you will need to apply for the form of authorisation to gain access to the data collected from the EHDS.
The EHDS will create a ‘GDPR+’ system, where the EU will move away from the current consentAn unambiguous, informed and freely given indication by an individual agreeing to their personal data being processed. model and towards a model where residents would not have to give specific consent. This coupled with the pseudonymisation and anonymisation of data will ensure that patients’ data is protected to some degree.
The primary use of the EHDS is to give more power to the patient over their medical records. It will have some aspects of overlap with the rights that are afforded under the GDPR, including the right to portability (which allows patients the right to move their records to another EU country). Individuals will have the right to:
In three years, the EHDS will allow medical records, reports and images, and lab results to be shared on the system. This will eventually be based on a new European standard.
If you have read our previous clinical trials blog, you’ll know that clinical trial data can be reused, if the correct measures are in place. This is something that is common practice as it can help clinical trial organisations with different aspects of trials and development. The EHDS is expected to expand the market for reusing European health data. The EHDS 2 will allow health data to be processed for a specific set of ‘secondary’ reasons. This will be for development and innovation activities for products or services that will contribute to social security and/or public health, or for the purposes of training, testing and evaluating AI algorithms.
Under the EHDS, health data from medical devices, digital health apps, and wellness applications will fall within the scope of data that can be used for secondary purposes. However, there is likely going to be some push back from data rights groups and data protection authorities, as wearable devices and the applications that go alongside them gather huge amounts of data that could be invasive.
Data subjects should be given the choice as to whether their data from these devices are collected and used, they should also be properly informed about the use of their data. This is something the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) agrees upon.
The new EHDS could be big news for life sciences and pharmaceutical organisations who conduct clinical trials within the EU. It could also make the EU a lot more of an attractive place for life sciences organisations to conduct their trials. However, there are currently some uncertainties around certain elements of the EHDS.
From first glance, the European Health Data Space could offer greater clarity around the lawful bases, especially when it comes to the re-use of personal dataInformation which relates to an identified or identifiable natural person.. However, it is important to note that the EDPB have expressed concern over the lack of reference to the GDPR in the EHDS’s text. There is currently no legal basis for processing electronic health data for secondary use.
Different Member States have their own rules around processing health data (this is known as the right to subsidiarity, meaning Member States have the right to control what they do with their health system). Little has been given to how this system will work with national laws and how the EDHS will interact with local laws. This means that clinical trial organisations will have to be mindful of local and jurisdictional requirements, unless better guidance and legislation comes into effect.
There are still a lot of questions on what this will look like for organisations who will want access to data, and we are still unsure what the practical implications will be for organisations. The details and the standards that will be set will be provided later down the line once legislation comes into force. This is definitely an exciting place to keep our eyes on!
If you have questions, feel free to contact us using the form below.
Fill in your details below and we’ll get back to you as soon as possible