The multi-stakeholder Healthcare Coalition on Data Protection has stepped up pressure on lawmakers in the EU to preserve, re-instate or clarify research-friendly provisions in the European Commission’s proposal for a General Data Protection Regulation.
Among the changes sought by the Coalition, which was set up to “facilitate health-data processing for health purposes, in a reliable and responsible manner”, are the removal of amendments to Articles 81 and 83 of the Commission’s proposal; clarity on exemptions from consent to use personal data for healthcare and research; and a clearer definition of ‘personal data’.
The Coalition, which includes among its members the European Federation of Pharmaceutical Industries and Associations (EFPIA), has adjusted its original recommendations, made in January 2013, on the Commission’s proposal for a general regulation covering the bulk of personal-data processing in the EU.
The package of reforms to the EU's data protection framework also includes a directive on processing data to prevent, investigate, detect or prosecute criminal offences or to enforce criminal penalties.
The revised recommendations take into account the position adopted last October by the European Parliament’s Committee for Civil Liberties, Justice and Home Affairs (LIBE) on amendments to the data-protection regulation introduced by rapporteur Jan Philipp Albrecht.
These amendments have already raised concerns among other interested parties, such as the UK’s Royal College of Physicians and the European Office of the NHS Confederation, about undermining the effectiveness of health research and the delivery of patient-focused care.
Parliament’s aim was to reach an agreement on the data-protection reforms before the May 2014 European elections. That now looks unlikely, although the plan is to have the reforms agreed and signed off by the end of this year.
Last week EU justice ministers debated aspects of the proposed data protection regulation at a Council of the European Union meeting in Brussels, where it was evident work still needed to be done on issues such as data transfer to third parties and pseudonymisation.
The Healthcare Coalition on Data Protection says it fully endorses efforts to harmonise the regulatory environment for the protection of personal data in the EU; to strengthen this protection while maintaining the free flow of personal data; and to provide exemptions to data-protection requirements for health and research purposes.
However, certain provisions in the Commission’s proposals, and “more significantly” in the LIBE report, “will restrict the sharing of health data, create legal uncertainty and increase compliance costs if they remain unchanged, ultimately also delaying development and introduction of innovative treatments and other interventions”, the Coalition warns.
It urges EU policy makers to “take into account the value of improving citizens’ health and healthcare systems through the use of data-driven approaches. These include large disease databases, personalised medicine, medical imaging, eHealth, mHealth, human genome decoding, disease prediction, biobanks, biomarkers and many more”.
Articles 81 and 83
The Coalition is especially concerned that the LIBE committee “has not found the right balance in their amendments to Articles 81 and 83 and has failed to appreciate the benefits of properly-regulated data-sharing”.
These two Articles define specific conditions for processing personal data related to health (Article 81) and data used for historical, scientific and statistical research (Article 83).
According to the Royal College of Physicians, the net impact of the LIBE amendments has been to introduce much more stringent requirements for explicit consent to use personal data for health or scientific research than under current legislation.
The Healthcare Coalition on Data Protection takes up this baton, claiming that the “provisions of the LIBE report would make much valuable research involving personal data at worst impossible and at best unworkable”.
Article 81 as amended, for example, stipulates that member-state laws may provide an exemption to the consent requirement where personal health data are processed for research purposes, but only if the research serves “exceptionally high public interests” and “cannot possibly be carried out otherwise”.
The data in question would have to be “anonymised or, if that is not possible for the research purposes, pseudonymised under the highest technical standards, and all necessary measures shall be taken to prevent re-identification of the data subjects”.
Article 83 applies the same strictures to personal data “processed for historical, statistical or scientific research purposes”.
The Healthcare Coalition on Data Protection wants to see Articles 81 and 83 returned to the original text proposed by the Commission, with clearer exemptions for healthcare and research.
The proposed regulation, it insists, must provide a clear legal basis for processing of personal data for health and research purposes while:
- Recognising that the use of both identifiable and pseudonymised data is essential to the delivery of healthcare and health research.
- Providing an “unambiguous” exemption from consent for processing of personal data for health and research purposes where appropriate safeguards (e.g., ethics approval, technical standards, codes of conduct) are in place.
- Facilitating the secondary use of health data for research by “clarifying that it is not incompatible with the purpose data were collected for, where appropriate safeguards are established to protect the interests of data subjects”.
As far as definitions of ‘personal data’ are concerned, those proposed in the draft Regulation and in the LIBE report are “deliberately broad” and include data that may help to identify a data subject directly or indirectly, the Coalition notes.
In some cases, though, this cautious approach has led to unintended consequences, it adds. For example, the serial number used to identify medical equipment (e.g. a scanner, patient monitor) “may, without legal clarification, be regarded as personal data subject to the Regulation, as may location data”.
This would “bring no additional protection for individual privacy, and will have the undesirable result of increased administrative and compliance costs within the healthcare sector”, the Coalition says.
Other concerns expressed by the Coalition revolve around:
- Excessive administrative burdens tied to impact-assessment obligations and regular periodic data-protection compliance reviews.
- The need to maintain and clarify exemptions from the ‘right to be forgotten’ and other rights in the context of healthcare and research.
- Facilitating international transfers of pseudonymised personal data for health and research purposes where appropriate safeguards are applied.
On the second point, the Coalition argues that healthcare providers should “have access to life-saving information such as an individual’s health record, which is essential for tracking patients’ past history and ensuring the most appropriate medical advice, treatment and care moving forward”.
That should include maintaining the exemption for data retention in the context of research, it adds.