National Health Data Space: a strategic project for the country

Building the European Health Data Space is one of the challenges of our generation. The COVID 19 pandemic put us in front of the mirror and brought back at least two images. The first was none other than the result of the application of formalistic, bureaucratised and old-fashioned models of data management. Second, the enormous potential offered by data sharing, collaboration of interdisciplinary teams and the use of health information for the common good. The European Union is clearly committed to the second strategy. This article examines the challenges of building a National Health Data Space as an instrument to enhance the reuse of health data for secondary uses from a variety of perspectives.

The error of focusing on formalist visions

The data processing and sharing scenario prior to the deployment of the European data strategy and its commitment to data spaces produced not only counter-intuitive, but also counter-factual effects. The framework of the General Data Protection Regulation (GDPR) instead of favouring processing operated as a barrier.  Strict enforcement was chosen, based on the prevalence of privacy. Instead of seeking to manage risk through legal and technical solutions, the decision was made not to process data or to use technically complex anonymisations that are unfeasible in practice.

This model is not sustainable. Technological acceleration forces a shift in the centre of gravity from prohibition to risk management and data governance. And this is what Regulation of the European Parliament and of the Council on the European Health Data Space (EHDS) is committed to: finding solutions and defining guarantees to protect people. And this transformation finds Spain's healthcare sector in an unbeatable situation from any point of view, although it is not without risks.

Spain, a pioneer in the change of approach

Our country did its homework with the seventeenth additional provision on the processing of health data in Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD, in Spanish acronyms). The regulation circumvented most of the problems affecting the secondary use of health data and did so with the methodology derived from the GDPR and the jurisprudence of the Constitutional Court. To this end, he opted for:

• A clear systematisation and normative predetermination of use cases.
• A precise definition of treatment entitlements.
• Procedural, contractual and security guarantees.

The Provision was five years ahead of the EHDS in terms of its aims, objectives and safeguards. Not only that, it puts our healthcare system at a competitive advantage from a legal and material point of view.

From this point of view, the National Health Data Space as the backbone is a project that is as essential as it is unpostponable, as reflected in the National Health System's Digital Health strategy and the Recovery, Transformation and Resilience Plan. However, this assertion cannot be based on uncritical enthusiasm. Much work remains to be done.

Lessons learned and challenges to overcome

European research projects managed by the ecosystem of health foundations at the Carlos Tercero Institute, university and business, provide interesting lessons. In our country we are working on precision medicine, on the construction of data lakes, on mobile applications, on high capacities of pseudonymisation and anonymisation, on medical imaging, on predictive artificial intelligence..., and we could go on. This ecosystem needs a layer of governance innovation. Part of it will be provided directly by the EHDS. Data access bodies, the supervisory authority and cross-border access structures shall ensure the lifecycle from the formation of catalogued and reliable datasets to their actual processing. These governance infrastructures require an organisational and human deployment to support them. Previous experience helps to anticipate the risks that a stress test may pose for the whole value chain:

1. The training of human resources in crucial aspects of data protection, information security and new ethical requirements is not always adequate in terms of format, volume and profile segmentation. Not 100% of the workforce is trained, while voluntary continuing education for health professionals is of a high legal standard, causing an effect that is as counterproductive as it is perverse: curtailing the capacity to innovate. If instead of empowering and engaging, we offer an endless list of GDPR obligations, research staff end up self-censoring their ability to imagine. The content and the training target are confused. High-level training should focus on project managers and technical and legal support staff. And in these, data protection officer plays a vehicular role, as it is the person who must provide non-binary advice - of the legal or non-legal type - and cannot transfer all the responsibility to the research team.
2. Governance of treatment resources and processes needs to be improved. In certain research areas, and universities are the best example of this, information systems are segmented and managed at the smallest project or research team level. These are insufficient resources, with little control over risk management and security monitoring, including support for the management and maintenance of the treatment environment. Moreover, data access procedures are based on rigid models, anchored in the case study or clinical trial. Thus, more often than not, we handle datasets in very specific environments outside the main data processing centres. This multiplies the risk, and the costs, in areas such as data protection impact assessments or the deployment of security measures.

Lack of expertise can pose systemic risks. To begin with, Ethics Committees are confronted with issues of data protection and artificial intelligence ethics that overwhelm their habits, customs and knowledge, and mothball their processes. On the other hand, what we commonly refer to as big data is not something that happens by magic. Pseudonymisation or anonymisation, annotation, enrichment and validation of the dataset and the processes implemented on it require highly skilled professionals. 

Effects of EHDS

We should reflect on whether our leading position in digitisation could also be our Achilles' heel. Few countries have a high degree of digitisation of every level of healthcare, from primary to hospital. Virtually none have regulated the use of pseudonymised data without consent, nor the broad consent model of our LOPDGDD. In this sense, under the umbrella of the EHDS there could be two effects that we need to manage:

• New opportunities in research projects. Firstly, as soon as Spanish health institutions publish their data catalogues at European level, requests for access from other countries could multiply. And, therefore, the opportunities to participate in research projects as information providers, data holders, or as data users.
• Boosting the ecosystem of innovative companies. Moreover, the wide range of secondary uses foreseen by the EHDS will broaden the profile of actors submitting data access requests. This points to the possibility of a unique ecosystem of innovative companies for the deployment of health solutions from wellness to artificial intelligence-assisted medical diagnostics. 

This forces those responsible for the public health system to ask themselves a rather simple question: what level of availability, process capability, security and interoperability can the available information systems offer? Let us not forget that many trans-European research projects, or the deployment of Artificial Intelligence tools in the health sector, are backed by budgets running into millions.  This presents enormous opportunities to deepen the deployment of new models of health service delivery that also feed back into research, innovation and entrepreneurship. But there is also the risk of not being able to take advantage of the available resources due to shortcomings in the design of repositories and their processing capabilities.

What data space model are we pursuing?

The answer to this question can be found very clearly both in the European Union's data space strategy and in the Spanish Government's own strategy. The task that the EHDS attributes to data access bodies, beyond the mere granting of an access permit, is to support and assist in the development of the processing. This requires a National Health Data Space to ensure service level, anonymisation or pseudonymisation standards, interoperability and information security.

In this context, individual researchers in non-health settings, but especially small and medium-sized innovative companies, do not possess the necessary muscle and expertise to meet ethical and regulatory requirements. Therefore, the need to provide them with support in terms of the design of regulatory and ethical compliance models should not be neglected, if they are not to act as a barrier to entry or exclusion. 

This does not exclude or preclude regional efforts, those of foundations or reference hospitals, or nascent data infrastructures in the field of medical imaging of cancer or genomics. It is precisely the idea of a federation of data spaces that inspires European legislation that can bear fruit of the highest quality here. The Ministry of Health and public health departments should move in this direction, with the support of the new Ministry of Digital Transformation and Public Administration. The autonomous communities reflect and act on the development of governable models and participate, together with the Ministry of Health, in the governance model that should govern the national framework. Regulators such as the Spanish Data Protection Agency are providing viable frameworks for the development of data spaces. Entire hospitals design, implement and deploy information systems that seek to integrate hundreds of data sources and generate data lakes for research. Data infrastructures such as EUCAIM lead the way and generate high-quality know-how in highly specialised areas.

The work on the roll-out of a National Health Data Space, and each and every one of the unique initiatives underway, show us a way forward in which the federation of effort, solidarity and data sharing ensure that our privileged position in health digitisation stimulates leadership in research, innovation and digital entrepreneurship. The National Health Data Space will be able to offer differential value to stakeholders. It will provide data quality and volume, support advanced compute-intensive data analytics and AI tools and can provide security in software brokering processes for the processing of pseudonymised data with high requirements.

It is necessary to recall a core value for the European Union: the guarantee of fundamental rights and the human-centred approach. The Charter of Digital Rights promoted by the Spanish government proposes successively the right of access to data for scientific research, innovation and development purposes, as well as the right to the protection of health in the digital environment. The National Health Data Space is called to be the indispensable instrument to achieve a sustainable, inclusive digital health at the service of the common good, which at the same time boosts this dimension of the data economy, promoting research and entrepreneurship in our country. 

Content prepared by Ricard Martínez, Director of the Chair of Privacy and Digital Transformation. Professor, Department of Constitutional Law, Universitat de València. . The contents and points of view reflected in this publication are the sole responsibility of its author.