Re-use in the future European Health Data Space regulation

News date: 21-06-2022


The Commission's drive to promote data spaces within the framework of a European Strategy is based on the firm commitment to a regulatory framework that provides regulatory coherence throughout the Union. In particular, the aim is to establish a solid regulation that offers legal certainty to a model based on respect for rights and freedoms. Thus, initially, two initiatives have been promoted to, on the one hand, establish the regulatory bases of the governance model - already definitively adopted by Regulation (EU) 2022/868 of 30 May - and, on the other hand, to establish harmonised rules on the access and fair use of data throughout the Union.

However, while recognising the importance of the design of this general legal architecture, the effective opening and exchange of data requires a more concrete approach that takes into account the specificities of each sectoral area and, in particular, the difficulties and challenges to be faced. Therefore, building on the general regulatory framework referred to above, the Commission has presented the first regulatory initiative for one of these areas, related to health data, which is currently under public consultation and negotiation in the Council of the EU and in the European Parliament, and which is part of the project to create a European Health Data Space.

In particular, beyond facilitating the development of cross-border e-services, the proposal aims to address a triple objective:

• Establish a uniform legal framework to facilitate the development, marketing and use of electronic health record systems by establishing a compulsory self-certification scheme for certain systems, which in any case provides for some exceptions, e.g. general purpose software used in healthcare environments.

• Facilitate patients' electronic access to their own data in the framework of healthcare provision (primary use of health data). In this respect, the proposal seeks to strengthen consistency across Member States in protecting health data irrespective of where the healthcare provision takes place or the type of entity carrying it out.

• Encourage the re-use of such data for other secondary purposes. To this end, a specific governance model is envisaged with a specific body at the head - the so-called European Health Data Space Board - and the deployment of duly coordinated state administrative structures - health data access bodies.

We will look at this last point in more detail below.

The promotion of secondary uses

With regard to the re-use of data for purposes other than health care, the proposed regulation is based on the following evidence: although health data are already being collected and processed using electronic means, in many cases access to them is not facilitated to satisfy other purposes of general interest. For this reason, it is intended to establish a broad regulation that facilitates secondary uses of health data, for example the elaboration of statistics, the development of training and research activities such as technological innovation - including the training of algorithms - or personalised medicine.

However, for the purposes of denying access to health data, some secondary uses are expressly declared incompatible, such as:

• The adoption of decisions detrimental to natural persons, meaning not only those that produce legal effects but also those that significantly affect them. In this respect, changes relating to insurance contracts, such as an increase in the amounts to be paid, are specifically highlighted.

• The carrying out of advertising or marketing activities aimed at healthcare professionals, organisations in the sector or natural persons.

• Making data available to third parties that are not covered by the data permission granted.

• The development of harmful products and services, including in particular illicit drugs, alcoholic beverages, tobacco products or goods or services that contravene public order or morality.

With regard to the parties obliged to share data, in principle the proposed regulation extends to those who collect and process data with public funding, who must make them available to the competent bodies for access to health data in order to facilitate their re-use. However, given their importance in some States, the regulation also extends its scope of application to private parties providing health services - except in the case of micro-enterprises - and also to professional associations. Specifically, this regulation would affect "any natural or legal person, which is an entity or a body in the health or care sector, or performing research in relation to these sectors, as well as Union institutions, bodies, offices and agencies who has the right or obligation, in accordance with this Regulation, applicable Union law or national legislation implementing Union law, or in the case of non-personal data, through control of the technical design of a product and related services, the ability to make available, including to register, provide, restrict access or exchange certain data".

Purpose and conditions of access to health data

The proposed Regulation is based on a broad concept of health data, which includes the following categories: 

Data to be considered in the framework of the European Health Data Space: data provided by patients; data related to health effects (social data, environmental data, etc.); data generated by digital applications; data provided by health systems; data resulting from previous treatments (inferred through tests, automated, etc.). Source: Proposal for a Regulation (EU) on the European Health Data Space.

The regulation is based on a general rule: access to anonymised data as a measure to reduce privacy risks, although a specific regime is also envisaged for personal data. In this case, the request must include an adequate justification and the data will only be provided in pseudonymised form.

As regards the form of access, given the particular sensitivity of health data, it is proposed that they should be made available through a secure processing environment that complies with the technical and security standards included in the proposal. In particular, except for non-personal data, the proposal does not allow the data to be transmitted directly to the person who will re-use them. Furthermore, it provides for processing to take place in secure environments under the control of the access authorities.

Access authorities for health data

From the perspective of the governance model underpinning the proposal, States should have at least one health data access body to provide electronic access to health data for secondary purposes. In the case of multiple bodies due to requirements arising from their political-administrative organisation, one of them will have a coordinating role. Beyond the organisational freedom of the States to choose one or another organisational formula, it is essential that the independence of the coordinating body be guaranteed, without prejudice to the mechanisms of financial or judicial control.

As already indicated, the main purpose of this measure is to ensure a uniform and consistent application of the regulatory framework for access to health data for secondary purposes across the European Union, in particular as regards the protection of personal data in this sector. In this respect, it is proposed that these bodies should be given the powers to verify compliance with these rules and, in particular, to impose sanctions and other measures such as temporary or definitive exclusion from the European Health Data Space of those who do not comply with their obligations.

The harmonisation sought by the proposed Regulation is also envisaged in the establishment of a standardised process for the issuing of permissions to re-use data for secondary purposes. In particular, in cases where anonymised access to the data is not enough, reasons should be given as to why pseudonymised access is necessary. In the latter case, the request must specify the legal basis for requesting access to the data from the perspective of personal data protection law, the secondary purposes for which the data are intended to be re-used, as well as a description of the data and tools necessary for their processing.

Finally, the proposed regulation includes active disclosure obligations addressed to these bodies about the available datasets. This is an essential measure, since the existence of a catalogue of datasets at European level - based on the interconnection of national datasets - would be extremely useful for promoting not only research and innovation but also decision-making at regulatory and political level. Specifically, for each set of available data, the nature of the data, its source and the conditions for making it available will have to be indicated.

In short, this is certainly an innovative initiative to address the regulatory diversity existing in each Member State, which is, however, at an early stage of processing. Indeed, a participation procedure is currently open that allows for the submission of comments on the initial draft until 28 July 2022 through a simple procedure accessible via this link.


Content prepared by Julián Valero, Professor at the University of Murcia and Coordinator of the Research Group "Innovation, Law and Technology" (iDerTec).

The contents and views expressed in this publication are the sole responsibility of the author.