How the GDPR enables 'good' health data sharing

Contrary to popular misconception, the GDPR was never intended to block enterprise and innovation, particularly not in areas like health, where fully leveraging the potential of data-driven insights has life- and world-changing potential.

Bogdan Barburas of Trace explains why GDPR is actually an enabler and not a blocker of health data sharing for research.

Today’s complex healthcare challenges, whether looked at through the lens of affordability, availability, or efficacy, have become a top priority for both patients and governments worldwide. Our health and well-being is our first foundation, and getting healthcare right really is a matter of life and death. Health data is an increasingly vital resource for tackling healthcare challenges by facilitating and advancing medical research, providing the bedrock of patient care improvements, and enhancing public health outcomes.

However, the fragmented nature of health data is a significant barrier; a large number of organisations might hold data about the same individual without knowing what additional data may be held by the others and how that could be used to make more informed decisions or to draw more accurate conclusions. When health data is actively being shared among public or private researchers, it accelerates the discovery of new treatments and the understanding of diseases, leading to more effective and targeted treatments. For healthcare providers, access to additional patient data ensures better coordination and continuity of care, reducing medical errors and improving overall patient outcomes. Public health officials rely on shared health data to monitor and respond to health crises and to plan ahead for populations’ health needs. A collaborative environment where health data is readily available fosters significant progress in healthcare and public health, ultimately benefiting individuals and communities worldwide.

Positive on public health and private enterprise

In Europe, health data sharing practices are crippled by the misconception that the General Data Protection Regulation (GDPR) blocks such initiatives. Although the GDPR is rather complex when it comes to processing health data, it sets out some broad exemptions under art. 9(2) that enable processing of health data with reduced friction if it is carried out for certain purposes and if specific conditions are met. As will be shown in the following paragraphs, these exceptions appear to provide fertile ground for the flourishing of EU health data sharing practices for research and research-adjacent purposes.

The legal bases under art. 9(2) that allow health data to be processed include consent, vital interests, substantial public interest and many others, but the key one is art. 9(2)(j): processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. This particular legal basis allows health data sharing to occur with minimum legal friction because no consent is needed, because of its wide applicability, and because of the derogations from the principles and data subject rights that are available to data controllers. Even though a legal basis is also needed under art. 6, the Article 29 Working Party states in its Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC that processing for research purposes can represent a legitimate interest, so potential combinations of these categories of legal bases could be art. 6(1)(f) legitimate interests combined with art. 9(2)(j) research, or art. 6(1)(e) public interest combined with art. 9(2)(j) research.

‘Research’ can be a very broad church

But first, how broad is ‘research’? Recital 159 provides broad examples of what scientific research can include, such as “technological development and demonstration, fundamental research, applied research and privately funded research”. Recital 162 defines processing for statistical purposes as “any operation of collection and the processing of personal data necessary for statistical surveys or for the production of statistical results”. As can be concluded from these recitals, the GDPR adopts a broad definition of research, likely to encompass the activities of both public and private entities.

Moreover, the research purpose seems to be decoupled from the public interest, because both are standalone legal bases under art. 9(2). This is supported by Recital 159, which states: “Scientific research purposes should also include studies conducted in the public interest in the area of public health”. This means that not only can private entities use the research exemption under art. 9(2), but they may also do so for non-public-interest purposes, such as profit-oriented ones.

But how can an organisation that collects and processes health data for one purpose share it with a third party for further research purposes? Firstly, art. 6(4) allows further processing without the consent of the data subject if the initial purpose is compatible with the further purpose. Secondly, art. 5(1)(b) clarifies that “further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes”.

This means that health data collected and processed for, say, the provision of health care services can be further processed for research purposes without the consent of the data subjects and without a favourable compatibility assessment. What is not clear is whether such further processing for research purposes may be conducted by a third party, but the definition of “processing” in art. 4(2) includes “disclosure by transmission, dissemination or otherwise making available”, meaning that further processing for research purposes by a third party is covered by the provisions of art. 6(4) and 5(1)(b).

Member States can further relax the rules

The GDPR is not only agnostic on the legal bases that can be used for health data sharing, but also allows organisations that rely on art. 9(2)(j) to take advantage of the following derogations:

  • Storage limitation, art. 5(1)(e): health data may be stored for longer than would otherwise be necessary

  • Purpose limitation, art. 5(1)(b): health data may be further processed without needing the consent of the data subjects or a favourable compatibility assessment

  • Right to be informed, art. 14: the data subjects do not have to be informed if the “provision of such information proves impossible or would involve a disproportionate effort”; however, alternatives may be pursued, such as a general notice that specific categories of health data from hospital X are being used for research.

  • Right to be forgotten, art. 17: health data does not have to be deleted if deletion would impair the achievement of the research being conducted.

Member States may provide additional derogations or specifications where such derogations are necessary and the exercise of the following rights “are likely to render impossible or seriously impair the achievement” of the research purposes:

  • Right to access, art. 15

  • Right to rectification, art. 16

  • Right to restriction of processing, art. 18

  • Right to object, art. 21.

Member States may also introduce further conditions, including limitations, on the processing of health data pursuant to art. 9(4). Although we have shown that the GDPR is not a blocker to health data sharing for research purposes, much will boil down to the additional limitations Member States introduce on the processing of health data under the GDPR, and to their implementation of the upcoming European Health Data Space (EHDS).

Conclusion: The ends really can justify the means

In Europe, sharing health data for research is not as legally prohibitive as one would expect. Organisations do have to pseudonymise or anonymise the data and deal with the wrinkles of national legislation, but these are a small price to pay given the vast amount of health data not currently being used to advance medical research, provide the bedrock of patient care improvements, and enhance public health outcomes. Moreover, the EHDS will likely accelerate such sharing, but organisations may gain a first-mover advantage by engaging in such crucial sharing of health data from today.

Thus:

  • Organisations may use art. 9(2)(j) of the GDPR (processing is necessary for scientific research purposes or statistical purposes) for frictionless health data sharing.

  • Research is broadly defined, may be conducted by both public and private entities, and may be conducted for both public interest purposes and profit-oriented ones. Similarly, statistical purposes are broadly defined.

  • Organisations can rely on the provisions of art. 6(4) and 5(1)(b) of the GDPR to process health data for further research/statistical purposes other than the initial purposes for which the data was collected, without needing the data subjects’ consent and without conducting a compatibility assessment between the initial purpose and the (further) research/statistical one.

  • Further processing for research/statistical purposes may include “disclosure” to a third party.

  • Organisations that use art. 9(2)(j) can benefit from derogations (exclusions or relaxations of the law) concerning storage limitation, purpose limitation, and various data subject rights.

  • EU Member States may provide both additional derogations and limitations to the processing of health data.

This article was authored by Bogdan Barburas CIPP/E | CIPT | CIPM | CIPP/US | AIGP. It should not be taken as legal advice.

About Trace:

Trace helps global companies navigate global data regulations and implement practical steps for a risk-based and pragmatic approach to data governance and global privacy compliance with the relevant laws and frameworks. We have worked on significant data-sharing-for-good projects; read one of our case studies here.
