Making privacy work
Since the European Union (EU) began enforcing the GDPR in 2018, citizens have been given considerable power regarding the personal data generated about them. But the reality is that GDPR is open to interpretation. Countries interpret the GDPR rules in different ways, making it very difficult for companies in – say – the digital health space to develop products for the European market. To address this, Germany, which will have the presidency of the European Council in the second half of 2020, has announced plans to push for a GDPR code of conduct providing guidance to healthcare systems and governments on secondary use of data.
This would form part of plans for a European Health Data Space (EHDS) to foster the exchange and sharing of different kinds of health data, such as electronic health records, genomics and registries. “GDPR is a positive and good tool, but its interpretation has differed throughout the Member States, which has led to fragmentation and a deep lack of understanding in how it works for research purposes,” Petra Wilson, EU programme director for the Personal Connected Health Alliance (PCHA), told Healthcare IT News sister publication HIMSS Insights. “We would welcome any clarity that can be given to the safe sharing of data.”
‘Urgent need for clarity’
Dr Priit Tohver, advisor for e-Services innovation at the Ministry of Social Affairs in Estonia, said there is an “urgent need for clarity” on how to apply GDPR. He highlighted the issue of differing interpretation of what constitutes deidentified health data.
Some experts believe that if a theoretical chance of reidentification exists, then health data cannot be regarded as anonymous. Others, including Tohver, hold that factors such as cryptographic techniques can ensure the safety and privacy of data, and therefore negate the need for application of GDPR. He argues this risk-based approach could actually enhance security by focusing on the development and application of cutting-edge cryptography.
“Whereas the first approach may provide some added benefit in the form of determining liability, the second approach offers the same level of data protection without sacrificing the time and resources needed to apply GDPR to each research project,” Tohver says.
A number of stakeholders across Europe have established their own rules, concepts, and technological tools to implement patient consent. In March 2019, the Italian Data Protection Authority issued a clarification on health data, which states that medical staff do not need patient consent to process data for providing healthcare services, although consent is still required for processing data beyond this, such as the use of medical apps, inclusion in electronic health records (EHRs) and marketing purposes. Such a model could potentially provide inspiration for an EU-wide code of conduct.
The European Commission is conducting an expert study to map Member States' rules on the use of personal data in the health sector to support work on a code of conduct, with the final report to be delivered later this year.
Sharing health data
In the European Strategy for Data, published in February 2020, the Commission outlines a key action for the EHDS “to improve safe and secure accessibility of health data allowing for targeted and faster research, diagnosis and treatment” by 2022.
As well as supporting the delivery of primary care, this aims to assist the development of new treatments, medicines, medical devices and services.
Tohver is enthusiastic about the possible benefits of the EHDS for research and innovation. “Imagine, for example, the potential for better regulation and pharmacovigilance at the European Medicines Agency if they had access to deidentified data on health outcomes and side-effects following drug use, or how much faster the European Centre for Disease Control and Prevention could operate if data about disease outbreaks reached them in near real time?
“Empowering these two regulatory agencies alone could lead to better epidemic response and drug safety while increasing the value in medicine,” he says.
The proposed EHDS would build on existing initiatives, such as the cross-border exchanges of electronic patient summaries and ePrescriptions, and co-operation of the European Reference Networks for patients with rare and complex diseases.
“Many of the components required for an EHDS already exist or are in development. For example, the semantic work being done under the eHealth Network is an important pre-requisite for the EHDS,” says Tohver, who is the network's representative for Estonia.
However, he adds that the project might benefit from smaller scale implementations, “between certain countries or within certain regions that are ready to be frontrunners”.
One model for the EHDS could be Findata, the Finnish national authority which grants permits to different data registers. In May last year, a new act on the secondary use of health and social data came into force in Finland, aiming to 'guarantee secure access to data' for authorities, institutions and companies, and allow them to use it in research, development and innovation activities.
“Central to any model will be the need for national data spaces with a single point of contact or national node to interact with other states and third parties,” says Tohver.
‘Complex endeavor’
However, the undertaking of the EHDS is no mean feat, according to Dr Saif Abed, founding partner and director of cybersecurity advisory services, AbedGraham.
“It’s a highly complex endeavor that has to capture many vested interests across public and private sectors, straddling multiple jurisdictions to control the arguably most valuable commodity in the 21st century - health data. There will be significant political and security debate attached to this,” says Abed.
He also warned of the looming danger of cyber-attack on a large scale. “The adoption of a unified, consistent approach to storing, leveraging and managing huge datasets for research could have a tremendous impact accelerating the development of everything from therapeutics to care pathways. This by definition paints a target for attackers to exploit the treasure trove of vulnerabilities that will come with the development of an EHDS,” he says.
As the EU grapples with these challenges, it is clear that, despite the many hurdles, there is the opportunity to change the way health services are delivered, paving the way for personalised medicine, early detection of infectious outbreaks and accelerated development of medicines and medical devices.
This article was first published in the latest edition of HIMSS Insights, Data Meets Privacy. Healthcare IT News and HIMSS Insights are HIMSS Media publications.