EU Policy. What personal info may be shared by Europe's new Health Data Space?

By Marta Iraola Iribarren

A new European Health Data Space opens access to personal health data to non-medical third parties, raising new privacy challenges.


EU institutions last month reached a deal on rules governing the new European Health Data Space (EHDS), setting a common European framework for the sharing of health data.

The agreement envisions the sharing of sensitive health data across the EU for research, innovation, public health, policy-making and regulatory purposes.

One issue divided lawmakers throughout the negotiations: the secondary use of data. This means the re-use by third parties of data already registered by health services, for research, innovation and public health purposes. These third parties can be public, private and non-profit entities as well as individual researchers.

What kind of data will be shared?

The most common types of health data are from health systems, such as electronic health records, data from disease registries, genomic information, claims data and medicines dispensing data.

However, the scope of the EHDS also covers any data that has an impact on health, such as information on the consumption of certain substances, socio-economic status, behaviour, and even environmental factors, including pollution and radiation, among others.

This also includes data that was initially collected for research, statistics, patient safety, regulatory activities or policy-making; data automatically generated by medical devices and wellness applications; and data from clinical trials or investigations, as long as these have been completed.

The collected data can later be used for policy-making and regulatory activities, to create statistics, for educational activities in health or care sectors, scientific research and public health surveillance, amongst others.

Other uses that were more controversial among stakeholders and lawmakers include development and innovation activities for products or services and training, testing and evaluating algorithms, including in medical devices, in-vitro diagnostic medical devices, AI systems and digital health applications.

Given its sensitivity, personal electronic health data should only be made available in pseudonymised format, and requests for data use must include justification for seeking access to this type of data.

“When providing access to an anonymised or pseudonymised dataset, a health data access body should use state-of-the-art anonymisation or pseudonymisation technology and standards, ensuring to the maximum extent possible that natural persons cannot be reidentified by the health data user,” reads the EHDS deal.

The text stresses that health data users should not attempt to re-identify natural persons from the dataset provided, with such attempts subject to fines and possible criminal penalties.

Prohibited secondary use of electronic health data

In addition to the long list of purposes for which the EHDS allows electronic health data to be used, the rules also set red lines and absolute prohibitions on use.

Collected health data cannot be used to make decisions detrimental to an individual or group of natural persons, including decisions about job offers, or to assess contributions and benefits for insurance, credit contracts or conditions on loans.

Third parties will not be allowed to use data to develop products such as illicit drugs, alcoholic beverages, tobacco and nicotine products, weaponry or products or services which are designed to foster addiction or pose a threat to public health or risk to human health.

Use of this data for advertising or marketing activities is also prohibited.

Can I refuse to share my data?

The main disagreement during the negotiations surrounded the mechanisms for personal consent to data use, and whether opt-out or opt-in would be the better option.

In the end, the EU Council and the Parliament agreed to grant patients the right to withdraw their consent for their electronic data to be processed by third parties at any point, a clause not foreseen in the Commission's original legislative proposal presented in 2022.

However, the deal also contemplates the potential for override of the opt-out in certain public interest circumstances such as cross-border health threats and use for specific scientific research.


Scientific research for important reasons of public interest might include research addressing unmet medical needs, including for rare diseases, or emerging health threats.
