In her first State of the Union Address which took place in September, President of the European Commission (the Commission), Ursula von der Leyen, confirmed the Commission’s plan to create a common European Health Data Space (the EHDS) which would allow Member States to share health related data to benefit its citizens.
Given that health data is intrinsically sensitive and confidential, the creation of a common space in which to share such data will be subject to scrutiny, especially from a data protection perspective. On 17 November, the European Data Protection Supervisor (the EDPS) published a preliminary opinion on the data protection issues that the creation of the EHDS gives rise to.
Background
The creation of the EHDS is part of the Commission’s data strategy for Europe which it adopted in February this year. The strategy recognises the growing importance that data plays in society, and is underpinned by the idea of a single data market which the Commission believes will cement Europe’s "global competitiveness and data sovereignty" and benefit the citizens, businesses and public administrations in Europe. A key element of this strategy is the creation of common European data spaces across crucial sectors, including healthcare.
It is also one of the first steps being taken by the Commission to build a European Health Union, which von der Leyen stated would “protect citizens with high quality care in a crisis, and equip the Union and its Member States to prevent and manage health emergencies that affect the whole of Europe”. In November, it was announced that Germany would work with the Commission to set up the EHDS, which both the Commission and Germany’s Presidency of the Council of the EU consider necessary and urgent in the current climate.
What is the EHDS and what is its purpose?
Health data has always been crucial in the provision of healthcare, but the COVID-19 pandemic has highlighted the need for collaborative sharing of and access to health data on a much wider scale in order to track and treat global health threats. The EHDS is intended to be the platform on which health related data can be safely shared to achieve not only better healthcare, which would be the primary use of the data, but also better research and better health policy making, which would be a secondary use.
The hope is that EU-wide collaboration and knowledge sharing will improve public health by accelerating the prevention, diagnosis and treatment of diseases. In addition, it would also allow patients from Member States to share their data with their chosen healthcare professionals when travelling abroad.
The NHS Confederation is supportive of the proposal, stating that the "safe sharing of health data is fundamental to the NHS’s ability to provide world-leading patient care and research […] As such, we welcome the opportunity to collaborate with European counterparts and share learning on this crucial issue".
It is not yet clear which categories of data will be processed, who will be able to provide the data, and who will be able to use it.
The EDPS’ preliminary opinion
The potential risks posed by the EHDS are significant, especially because health data is classed as “special category” data under the General Data Protection Regulation (GDPR) because use of such data could create significant risk to the individual’s fundamental rights and freedoms. Although the UK will no longer be regulated by the GDPR from 31 December, the UK has passed its own version into domestic law.
The data protection issues that the EHDS gives rise to will be considered by the EDPS, the EU’s independent data protection authority. In a preliminary opinion, the EDPS stated that he strongly supported the objectives of the EHDS, but highlighted the need to identify and apply data protection safeguards at the outset.
The preliminary opinion considers these issues under three headings:
- Context and legal basis
The EDPS highlights the need for a robust legal basis on which to process sensitive health data. The preliminary opinion explores the legal bases for processing health data and identifies the most appropriate bases in the context. The EDPS also considers the principle of purpose limitation, highlighting that the "boundaries of what constitutes lawful processing and a compatible further processing of the data must be crystal-clear". It will therefore be necessary to establish mechanisms to ensure data is not processed unlawfully for secondary purposes or other purposes not foreseen initially. To this end, the EDPS states that anonymisation of data might not solve all the problems raised, and that the conditions for further processing of healthcare data should be publically available.
- Governance
The preliminary opinion considers the need for the EHDS to strike a balance between the interests of the data subject, and the shared interest of society as a whole. A robust, GDPR compliant system of data governance will be essential as will ethical management of the data. The EDPS also calls on the Commission to clearly identify the roles and responsibilities of the parties involved, including the identification of the controller, and the precise categories of data to be processed.
- Right to data portability
The EDPS notes the right to data portability which allows a data subject to receive the personal data processed by a controller in relation to them, and to store it for personal use. Although the Commission has already committed to preserving this right, the EDPS encourages the implementation of mechanisms that allow a data subject to exercise this right effectively.
The issues flagged in the preliminary opinion will now need to feed into the development of the EHDS, and it remains to be seen how this will be done, and when the EHDS will be up and running.
Beverley Flynn