Under the Commission’s draft EHDS regulation, electronic health data could be further processed for a specific set of purposes, such as scientific research in the health and care sectors, development and innovation activities for products or services contributing to public health or social security, or for the purposes of training, testing and evaluating algorithms.
The EDPB and the EDPS have expressed concerns about secondary use for development and innovation activities, and for training, testing and evaluating algorithms, and strongly recommend that these purposes are further delineated and circumscribed to instances where there is a sufficient connection with public health and/or social security.
What categories of data will need to be made available, and by whom?
Under the draft EHDS regulation, ‘data holders’ are required to make a very broad spectrum of electronic health data available to data users for secondary use. The definition of ‘data holder’ is wide and includes an entity in the health or care sector, or performing research in relation to these sectors, with the right, obligation or ability, to make available certain data. The EHDS makes clear that private entities are included in the scope of ‘data holders’, so the term could apply to pharmaceutical companies.
The categories of data to be made available include data processed for the provision of health or care services, or for public health, research, innovation, policy making, official statistics, patient safety or regulatory purposes. As currently expressed, this definition appears to cover all electronic health data that an entity may hold without any sort of limitation. For example, health data is not limited to data that is collected for the purposes of providing health or care services, and as such is likely to capture clinical trials and safety related data.
It is unclear whether unstructured data would need to be provided, or whether the data holder would be required to convert the format of electronic health data for secondary use if it is not in an interoperable format. Stakeholders would benefit from more guidance on exactly what data will need to be made available and by whom.
The role of health data access bodies
Health data access bodies, established by EU member states, will play a significant role in the provision of access to electronic health data for secondary use.
Generally, prospective data users will need to submit applications to the health data access bodies for access to datasets, and the health data access bodies will be empowered to decide on applications and authorise and issue data permits. Where a data permit is granted, the data holder will be required to deliver the dataset to the health data access body, which will in turn ensure that electronic health data is shared with the data user in an anonymised format through a secure processing environment, which the health data access bodies will be tasked with coordinating.
Where a data user’s purpose cannot be achieved by processing anonymised data, the health data access body will be entitled to provide a data user with access to electronic health data in a pseudonymised format following consideration of the data user’s reasons for requiring such access – which will need to be detailed in the data access application. However, this would not override any national law requirements to obtain, for example, an ethical assessment from a research ethics committee or a data protection authority.
In circumstances where a data user seeks access to electronic health data from a single data holder in a single member state, the data user in question will be able to file a data access application or data request directly to the data holder. In this case, it will be the data holder’s responsibility to anonymise or pseudonymise data, as appropriate, prior to disclosure.
Opportunities and risks to pharmaceutical companies
The opportunities that the EHDS could unlock for the pharmaceutical sector are vast, but there is also significant uncertainty over the way the proposal is to be interpreted and over the protections it offers. We have set out some examples of the opportunities and risks below.
Offers a legal basis for processing health data under the GDPR
The legal basis for processing health data under the General Data Protection Regulation (GDPR) requires careful consideration given its sensitive nature. The draft EHDS regulation seeks to support stakeholders by clarifying the legal bases for processing and the grounds for exception to the general prohibition on processing special categories of personal data, like health data, that applies under Article 9 of the GDPR.
However, the EDPB and the EDPS have expressed concerns that there is no reference to the principles of the GDPR in the draft EHDS regulation’s criteria for assessing data access applications. For example, there is no reference to an assessment of the legal basis on which data users can process electronic health data for secondary use.
There is also ambiguity as to how the draft EHDS regulation will interact with national laws on processing special categories of personal data that EU member states may have drawn up using the powers available to them under the GDPR, which might include local requirements to obtain research ethics committee assessments, for example.
Given the Commission’s express desire to ‘build upon’ the GDPR with the EHDS, it will be interesting to see whether more guidance and legislation will be forthcoming on this subject.
Secure processing environments
The EHDS seeks to ensure that electronic health data is accessed through secure processing environments which comply with high technical and security standards, thereby providing strong technical and security safeguards. Expert groups may be created under the draft EHDS regulation to advise on the minimal requirements and technical specifications of these environments to reduce privacy risks associated with processing health data.
So far, no information has been provided about the functionality of secure processing environments and how they will support the use of electronic health data for secondary use purposes in any meaningful way – for example, how learnings might be extracted from the secure processing environment where a dataset is used to train artificial intelligence systems.
However, there are some examples of ‘secure processing environments’ being set up by some member states already. The development of these programmes may give an early indication of how a centralised EHDS will operate.
The Health Data Lab, established by Germany’s Federal Institute for Drugs and Medical Services, is one such example. It is designed to provide researchers and public institutions with access to anonymised or ‘synthetic’ datasets relating to health claims in a secure processing environment for analysis by artificial intelligence tools.
Data and intellectual property rights
Intellectual property (IP) rights are considered the crown jewels for pharmaceutical companies, so it is not surprising to see that the draft EHDS regulation tasks health data access bodies with taking all measures necessary to preserve the confidentiality of IP rights and trade secrets that might subsist in a dataset. That said, there is very little clarity offered on exactly what measures will be available to protect the rights of data holders when providing data, and data users when generating and extracting data from the secure processing environment.
In terms of the insights generated in the secure processing environment, the results or output of secondary use purposes, including information relevant for the provision of healthcare, must be made public by a data user in an anonymised format no later than 18 months after the processing has been completed or the data user has received the answer to its data request. The draft EHDS regulation provides limited details about how these insights will be protected.
Copyright might protect how an insight has been expressed, but it won’t apply to the insight itself. An insight could benefit from protection if it is patentable, is subject to the duty of confidentiality, or meets the requirements for protection as trade secrets. Database rights are unlikely to offer much protection to a data user’s findings.
A clear position on the protection of IP rights offered under the EHDS will be vital, as prolonged uncertainty risks disincentivising investment in R&D activities.
Looking to the future
More clarity over the way the EHDS is to be interpreted and the protections that apply is needed if the initiative is to reach its full potential.
Public trust needs to be fostered too. The safeguards offered by proposed secure processing environments might go some way to earning public trust, but transparency and user control are also important factors. Currently, there is no right for individuals to opt out of their health data being used for secondary use – something that the EDPB and EDPS highlighted needs to change.
If these points are not addressed in full by the Council of Ministers and the European Parliament in the EHDS proposals, guidance and implementing acts will be important in addressing some of the concerns businesses may have with the original proposal the Commission published.
Written by Anita Basi of Pinsent Masons.