Recommendations and joint statement supporting citizens’ interests in the benefits of data driven healthcare in a secure environment
Brussels - 10 March 2014 - Healthcare Coalition on Data Protection
Representing leading actors in the healthcare sector in Europe, the Healthcare Coalition on Data Protection would like to put forward recommendations designed to clarify and improve provisions related to health as included in the European Commission’s proposal for a General Data Protection Regulation¹ and in the European Parliament LIBE Committee’s report² on this Regulation.
The Healthcare Coalition on Data Protection proposes five key recommendations on the General Data Protection Regulation to facilitate healthcare and health research for the benefit of patients:
- Maintain articles 81 and 83 in the form proposed by the Commission and clarify the exemptions from consent for healthcare and research.
- Clarify the definition of ‘personal data’.
- Avoid excessive administrative burden linked to impact assessment obligations.
- Clarify the exemption to the right to be forgotten and other rights for ‘health purposes’ and research.
- Allow international transfers of appropriately-protected data.
1 http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf
2 http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+REPORT+A7-2013-0402+0+DOC+XML+V0//EN&language=en
Page 1 of 7 10 March 2014
DETAILED BRIEFING
- The Healthcare Coalition on Data Protection welcomes the European Institutions’ efforts to modernise existing data protection legislation. The organisations represented in the Coalition fully endorse the goals to (i) harmonise the regulatory environment on the protection of personal data in the EU, (ii) strengthen the protection of personal data while maintaining the free flow of personal data; and (iii) provide exemptions for health and research purposes.
- Access to and sharing of data are crucial for delivering timely, effective and good-quality healthcare to patients and guaranteeing their safety. Not only is data fundamental to responding to patients’ needs, but it also helps in defining public health policy and improving patient care. Its value will increase in future in supporting evidence-based decision-making, ultimately contributing to health system sustainability.
- The Coalition urges EU policy makers to take into account the value of improving citizens’ health and healthcare systems through the use of data-driven approaches. These include large disease databases, personalised medicine, medical imaging, eHealth, mHealth, human genome decoding, disease prediction, biobanks, biomarkers and many more. These promising innovations rely on the collection, analysis, and sharing of health data to better understand diseases and treat them as part of an efficient and effective healthcare system.
- Certain provisions³ in the proposed Regulation as put forward by the European Commission and more significantly in the LIBE report will restrict the sharing of health data, create legal uncertainty and increase compliance costs if they remain unchanged, ultimately also delaying development and introduction of innovative treatments and other interventions. We are particularly concerned that the LIBE committee has not found the right balance in their amendments to Articles 81 and 83 and has failed to appreciate the benefits of properly-regulated data-sharing.
- Research for health purposes using personal data must only take place within a robust ethical framework and clear governance rules to mitigate privacy risks. For example, projects must be approved by an independent ethics committee and researchers are given access to personal data only under strict confidentiality controls. These safeguards are very important to protect data subjects and have been effective at preventing misuse and harm to data subjects. The Regulation should recognise that such safeguards are already in place and avoid additional, potentially disproportionate or contradictory requirements.
3 See recommendations below.
The Coalition therefore recommends:
- Maintaining articles 81 and 83 in the form proposed by the Commission and clarifying the exemptions for healthcare and research. The provisions of the LIBE report would make much valuable research involving personal data at worst impossible and at best unworkable.
  In line with the Commission’s proposal, the Regulation must provide a clear legal basis for processing for health and research purposes and:
  - Recognise that the use of both identifiable and pseudonymised data is essential to the delivery of healthcare and health research.
  - Provide an unambiguous exemption from consent for the processing of personal data for health and research purposes where appropriate safeguards⁴ are in place.
  - Facilitate the secondary use of health data for research by clarifying that it is not incompatible with the purpose data were collected for, where appropriate safeguards are established to protect the interests of data subjects.
- Clarifying the limits of the definition of ‘personal data’. The definitions proposed in the draft Regulation and in the LIBE report are deliberately broad and include data that may help to identify a data subject, directly or indirectly. In some cases, this has led to unintended consequences. For instance the serial number used to identify medical equipment (e.g. a scanner, patient monitor, etc.) may, without legal clarification, be regarded as personal data subject to the Regulation, as may location data. This would bring no additional protection for individual privacy, and will have the undesirable result of increased administrative and compliance costs within the healthcare sector.
- Avoiding excessive administrative burden linked to impact assessment obligations and regular periodic data protection compliance reviews. The proposal by the Commission and the LIBE report provide very prescriptive obligations for carrying out impact assessments. Healthcare organisations should remain able to construct their own assessment, based on the size and type of organisations, legal requirements, contractual obligations, and, where appropriate, internal policies. We support a single assessment for operations that present similar privacy risks as proposed in the LIBE report.
- Maintaining and clarifying the exemption to the right to be forgotten and other rights for ‘health purposes’ and research. Deleting data may run counter to individual treatment and patient safety, as well as to validity of research. Healthcare providers should have access to life-saving information such as an individual’s health record, which is essential for tracking patients’ past history and ensuring the most appropriate medical advice, treatment and care moving forward. Therefore it will be important to:
  - Maintain and clarify the exemption for ‘health purposes’ and research in relation to the right to be forgotten.
  - Introduce a similar exemption for the right to rectification.
  - Maintain the exemption for data retention for research.

4 These include for example ethical approval, governance processes, technical standards, organisational controls, code of conduct.
- Facilitating international transfers of pseudonymised personal data for health and research purposes where appropriate safeguards are in place. The Regulation should permit transfers of pseudonymised personal data for health or research purposes between Member States and to third countries, where safeguards are in place to prevent re-identification. Research increasingly builds upon international cooperation, such as in large-scale trials that may need several thousands of records. It also avoids duplicating research efforts and ensures best use of public financial means.
ANNEX 1: What examples of types of practices would be ruled out by the LIBE report if adopted, or by disproportionate data protection rules?
- European Medical Information Framework (EMIF) is a €56 million collaboration to link together existing health data from 40 million European citizens across seven EU countries. EMIF will make health data from a range of sources - including hospital databases, cohorts and national registries - accessible to researchers for studies on obesity and Alzheimer’s disease. The development and use of this powerful research resource would be seriously threatened if the LIBE report is adopted because the exemption from specific consent is very narrow.
- Medical image processing software needs to be proven safe and efficient before it can be placed on the market. The development and testing of such software requires actual patient data. Today hospitals strip their medical images of all identifiers (e.g. patient name, address, social security number, etc.) before providing the images to manufacturers for development and testing purposes. Most national privacy laws consider that a medical image stripped of identifiable data is anonymous; therefore no patient consent is needed to use the image for research, development and testing purposes. However, six European countries believe that it is not anonymised because the clinician can recognise the image and link it to his/her patient. As such, according to the law of those six countries, medical images can never be called 'anonymous' and therefore always require patient consent. This implies a significant cost for manufacturers. Industry estimates a 25% cost increase:
  1. The cost of collecting the patient consent is estimated at 100€ per image.
  2. A new software algorithm may require thousands of images to develop and test.
  3. Minor software updates are tested on about a hundred images. Often there are several releases per year of a particular application.

  Introducing a consent requirement will increase the development cost of medical image processing software, and slow it down, with no benefit to privacy.
ANNEX 2: Members of the Healthcare Coalition on Data Protection
HOPE:
HOPE, the European Hospital and Healthcare Federation, is an international non-profit organisation, created in 1966. HOPE represents national public and private hospital associations and hospital owners, either federations of local and regional authorities or national health services. HOPE’s mission is to promote improvements in the health of citizens throughout Europe and a high standard of hospital care, and to foster efficiency with humanity in the organisation and operation of hospital and healthcare services.
FEAM:
The Federation of European Academies of Medicine’s (FEAM) mission is to promote cooperation between national Academies of Medicine and Medical Sections of Academies of Sciences in Europe; to provide them with a platform to formulate and express their common position on European matters concerning human and animal medicine, biomedical research, education, and health; and to extend to the European authorities the advisory role that they exercise in their own countries on those matters. Our vision: (1) to underpin European biomedical policy with the best scientific advice drawn from across Europe, through the FEAM network of Academies representing over 5000 high level scientists from the whole biomedical spectrum, and (2) to improve the health, safety and wealth of European citizens through research by promoting a nurturing, creative and sustainable environment for medical research and training in Europe. FEAM’s strength lies in its member Academies that give it the authority to provide an EU-wide scientific opinion on the European medical science base and evidence to underpin European biomedical policy. The FEAM Academies represent the following EU Member States: Austria, Belgium, Czech Republic, France, Germany, Greece, Hungary, Ireland, Italy, Lithuania, Netherlands, Portugal, Romania, Spain, United Kingdom.
COCIR:
COCIR represents the Radiological, Electromedical and Healthcare IT industry in Europe. COCIR encourages the use of advanced technology to support healthcare delivery worldwide and promotes free worldwide trade of medical devices and maintaining the competitiveness of the European health sector.
EFPIA:
The European Federation of Pharmaceutical Industries and Associations (EFPIA) represents the pharmaceutical industry operating in Europe. Through its direct membership of 33 national associations and 37 leading pharmaceutical companies, EFPIA is the voice on the EU scene of 1,900 companies committed to researching, developing and bringing to patients new medicines that will improve health and the quality of life around the world. EFPIA supports a vision of modern and sustainable healthcare systems in Europe, where patients have equal and early access to the best and safest medicines, which supports innovation, empowers citizens to make informed decisions about their health and ensures the highest security of the medicines supply chain.
Continua Health Alliance:
Continua Health Alliance is a non-profit, open industry organization of healthcare and technology companies joining together in collaboration to improve the quality of personal healthcare. With more than 220 member companies around the world, Continua is dedicated to establishing a system of interoperable personal connected health solutions.
GSMA:
The GSMA represents the interests of mobile operators worldwide. Spanning more than 220 countries, the GSMA unites nearly 800 of the world’s mobile operators with more than 230 companies in the broader mobile ecosystem, including handset makers, software companies, equipment providers and Internet companies, as well as organisations in industry sectors such as financial services, healthcare, media, transport and utilities. The GSMA also produces industry-leading events such as the Mobile World Congress and Mobile Asia Expo.
mHealth is one of the focus areas of the GSMA’s Connected Living programme, a market development initiative that is designed to help operators accelerate the delivery of new mobile connected devices and services. The purpose of the GSMA’s mHealth initiative is to support cost-effective delivery of better healthcare for everyone.
For more information, please visit the GSMA corporate website at www.gsma.com or Mobile World Live, the online portal for the mobile communications industry, at www.mobileworldlive.com.
MedTech Europe:
MedTech Europe is an alliance of European medical technology industry associations. The Alliance was founded by EDMA, representing the European in vitro diagnostic industry, and Eucomed, representing the European medical devices industry. Other European medical technology associations are welcome to join the Alliance, established to represent the common policy interests of its members more effectively and efficiently. Our mission is to make value-based, innovative medical technology available to more people, while supporting the transformation of healthcare systems onto a sustainable path. We promote a balanced policy environment that enables the medical technology industry to meet the growing healthcare needs and expectations of its stakeholders. In addition, we demonstrate the value of medical technology by encouraging our members to execute the industry’s 5-year strategy.