Enable data-driven healthcare & research for citizen benefit while protecting patient privacy

Call to Action

This Call to Action was created for use by Member State representatives, DPAs and health leaders, and is intended to be aligned to the principles, conclusions and direction of "Health in the Digital Society, Digital Society for Health", Tallinn, Estonia, October 16-18, 2017.

The EU's General Data Protection Regulation (GDPR) represents an important step forward for EU residents and the protection of their personal data. The Regulation clarifies data subjects' rights, brings more organisations under its remit, and imposes significant sanctions for noncompliance with its terms. Health data, one of the more sensitive types of personal data, is specifically called out in the new data protection rules.

When the GDPR was drawn up, one of the overall goals was to establish harmonized data protection rules across the EU. On some issues, however, the final text gives EU Member States some flexibility to adapt the rules to their national interests. One area where such flexibility is foreseen relates to the use of health data. We believe it is important that Member State policymakers use this flexibility in order to enable data-driven healthcare and boost research ecosystems.

Decisions taken now will govern life-changing moments for patients for years, even decades, to come. Consider the following scenario:

- 100 patients in an EU country are treated for a particular type of cancer. Their data is kept in official records.
- In the next few years, 40% move out of this EU country and become potentially unreachable.
- Olivia presents with a rare variant of the same disease. Conducting a new study of the historical data holds the key to her getting the best possible treatment.
- If this EU country requires specific consent for all research and treatment uses of data: 40% of the data may be unusable unless all identifying (but useful) information is removed, and the result of the study may be statistically biased.
- If this EU country does not require consent for justified use of data for research and treatment: 100% of the data is usable and leads to a breakthrough. Olivia is safely treated.

When implementing the GDPR, EU Member States should take the following four considerations into account.

1. Take Advantage of the Flexibilities in the GDPR to Enable a Wide Range of Beneficial Uses of Health Data

We encourage Member States to exercise the power given to them under the GDPR to allow the processing of health data for healthcare, scientific or statistical research purposes, or for reasons of substantial public interest, even in scenarios where consent is not feasible or appropriate.

Under the GDPR, organisations must have a legal ground to process personal data. When it comes to health data, the default ground is generally consent. In the medical context, however, the GDPR gives Member States the ability to permit processing of health data without consent in some circumstances. This includes instances where processing is necessary for medical reasons (including treatment, diagnosis, preventive medicine and workplace health) and for the management of health or social care systems and services, the so-called "primary" or "direct" processing scenarios. The GDPR also allows processing of health data without consent where it is necessary for scientific research purposes, or for public interest in public health, known as "secondary" processing. To benefit from these flexibilities for the processing of health data, the GDPR foresees that EU Member States or the EU must pass legislation which permits and enables these uses.

Allowing for these uses can make sense. In oncology, for example, cancer registries have enabled numerous advances in cancer treatment and prevention. If such registries were required to ask every patient for consent, participation rates would often be lower than required, leading to statistically biased results. Moreover, for registries already holding several decades' worth of data, it would likely be impossible to retroactively contact each individual data contributor to seek consent for each new research project.

This issue faces public and private researchers alike. A great deal of valuable healthcare and research collaboration occurs outside the public sector, for instance in consortia mixing private and public entities such as universities and hospital research units. The positive discretion under the GDPR presents an opportunity for EU Member States to allow the best possible use of health care data with an appropriate balancing of patient privacy rights. EU Member States which do not use this opportunity could disadvantage patients, domestic researchers and healthcare providers in the development of potentially life-saving and cost-saving advances in research and care.

2. Researchers Need to be Confident They Can Process Health Data Lawfully

Besides implementing legislation, EU Member States also have the opportunity to provide supportive guidance and interpretation of key terminology in the GDPR. Constructive interpretations by EU Member States of terminology such as "scientific research" and "adequate safeguards" can stimulate research and enable public health officials, healthcare providers and patients to benefit from advances that will improve health outcomes and reduce the cost of care.

The GDPR allows the use of health data for a range of research purposes, including scientific research, without the specific consent of the data subject where national or EU law so allows. To be lawful, however, the processing must be subject to appropriate safeguards. Clear guidance on what constitutes scientific research and what types of safeguards are appropriate will help empower data-driven research.

The GDPR provides some guidance for this interpretation. For example, it states that scientific research is to be broadly construed and can include technological development and demonstration, as well as privately-funded research. We encourage wider affirmation of this basic principle: it is essential that these principles and positions be reflected in guidance, codes of conduct and public discourse, given their essential practical role in day-to-day implementation of the GDPR.

In terms of appropriate safeguards, the GDPR mentions pseudonymisation and data minimisation as possibilities, but otherwise does not specify what else would satisfy the requirement. To provide certainty and enable healthcare providers and researchers to rely on this ground with confidence, regulators should identify other examples of appropriate safeguards that will be deemed acceptable. In doing so, they should draw on the substantial research ethics and data guardianship expertise that researchers in both the private and public sector have accumulated over many years.

In order to ensure compatibility with other countries and maintain the ability to participate in global research initiatives, EU Member States should also aim to ensure that their interpretations and guidance remain open-ended and flexible.

3. Refrain from Imposing Additional Limitations on Health Data

We encourage Member States to be cautious in maintaining or introducing further conditions, including limitations, on the processing of health data, particularly as it relates to processing of health data for primary use. Imposing additional restrictions and requirements on such processing may have the unintended consequence of undermining the delivery of care across Member State borders and hindering the development and use of innovative care tools.

The EU's primary purpose in replacing the 1995 Data Protection Directive with an EU-wide Regulation was to unify the data protection regimes of Member States, in order to create a more consistent regulatory environment and a single European Research Area. Member States should of course keep that goal of unification in mind as much as possible. Despite that goal, the GDPR does allow Member States some negative discretion to adopt even stricter rules in relation to health data. However, there are important legal limits to how much stricter those rules can be. For example, the GDPR is clear that local data protection rules must not prevent healthcare providers from processing or storing health data in other EU Member States.

For both legal and ethical reasons, Member States should refrain where possible from exercising their negative discretion. Maintaining or adopting new limits on the processing of health data would impede the roll-out of many new, emerging and future technologies and studies that promise to deliver better quality, more affordable care. At the very least, Member States should avoid introducing any further rules that would interfere with a healthcare provider's selection of tools or technology for use in the treatment of individual patients, including diagnosis, billing or other primary uses of the patient's data. Requiring providers to seek consent to use particular types of technology for purposes such as diagnosis, billing or other primary uses of patient data (such as analysing data in the cloud to help inform a diagnosis) could impede the provision of high quality care for individuals.

Requirements that health data be stored or processed in a particular location (e.g. hospital premises, or the Member State in which care is being provided) have a similarly detrimental effect on care. They are also at odds with the Union's goals in this area, including free movement of data, ensuring health care for a mobile workforce, and an integrated single market for technology and services. In addition to their adverse impact on direct care, policymakers should also be acutely conscious of the adverse effect that localisation requirements have on scientific research. They could in effect ban otherwise legitimate projects or push up compliance costs. They will also disrupt Europe's ambitions to build a common research area by subjecting multi-country research efforts to a dizzying patchwork of local rules.

4. Provide Guidance Related to Appropriate Security Measures and Codes of Conduct

EU Member States should build on the expertise of the private and public healthcare industry and its partners regarding security controls and safeguards for sensitive health data. This expertise will help EU Member States adopt security policies and supporting codes of conduct which align with global security standards and best practices.

The GDPR requires that parties processing personal data implement security practices that are appropriate to the level of risk. In order to determine the level of security for health data, a number of criteria need to be considered, including state-of-the-art security tools, the costs of implementation, and the nature, scope, context and purposes of the data processing. Recognising that state-of-the-art security and the cyber risk landscape evolve rapidly, the GDPR does not mandate specific security practices to be followed. As Member States and organisations contemplate which security practices are optimal, they should look to global best practice standards and default to globally harmonized solutions.

In the health sector, regulatory and industry practices in many Member States are increasingly aligned to established global standards. For example, in the Netherlands, the NEN-7510 standard serves as the security baseline for healthcare organisations handling patient health data and is based on the established ISO/IEC 27001 international security standard. Similarly, a new framework being rolled out in France to govern the hosting of health data relies heavily on ISO/IEC 27001 and other ISO standards. Industry has already been using ISO/IEC 27001 for many years and can therefore provide expertise to Member States aligning to these global standards.

The GDPR also encourages the use of data security codes of conduct and sets out a legal framework for their official recognition. Codes of conduct have the benefit of being adaptable to technological and legal developments and therefore tend to be more future-proof than laws. Member States should seize upon that opportunity to leverage the experience and thought leadership of health and technology sector associations in establishing the appropriate security measures for the processing of health data. Ideally, Member States can help industry to enshrine these practices in easily-updated codes of conduct, rather than in laws or government policies which may be more challenging to keep updated.

Specific implementation recommendations for Member State policymakers

1. Take advantage of the flexibilities built into the GDPR to allow for a wide range of beneficial uses of health data. This includes a full and flexible implementation of the grounds in Article 9(2) of the GDPR.

2. Ensure legal clarity for the research community on the use of health data by providing clear definitions for key terminology. It is of particular importance to define broadly the concept of "scientific research" as set out in GDPR Recital 159, which ensures that health data can be processed for public research, private research and technological development.

3. Through dialogue with public health authorities, members of the research community, patient stakeholder groups and members of the healthcare and medical technology sectors, clarify the additional types of appropriate safeguards that can be put in place for processing health data for research purposes under GDPR Article 89(1).

4. Resist maintaining or imposing local limitations on the use of health data under GDPR Article 9(4), particularly where direct care for patients may be affected (for instance, by additional local conditions on the use of cloud computing resources by clinicians), so that patients can enjoy the full benefit of cross-border healthcare services and international research collaboration.

5. Base any local data security requirements on global security standards and best practices, and leverage the expertise of health and industry associations in efforts to define appropriate security measures, including through support for codes of conduct that embody those requirements.