In 2012, the European Commission put forward a proposal to revise existing data protection legislation, to harmonise standards for data access and processing. After prolonged discussions, the Council and the European Parliament have finally agreed on a proposal to ease restrictions on the use of health data for research purposes, which was welcomed by the European Council of 17-18 December 2015.
Agreement reached on European Commission’s EU data protection legislation
In 2012, the European Commission put forward a proposal revising the existing data protection legislation aiming at a harmonisation of the standards for data access and processing.
Following Edward Snowden’s disclosures on US and British mass surveillance of digital communications in 2013, the European Parliament revised the proposal, adding several amendments in order to increase the protection of personal data.
These amendments led not only to a heated debate at EU member state level, particularly with regard to sovereignty issues, but they have also caught the attention of several stakeholders, including from the health sector, as the measures proposed by the Parliament would have posed a serious threat to the use of health data for research purposes.
Numerous health associations involving medical professionals, researchers, patient advocates and industry representatives called on the EU institutions for a more balanced approach between promoting both ‘privacy and research’ in order to ensure continued access to health data for research purposes.
The ESR has been active on this dossier since the publication of the first proposal in 2012, reiterating the importance of ensuring privacy rights for personal data whilst providing adequate access to such data for research and healthcare purposes.
After prolonged discussions, the Council and the European Parliament finally agreed on a proposal easing restrictions on the use of health data for research purposes, which was welcomed by the European Council of 17-18 December 2015.
The proposal now provides a balanced approach between protecting the personal data and making data accessible for research purposes stating that: “Derogating from the prohibition on processing sensitive categories of data should also be allowed if done by a law, and subject to suitable safeguards, so as to protect personal data and other fundamental rights, where grounds of public interest so justify and in particular for health purposes, including public health and social protection and the management of health-care services, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system, or for historical, statistical and scientific research purposes.”
However, paragraph 123 emphasises that: “The processing of personal data concerning health may be necessary for reasons of public interest in the areas of public health, without consent of the data subject. … Such processing of personal data concerning health for reasons of public interest should not result in personal data being processed for other purposes by third parties such as employers, insurance and banking companies.”
Moreover, paragraph 53 ensures that any person has the right to have their personal data rectified or ‘the right to be forgotten’ but allows the further retention of data when necessary, by stating: “for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, for reasons of public interest in the area of public health, for archiving purposes in the public interest, or scientific and historical research purposes…”
The revised proposal is also welcomed by numerous health stakeholders, including the European Organisation for Research and Treatment of Cancer (EORTC), the European Patients’ Forum (EPF), the European Association of Urology (EAU), Science Europe, the Wellcome Trust, and others.
Following the political agreement reached in 2015, the final texts will be formally adopted by the European Parliament and Council at the beginning of 2016. The new rules will become applicable two years thereafter.
The Commission will work together with the Member States and the Data protection authorities – the future European Data Protection Board – to ensure a uniform application of the new rules.
Further information on the revised data protection framework can be found in the links section.
Moreover, the ESR’s Patient Advisory Group (ESR-PAG) will hold a session dedicated to ‘data-sharing’ during the upcoming European Congress of Radiology (ECR 2016), the ESR’s annual congress, taking place in early March in Vienna/AT.
The session, titled ‘ESR-PAG 2: Mind the gap – data-sharing for better patient outcomes – the key issues for patients and the radiology community’, will take place on Saturday, 5 March 2016, from 10:30 to 12:00h in Room L8.
It will reflect on the above-mentioned issues, providing an overview of the importance of health data for research as well as eHealth and interoperability, particularly in the era of ‘big data’ and yet addressing the legal challenges and issues in the light of data protection and the patient's point of view.
For further information on the ECR 2016 programme, please check the links section.