The GDPR provides the general framework, requirements and rules on health data collection and use which, in large part, apply uniformly to all Member States. However, despite its general application, the GDPR does allow Member States to adopt national-level rules on issues such as professional secrecy, use of data for scientific research, use of data of a deceased person and the processing of genetic, biometric and health data.
The GDPR requires that all processing of data has a legal basis and that appropriate safeguards are in place. The high financial and reputational cost of being in breach of the GDPR is a worry to hospitals. The lack of national or local guidance about the interpretation of how to comply with the GDPR for research adds to uncertainty in many countries today, which will hopefully lessen as countries update their national data protection laws.
In contrast, the use of health data (for example, in EHRs) for direct patient care and internal quality monitoring is less of a problem to most hospitals. Cross-border care transfers are sometimes seen as a cause for concern, but if the transfer is within Europe and the purpose is to support safe continuity to a hospital patient receiving care whilst abroad, the legal basis should be the same as for a hospital’s internal data use for direct care.
It is important to recognise that there are also legal bases that are applicable to scientific research conducted on personal data. These also cover special category data, under which most health data fall. Safeguards such as pseudonymisation can be used, provided that one remembers that pseudonymised data is still personal and has to be kept securely and only used for legally acceptable purposes (such as research). Although it is not always easy to anonymise clinical data whilst retaining its research usefulness; this method can render the data non-personal and not within scope of the GDPR. Good anonymisation practices can be applied to data before it is used for research.
Hospitals should therefore not see the GDPR as an obstruction to making better use of their health data, for learning and for research. However, they should take legal advice to ensure that they are adopting and complying with the right legal basis, and also take ICT security advice on how to safeguard the data being used for research.
The organisation’s healthcare workforce will need to develop new competences and skills and a critical understanding of the need to shift away from the currently prevailing culture of individual responsibility for data stewardship towards shared data use and shared responsibility. Likewise, it is important that legal professionals understand and appreciate the cultural and ethical peculiarities embedded in healthcare systems and provide effective support to decision making on soft law and accompanying measures and safeguards.