After months in the pipeline, it looks like the European Health Data Space (EHDS) is finally entering into force later this year. But what does this mean for your organisation?
This is the third post in our EHDS series. In this post, we focus on the change that has been generating all the headlines: a new pathway to access health data for secondary uses like research and innovation. We examine the impact of this pathway on intellectual property rights and GDPR compliance.
Take a look at our previous post for analysis of key terms, such as “data holder”, “data user” and “electronic health data”. In this series, we examine the latest publicly available draft, dated 24 April 2024.
As a reminder, the EHDS introduces a new regulatory pathway through which âdata holdersâ (defined widely to include hospitals, public health bodies, CROs, pharma, and medtech) must make a wide range of âelectronic health dataâ available to âdata usersâ for a defined list of permitted secondary uses. These permitted uses include scientific research, certain development and innovation activities, and training algorithms. This will be great news for AI developers, who need vast amounts of data to train and validate their models. This pathway is all about facilitating friction-free access to health data for researchers and innovators in the post-Covid world.
The mechanics: how does the pathway work?
Data access applications: New health data access bodies are to be set up in each Member State, and these effectively act as gatekeepers in accessing electronic health data under the new framework:
- Application: A health data user must submit an application to an access body, in order to access electronic health data from a health data holder. This should be accompanied by the fee chargeable by the access body.
- Review by health data access body: The health data access body may then grant or refuse the application within three months of receipt, although this may be extended by a further three months if an application is particularly complex or given volume of requests.
- Data permit and data sharing: If the access body grants the application, it will issue a data permit and request the relevant data from the holder. The holder has up to three months from receipt of request to make the requested data available to the access body (although this may be extended by a further three months in justified cases).
- Data user access in secure processing environment: The access body will then make the electronic health data available to the data user within two months of receipt from holder, unless the access body specifies a longer period of time. Data users may access and process the electronic health data within a secure processing environment, in accordance with the terms of the data permit. Users may only download anonymous data. Data users are prohibited from re-identifying any individuals in the datasets, and must publicise the results or outcomes of their use of the data within 18 months of completing processing of the electronic health data in the secure processing environment.
Health data requests: There is a streamlined process for âhealth data requestsâ. These are requests to access electronic health data in an anonymised statistical format, and require a less detailed application. The access body will assess the application within three months and provide the results to the user within three months.
âSimplified procedureâ for access from a trusted health data holder: There is an alternative pathway to access electronic health data from certain âtrustedâ holders. Rather confusingly, this is called the âsimplifiedâ procedure. In reality, it is more complex and it is unclear what the benefits are to holders. This pathway allows health data holders to be designated as a âtrustedâ holder, provided that they meet various conditions around expertise and compliance with the EHDS.
If a data user wishes to access electronic health data from a âtrustedâ holder, it would then submit its application to an access body as usual. The access body will then forward this onto the trusted holder, who will have two months to assess the application and provide a proposal for a decision on whether to grant the request. However, the health data access body retains responsibility for the final decision and is not bound by the trusted holderâs proposal. If successful, the trusted holder may make the data available through its own secure processing environment.
Anonymised vs pseudonymised data
The default position is that data users may only access anonymous information. However, if a data user can demonstrate that personal data is necessary in order to fulfil their permitted purpose, that user may access pseudonymised data.
According to the recitals, data should be anonymised or pseudonymised as early as possible in the chain. In practice, this means that the data holder will often be responsible for anonymisation, but a health data access body may assume this responsibility too.
The elephant in the room is that there is little agreement across data protection authorities or industry on the line between anonymisation and pseudonymisation for health data â this is going to be a huge issue. Standards for anonymisation are going to be developed under the EHDS, but practitioners will be forgiven for feeling a healthy degree of cynicism as to whether these will solve current uncertainties.
Protecting your IPR as a data holder
The previous drafts had some big gaps in IPR protection â previously, this meant that data holders may be required to provide access to proprietary data even if protected by copyright, trade secrets or regulatory data protection rights. This undermined the rights of IP holders, who may be compelled to share sensitive and valuable information with direct competitors.
In the latest draft, there is now a procedure for data holders to preserve protections in electronic health data. The data holder must inform the access body and identify data protected by intellectual property rights, trade secrets or regulatory data protection rights. The access body must then decide which protections to apply, such as applying conditions (including contractual arrangements) which may limit the data user. The access body may even refuse to grant the application if there is a serious risk of infringing IPR. There is also a dedicated complaints procedure, if a holder disagrees with a decision.
This procedure is based on the Data Act, but in some ways, it appears weaker than the Data Act. Under the Data Act, it is the data holder that makes the decision on whether protections are required, whereas here it is the access body that decides your fate.
Opt-out from secondary use
Patients have a reversible right to opt-out from use of their personal electronic health data under this pathway. If a patient exercises the opt-out, that patientâs data may not be shared with users, even in anonymous form. The opt-out must be implemented by Member States in an accessible and easily understandable form, although there are open questions on how this could work from a practical perspective. For example, the text does not clarify how granular this opt-out should be, or who will be responsible for implementing this opt-out.
How does the GDPR apply to this pathway?
This pathway involves the processing of personal data: data users may access pseudonymised data, and even where data users access anonymous information, the holder or access body may still be processing personal data in order to create anonymised datasets. This means all parties need to consider how the GDPR applies to their scenario.
The recitals set out the GDPR designations of the various parties, as well as legal bases for processing:
- the data holder acts as controller if sharing personal data with an access body. Its legal basis for sharing personal data is compliance with a legal obligation (Article 6(1)(c)), combined with Article 9(2)(i) on public interest in the area of public health, or scientific research purposes under Article 9(2)(j).
- the health data access body is a controller in respect of preparing personal data and making it available to the user. An access body may rely on a task in the public interest (Article 6(1)(e)), together with Article 9(2)(g), (h), (i) or (j).
- the data user is deemed a controller, to the extent it processes pseudonymised health data for its permitted purposes in the secure processing environment. The userâs legal bases for processing are likely to be either legitimate interests (Article 6(1)(f)) or public interest (Article 6(1)(e)). In respect of Article 9 conditions for processing special category data, a number of Article 9(2) grounds are potentially available.
- confusingly, the health data access body is also deemed a processor of the data user for the purposes of processing under a data permit in the secure processing environment. However, it can be argued that the access body is better categorised as a controller in this capacity â the access body is responsible for determining whether a permit is granted in the first place and the conditions attached to the permit (i.e. the âpurposesâ of processing) and the means of processing through the secure processing environment. Nevertheless, the processor designation means that an Article 28 processor agreement will be required between the access body and data user.
Data localisation requirements
Previous drafts of the EHDS were strongly criticised for creating de facto data localisation requirements. Whilst the latest draft is an improvement, commentators still argue that these represent âoverregulationâ when it comes to data storage requirements. With regard to personal electronic health data:
- health data access bodies must store and process either in the EU or in a third country covered by an adequacy decision.
- Member States may maintain or introduce further conditions on international transfers in accordance with Article 9(4) of the GDPR. Given that the international transfer of personal data is already addressed in the GDPR in considerable detail, it is not clear why this also needs to be addressed in the EHDS.
With regard to non-personal electronic health data:
- this is deemed âhighly sensitiveâ under the Data Governance Act. If transfer to a third country presents âa risk of re-identification through means going beyond those reasonably likely to be usedâ, we may see further requirements on international transfers in future secondary legislation.
- access bodies and data users must take all reasonable measures, including contractual arrangements, to prevent transfer of data to a third country where that transfer would conflict with EU or national law.
What do you need to do to prepare for the EHDS?
All organisations in the health and care sectors are likely to be health data holders. As holders, organisations will need to begin efforts to:
- map out in-scope electronic health data within their systems and wider infrastructure. This will facilitate compliance with the requirement for holders to provide a catalogue of in-scope data to a health data access body on an annual basis. This catalogue will be publicly available and feature in-depth descriptions of datasets, including the source and scope of data, main characteristics and the conditions for making data available. Whilst organisations should have detailed data maps for personal data under the GDPR, the EHDS also captures non-personal data, which will add a layer of complexity.
- build the capability to make those datasets available to an access body within three months of a request. This will require the right personnel and technical capabilities, including the ability to anonymise electronic health data.
- consider strategy for preserving IPR. Given the sensitivity of in-scope data, organisations should consider in advance which protections apply to various electronic health data, and the arguments they will run in order to advocate for an access body either rejecting an application or applying rigorous protections. In the life sciences industry, intellectual property rights represent the crown jewels. Although data protection teams should be involved in reviewing requests, intellectual property specialists will be key.
The flipside is that an organisationâs researchers and product developers may now choose to take advantage of the opportunity to access electronic health data for research and innovation, in their capacity as a data user. These potential data users should ensure there is a governance structure in place to facilitate compliance with a userâs responsibilities, such as access controls, prohibiting any attempt to re-identify individuals in a dataset, and ensuring results or outcomes are made public.
Organisations will already have existing bilateral and multilateral arrangements with various parties on accessing and using electronic health data for secondary purposes. The recitals make clear that these existing arrangements may continue and are not affected.
Whatâs next?
The draft text is undergoing lawyer-linguist revision. Once this has been completed, the European Parliament will need to (re-)confirm the final text. The Council is then be expected to formally adopt the finalised text and the EHDS will be published in the EUâs Official Journal before it enters into force (likely to be in the coming months).
These provisions on secondary use of data have a transition period of four to six years before they apply (with four years applying to certain data categories, and six years to others). This generous grace period reflects the intensity of effort that will be required in order to set up the necessary digital infrastructure at both the Member State and EU level.
