Introduction, scope, and aim
True to their tradition and the tasks appointed by law, the 7 Belgian university hospitals combine top care with top scientific research and top education, building on evidence-based medicine. Today more than ever, university hospitals do so in a data-driven landscape. High expectations and ambitions with regard to the secondary use of health-related data collected in the real world, including routinely collected data, characterise today’s society. With clock-like regularity and increasing variability in purpose, scope and nature, university hospitals receive internal and external requests for the secondary use of health-related data. Examples include the support of evidence-based medicine and value-driven healthcare strategies, the development of medical devices, including those relying on machine learning and artificial intelligence, the conduct of projects that ensure the safe and high-quality care we all deserve…
The commitment of the Belgian university hospitals remains unchanged: providing excellent specialist healthcare and excellent clinical care for patients with complex or rare medical conditions. The contributions made to the collection of meaningful data are an essential part of that commitment. When not only high in quantity but also quality, data are an important ingredient in building knowledge, creating innovation, and, ultimately, providing better care for all.
The 7 Belgian university hospitals support the secondary use of health-related data. They offer a wealth of domain expertise required to assess the relevance of data and data analytics, considering the potential and limitations that characterise data collected in care. Domain experts can moreover assess the relevance, correctness, and scientific underpinning of the conclusions resulting from the processing of health-related data.
At the same time, the 7 Belgian university hospitals are well aware of and accept the responsibility connected to their role as a guardian of electronic patient health records. The pressure to see to the protection of patient data and increase the attention for the rights of the patient as a data subject is high – and rightfully so. The lack of a clear framework that allows the evaluation of the secondary use of data is experienced as a bottleneck.
To that end, the Belgian university hospitals developed a framework for handling requests for the secondary use of data collected in the real world, including routinely collected data (hereinafter abbreviated as RWD).
The aim of the framework is not to hamper the secondary use of RWD. RWD should be available to support non-commercial and commercial initiatives. However, a race to the bottom in the safeguards applied when processing health-related data for secondary purposes is something we wish to call a halt to. The developed framework clarifies the conditions for the secondary use needed to provide an answer to the call for patient empowerment and ensure GDPR compliance.
How to understand the framework
The common position expressed in this document establishes a framework to which the 7 Belgian university hospitals have committed. The framework was developed within De Raad van de Universitaire Ziekenhuizen van België – La Conférence des Hôpitaux Académiques de Belgique in close consultation with each of the individual hospitals. It was presented for advice to the respective medical ethical committees.
Through three elements specifically, the Belgian university hospitals are committed to fulfilling their responsibility as the guardian of health-related data collected in the real world, including routinely collected data:
- the common understanding of three key concepts: anonymization versus pseudonymisation, public interest, and compatibility;
- the appreciation that secondary use of data collected in patient health records does imply a duty of discretion; and
- the agreement on the implementation of six conditions for the secondary use of RWD.
The framework as presented in this document must be considered a blueprint. It clarifies the methodology the Belgian university hospitals will use to assess requests for secondary use of RWD. It may be used by bodies and staff within the university hospitals as well as parties interacting with them.
One of the framework’s goals is to keep hospitals and healthcare practitioners from accepting the illegitimate proposals they may be confronted with. Where helpful, explanatory notes are added, in particular to allow a better understanding of the underlying legal and ethical considerations.
All Belgian university hospitals have accepted the commitment to translate this framework into their internal procedures. Particularities in the organisational processes and ICT context, in which the individual hospitals are operating, may create slight differences in the practical implementation of the framework.
However, the framework cannot be considered a stand-alone answer to the secondary use of RWD.
First of all, this blueprint document must be translated into guiding documents addressed to, on the one hand, the individuals behind that data, our patients, and, on the other hand, the healthcare practitioners and other hospital staff.
Secondly, the necessary contractual agreements, such as data processing or data transfer agreements, have to complement the framework and the accompanying internal hospital-specific procedures. Such agreements should, for example, provide for commitments on purpose limitation, the return or destruction of data, the sharing of results…
Thirdly, any opportunity to allow the framework to evolve into a sector-specific charter, code of conduct, or good practices should be considered. The Belgian university hospitals expressly wish to encourage any other initiative that allows the framework to grow. To that end, the university hospitals have expressed their commitment to:
- participate in initiatives that allow the implementation of the framework’s methodology in other segments of the healthcare sector (such as general hospitals, healthcare organisations, healthcare professionals associations, healthcare industry… );
- allow the framework to grow in terms of the development of tools that foster practicable implementation. Such initiatives may include the development of model agreements, recommendations on minimum contractual requirements, impact assessments, best practices… ;
- explore the methodology’s potential to formulate a common position in other areas such as MDR and IVDR, biobanking, or the regulatory framework for clinical research.
Framework for secondary use of real-world data (routinely) collected in hospitals
1. Six conditions for the secondary use of routinely collected data
The university hospitals have formulated six rules of thumb for the consideration and evaluation of requests for the secondary use of RWD. These rules of thumb are considered essential to achieve a balanced approach taking into account legal and ethical principles, patient expectations as well as interests of all stakeholders, including the general interest of the public. It concerns:
- Registration
- Privacy and compatibility assessment
- Right to information
- Legal basis and exemption to process health-related data
- Right to opt-out
- Security
1.1 Registration
All requests for secondary use, and the decisions that followed these requests, are to be registered by the hospital. The register is considered the reference database that must allow for fulfilling specific obligations that follow from the secondary use of RWD, such as data subject requests.
Explanatory note
Keeping an overview of the purposes for which data are collected and for which data are re-used is a requirement imposed by GDPR. Any guardian of electronic patient records must keep a record of primary processing activities and activities of further processing, including data transfers (art 30 GDPR).
1.2 Privacy and compatibility assessment
Following a request for the secondary use of health-related data for a purpose other than patient care, a privacy and compatibility assessment is to be carried out. The goal of the assessment is to verify:
- the lawfulness of the request; and
- the relevance, correctness, and scientific underpinning of the request.
It is essential to understand that university hospitals will not allow the use of RWD for purposes that may cause harm to their patients or society in general.
Specific points of attention include the meaningfulness of the request for RWD, the proportionality and relevance of the requested data, the proposed technical and organisational measures to protect the data and data subjects, and compatibility with informed consents previously expressed. Moreover, especially with health-related data, the requirement to carry out a data protection impact assessment (DPIA) may be triggered. In that case, the privacy assessment should also consider the provided impact assessment, including the requirement to involve domain experts to prevent misinterpretations of the data or the risk of drawing incorrect conclusions with a potential impact on data subjects. Context-specific templates (research, non-research, domain-specific… ) may structure this assessment.
It should be stressed that the privacy and compatibility assessment is required independent of the legal basis for the data processing. The privacy and compatibility assessment is, more specifically, required in situations where informed consent is obtained and in situations of public interest or compatible further processing under article 6.4. GDPR.
A multidisciplinary body carries out the privacy and compatibility assessment. University hospitals commit to ensuring that the assigned body has the necessary expertise amongst its members to evaluate the medical, scientific, legal, ethical, technical, and other relevant aspects of the request. Given the final responsibility for the keeping of medical records in hospitals, it seems desirable to involve the chief medical officer. Patients (or patient associations) should be included in evaluating the privacy and compatibility assessment to ensure patient involvement in the decision-making process.
Depending on the hospital-specific operational structures and the context of the request for secondary use (e.g., research, non-research, domain-specific… ), a medical ethical committee or another multidisciplinary committee, such as an internal data protection or data processing board or a data access committee… can carry out the privacy and compatibility assessment.
1.3 Right to information
Apart from being a specific data subject right under the GDPR and a precondition for patient empowerment, transparency is an essential condition for receiving and preserving trust. Given that the patient’s trust is an essential condition for the university hospital to deliver the best possible care, the patients’ right to information should not be disregarded.
As much as possible, patients should be informed about the secondary use of data concerning them. In practice, transparency is achieved by combining different stages and different levels of information:
- General information about the secondary use of RWD can be provided in the hospital’s privacy policy and information brochures (print and digital). Adopting a layered approach, whereby more detailed information can be found after clicking a link or obtaining the correct reference, is recommended.
- In addition, patients have to be informed individually about the specific projects that use data concerning them. Ideally, the digital solutions that give patients direct access to their health record, which the hospital may already provide, will also present patients with a personalised overview of the secondary use of their data. Where such an approach is not (yet) feasible, other digital or printed solutions can ensure that personalised overviews are at the patient’s disposal.[1]
- Finally, in the specific case of a prospective (interventional) experiment on the human subject, which typically entails a contact moment with the patient, it is most practical to provide an information notice on the processing of personal data together with the informed consent for participation in the study.[2]
The information should be readily available and easily findable for all patients at every level. The possibility of also providing digital push notifications can be considered in consultation with patients.
Finally, the adopted solutions must also consider the specific situation of minors. When the minor is at an age and a level of maturity that favours involvement in the decision-making process, it is recommended to make information on data processing directly available to the minor as well. Specific brochures can be used.
Explanatory note
To understand the rationale of the proposed approach, it is critical to recognise that the GDPR imposes the transparency principle as a general obligation. The obligation to provide patients with transparent information is not linked to the applicable legal basis (informed consent or any other legal basis). It must be complied with in primary and secondary (further) processing.[3]
Nevertheless, university hospitals are awaiting further clarification on the exception to the transparency principle under article 14, 5. b) GDPR.[4] Today, we understand that information is to be provided to the individual data subject except in the rare case that providing information to the individual patient is impossible, would cause a disproportionate effort, or would imply ethically undesirable risks. In that case, information can be made publicly available at a more general level, for example, on a website, in a brochure… However, such solutions can meet the requirements of GDPR only when the data are not collected directly from the data subject.
Following the European Data Protection Board guidelines, situations of “impossibility” and “disproportionate effort” are given a restrictive interpretation. A situation of “impossibility” arises only when the data controller demonstrates the factors that prevent it from providing the information to data subjects. Impossibility and disproportionate effort seem to directly connect with the fact that the personal data was obtained in a way other than from the data subject.[5]
An undesirable ethical risk could arise when the transparency obligation would cause patients to be informed about their medical condition despite having expressed a right not to know. In this case, the advice of a medical ethical committee should be sought.
1.4 Legal basis and exemption to process health-related data
One of the basic principles of data protection law is that personal data can only be collected and processed when lawful. The processing of health-related data is prohibited unless an exemption applies.
Firstly, GDPR requires data controllers to specify the legal basis in the case of primary processing and to carry out a compatibility test in the case of secondary processing. When RWD is further processed for scientific research, the compatibility is presumed, and the compatibility test can be limited to assessing applied safeguards such as pseudonymisation and encryption. A more extensive compatibility assessment is required when RWD is further processed for other secondary purposes.
Additionally, an exemption to the general prohibition to process health-related data must be specified.[6] This second step follows from the additional layer of protection GDPR provides for the processing of special category data. The applicable exemption must be specified in the case of both primary and secondary processing. The most relevant exemptions in relation to the secondary processing of RWD include medicine[7], substantial public interest and public interest in the area of public health[8], research[9] and the patient’s explicit, specific, and informed consent[10].
Whereas controllers do have a general obligation to provide information, they do not have a general obligation to obtain informed consent. The GDPR does not compel informed consent as the legal basis for the (secondary) processing of personal data (article 6 GDPR) or as an exemption to the general prohibition to process special category data (article 9 GDPR).[11] Imposing such an obligation could potentially be considered not in line with the non-absolute character of the fundamental right to data protection or the lawfulness principle provided by the GDPR (articles 6 and 9 in particular).[12]
If hospitals were to rely on informed consent as the (new) legal basis for the (further) processing of RWD, they must be able to meet the requirements for valid consent as provided in the GDPR. Article 4 (11) defines consent as a freely given, specific, informed, and unambiguous indication of the data subject’s wishes […]. If the requirements cannot be met, informed consent fails as a legal mechanism. If the requirements can be complied with only by stretching their interpretation, informed consent fails as a mechanism for patient empowerment.
Moreover, if informed consent is used as the legal basis or as the exemption to the general prohibition, it should be acknowledged that unwanted bias may compromise the success of the secondary use.
From a short-term perspective, obtaining informed consent for the further processing of RWD may seem to have advantages for hospitals and patients. Nevertheless, it is crucial to acknowledge that it would, in the long term, have a detrimental effect not only in terms of legal certainty for hospitals but also in terms of patient empowerment.
Explanatory note on the application of articles 6 and 9 GDPR
GDPR specifies that when data are further processed, the processing can be considered compatible if article 6.4. GDPR is fulfilled. Following Recital 50, a new legal basis is not required in that case.[13]
The compatibility of scientific research with RWD follows from article 5, 1. (b), especially when pseudonymisation is applied (as mentioned by article 6.4. (e)).
In all other cases of secondary use, the compatibility assessment requires an assessment under article 6.4. (a) to (e).[14] As part of the assessment, we suggest involving patients (associations) to evaluate patients’ reasonable expectations.
Given that articles 6 and 9 GDPR must be applied cumulatively to the processing of RWD, it should be noted that article 9 GDPR must be complied with in addition to article 6.4. GDPR.
Article 9 GDPR provides that special category data, including health-related data, can, for example, be processed for scientific research in accordance with Article 89(1) based on Union or Member State law (art 9, 2. (j)) or for other purposes of (substantial) public interest (art 9, 2. (g) and (j)).
Explanatory note on informed consent under the articles 6 and 9 GDPR
Before adopting informed consent under article 6 or 9 GDPR, consider the following concerns:
- Consent cannot be considered freely given in the absence of a genuine choice or in the case of a clear imbalance of power between the data subject (patient) and the controller (the party wishing to further process the data). The vulnerability that characterises the position of the patient and research participant raises questions in this regard.
- Consent cannot be considered specific or informed unless the specific purpose of the processing is defined and transparently communicated. Even when limited to scientific research, the implementation of broad consent for the further use of RWD is not considered valid. The false sense of security that might follow from obtaining broad consent risks creating wrong expectations in healthcare practitioners and researchers.[15]
- It should also be noted that if hospitals were to rely on informed consent for the primary data collection, the pressure to request re-consent for the further processing of these data would be high. The use of data beyond what a patient has initially consented to seems problematic. Although not explicitly required by GDPR, it seems that, at least ethically, hospitals would then need to obtain re-consent. Failing to request re-consent could hurt patients’ trust because sensitive data are further used for purposes beyond the expectations created in patients by the original consent form.
The patient’s consent has a role to play when, under the general prohibition to process health-related data (article 9 GDPR), no alternative exemption is available. For these cases, the law provides that the autonomy of the individual patient should prevail. The patient’s wish, expressed through informed consent, should be respected. Such a situation may, for example, arise when the request to further process RWD has purely commercial objectives that cannot be qualified as research or as an obligation of public interest.
1.5 Right to opt-out
As custodians of electronic health records, university hospitals understand that patients may have concerns about the (commercial) secondary use of RWD. To foster patient empowerment, the university hospitals commit not only to involving patients (organisations) in the evaluation of the compatibility assessments, but also to allowing the individual patient to express an opt-out from secondary processing insofar as the purpose of the secondary processing causes the patient’s individual interests to prevail over the general interest of society.
University hospitals accept the responsibility to evaluate the request for secondary use based on the conditions 1 to 4 described above and a balancing exercise evaluating individual and general interests. Parties requesting the secondary use of RWD will have to perform a balancing exercise when they deem the project of general interest and wish not to consider the opt-out. The balancing exercise will have to be presented as part of the privacy and compatibility assessment described under condition 2.
In order not to create false expectations, we consider it correct to specify that individual interests tend not to prevail when the processing is necessary to:
- comply with legal obligations in the area of public health (e.g., transfers to authorities, patient safety, the conduct of academic scientific research… );[16]
- comply with other obligations of the hospital that override the individual interests of the individual patient (e.g., quality management… ).[17]
In these situations, university hospitals are particularly concerned about any bias that may be created by individually expressed opt-outs.
On the condition that the balancing exercise shows that the patient’s individual interests prevail (due to the context, the sensitive nature of the data, and the resulting commercial interests… ), the opt-out, as previously expressed by the individual patient, will prevent the secondary use of the patient’s data for this purpose.[18]
University hospitals, therefore, commit to providing, in advance of contact with or admission to the hospital (for consultation, treatment…), all their patients with the possibility to express the wish to opt out from the secondary processing of RWD unless the general interest prevails over the individual interest. The university hospitals
- accept the responsibility to not only correctly register but also duly detect opt-outs before clearing RWD for secondary use, and to implement the necessary technical and organisational measures to that end;
- will openly communicate and explain to patients the possibility of activating (or deactivating) the opt-out and allow them to review their decision at any point in time;
- provide patients with the opportunity to receive more information on the impact of an opt-out at the moment of their choice.[19]
The university hospitals wish to reiterate the general importance of secure tools for electronic communication. While this may depend on the organisational structure of the particular hospital, the technical solutions that provide patients with direct access to their electronic health records can ideally be used to provide patients with the option to set preferences, such as the opt-out from secondary processing of RWD.
Explanatory note on the right to object
Whereas the proposed opt-out must, in any case, meet the requirements of the right to object as provided in article 21 GDPR, we expect that the right to opt-out as implemented by the university hospitals may extend beyond it. A broadening of the scope may occur when article 21 §1 is not applicable because a different legal basis has been specified, or when article 21 §1 or §6 allow for an exception to the right to object which is, for ethical reasons, not applied. In this case, the right to opt-out is applied as an additional safeguard to enhance trust.
Explanatory note on opt-in versus opt-out
Unlike an opt-in mechanism, an opt-out mechanism is always additional to the safeguards provided in articles 6 and 9 GDPR. Requests for the secondary use of RWD can only be considered lawful after a positive compatibility test (art. 6.4) and a positive evaluation of the applicability of an exemption as provided in article 9 GDPR. In their role as custodian of an electronic health record and evaluator of requests for secondary use, university hospitals always have to thoroughly assess the lawfulness of the request in addition to the need to apply the opt-out mechanism. In that sense, opt-out mechanisms are essentially different from opt-in mechanisms in terms of how they work and the protection they offer to the patient. In making their evaluations, the university hospitals always build on the domain expertise required to assess the relevance of a request for secondary use and the relevance, correctness, and scientific underpinning of the conclusions resulting from the secondary use.
1.6 Security
Since information security is a core concern for university hospitals, the implementation of additional security measures should not be an issue in relation to the secondary processing of RWD. Pseudonymisation should be considered standard. It must be applied in as many scenarios as possible, whether for small or large databases.
When university hospitals collaborate with external parties for the secondary use of RWD, the external party will often be considered the data controller. In that case, the hospital acts on the instructions of the external party. Nevertheless, as provided in GDPR, hospitals will take up their responsibility, screen for potential non-compliance and question the instructions received from data controllers where necessary. University hospitals will require a data transfer agreement that clarifies and limits the purpose of the secondary processing. Such an agreement will be required even when data are transferred between independent controllers.[20]
Explanatory note on pseudonymisation
Traditionally, data protection law requires data controllers to protect the data subject from the unwanted or unnecessary continuation of processing activities. Therefore, it is emphasised that personal data need to be anonymised or pseudonymised when the identification of the data subject is no longer necessary for the purpose of the processing.
Pseudonymisation is a functional separation technique that lowers the risk for data subjects by ensuring that they can only be re-identified through additional information. It, in other words, reduces the risk that the identity of data subjects is revealed to those unqualified to obtain the information. Since data subjects continue to be (re-)identifiable, GDPR applies.
Although many definitions exist and different techniques can be applied to pseudonymise data, its application essentially requires two steps:
- First, the direct link between the data subject and the data, although not broken, must be coded. Typically, the key to this code is kept by a senior staff member or a third party. The use of a single key that is unique per patient across different purposes should be avoided in order to prevent linkability.
- Secondly, specific elements in the data that allow the indirect identification of the data subject must be replaced, generalised, or deleted. For determining the indirect identifiers, US HIPAA can provide inspiration.[21]
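As an added illustration of the two steps above (example code, not part of the hospitals’ framework), the Python below codes the direct identifier with a keyed hash (HMAC-SHA256) under a separate key per secondary-use purpose, so that codes for different purposes cannot be linked, and then generalises or deletes the indirect identifiers in a HIPAA Safe Harbor style. The record, field names, purposes and keys are constructed; the choice of HMAC as the coding mechanism is an assumption, not a requirement stated in the document.

```python
"""Two-step pseudonymisation of a hospital record (illustrative, constructed data)."""
import hashlib
import hmac
import secrets
from datetime import date

# Constructed sample record; no real patient data.
RECORD = {
    "patient_id": "BE-0001234",      # direct identifier, to be coded
    "name": "Constructed Name",      # direct identifier, to be deleted
    "date_of_birth": "1931-05-14",   # indirect identifier
    "postal_code": "3000",           # indirect identifier
    "admission_date": "2023-02-27",  # indirect identifier
    "diagnosis_icd10": "I21.0",      # analytic payload, kept as-is
}
REFERENCE_DATE = date(2023, 6, 1)    # constructed date at which age is computed

# Step 1 keys: one secret per secondary-use purpose, held by the key custodian
# (a senior staff member or a third party) and never shipped with the data.
# Random per run here; a real custodian would store them securely.
PURPOSE_KEYS = {
    "cardio-research": secrets.token_bytes(32),
    "quality-audit": secrets.token_bytes(32),
}


def pseudonym(patient_id, purpose, keys=PURPOSE_KEYS):
    """Step 1: code the direct identifier with HMAC-SHA256 under the purpose's key.

    Same patient, same purpose  -> same code, so records join within a project.
    Same patient, other purpose -> unrelated code, so projects cannot be linked.
    Without the key the code cannot be recomputed from, or reversed to, the id.
    """
    mac = hmac.new(keys[purpose], patient_id.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:16]  # 64 bits is ample for a non-reversible code


def generalise_dob(dob_iso, reference):
    """Step 2: keep only the birth year, and pool ages of 90 and over into a
    single '90+' class (HIPAA Safe Harbor treats very old ages as identifying)."""
    birth = date.fromisoformat(dob_iso)
    had_birthday = (reference.month, reference.day) >= (birth.month, birth.day)
    age = reference.year - birth.year - (0 if had_birthday else 1)
    return "90+" if age >= 90 else str(birth.year)


def generalise_postcode(postcode):
    """Step 2: keep the first two digits of a four-digit Belgian postcode."""
    return postcode[:2] + "xx"


def generalise_date(date_iso):
    """Step 2: reduce an event date to its year."""
    return str(date.fromisoformat(date_iso).year)


def pseudonymise(record, purpose, reference=REFERENCE_DATE):
    """Build the release record: coded id, generalised indirect identifiers,
    deleted direct identifiers (name, raw id), untouched analytic payload."""
    return {
        "pseudonym": pseudonym(record["patient_id"], purpose),
        "birth_year": generalise_dob(record["date_of_birth"], reference),
        "postal_region": generalise_postcode(record["postal_code"]),
        "admission_year": generalise_date(record["admission_date"]),
        "diagnosis_icd10": record["diagnosis_icd10"],
    }


if __name__ == "__main__":
    research = pseudonymise(RECORD, "cardio-research")
    audit = pseudonymise(RECORD, "quality-audit")
    print(research)
    print("linkable across purposes:", research["pseudonym"] == audit["pseudonym"])
```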
2. Secondary use of data does not always imply (direct) access to the electronic health record
Discretion is a duty generally imposed on all healthcare practitioners and staff working in university hospitals. In addition to professional secrecy, which is imposed by law on specific categories of staff, all categories of staff are contractually bound by the obligation to keep any information they learn throughout their professional activities confidential. This includes information that they learn when processing RWD for secondary purposes.
In the case of secondary use, it is not always required to provide staff or the requesting party with direct access to a patient’s electronic health record. Automated pseudonymisation tools responding to specific queries or federated learning models, for example, can offer a solution to unlock RWD in a privacy-preserving way.
If the secondary processing does require direct access to electronic health records, ample attention should be paid to the principles of professional or contractual confidentiality. The university hospitals commit to setting up transparent internal procedures describing the access rights and applicable conditions.
3. A common understanding of three key concepts
The conditions for secondary use of RWD outlined in this proposal build on three essential assumptions with regard to the GDPR’s considerations of the concept of personal data and the principles of legality and lawfulness of secondary use. These assumptions are further explained below.
3.1 Anonymisation versus pseudonymisation
Although the GDPR does not define the concepts “anonymous” or “anonymised”, it does clarify the concepts “identified”, “identifiable”, “pseudonymous” and “pseudonymisation”. These clarifications indicate a rather broad interpretation of “personal data”. The GDPR provides that when data allow an individual to be “singled out”, the information cannot be considered anonymous data and is to be protected.
It is essential to understand that data can be considered anonymous or anonymised only when the applied mechanisms are irreversible. Additionally, data protection authorities have stressed that, when qualifying data as personal versus anonymous, both the data readily available in a particular dataset and the data that can, in combination with that particular dataset, allow the (re-)identification of individuals have to be considered.[22]
The uniqueness of health-related data, the need to keep source data at all times, and the (legal) requirements to ensure traceability are three critical elements that seem to be incompatible with the concept of anonymisation. Therefore, hospitals face an important concern in terms of legal certainty when requested to qualify RWD as sufficiently anonymous and, consequently, outside of the scope of GDPR.
Keeping in mind the vulnerable position of patients and the potential impact on their fundamental rights, university hospitals consider individual-level data typically as pseudonymous rather than anonymous. Aggregated data, however, can be considered anonymous provided that a small cell risk assessment has been considered.
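As an added illustration of the small cell risk assessment mentioned above (example code, not part of the hospitals’ framework), the Python below aggregates constructed pseudonymised rows into a contingency table, flags cells below a constructed threshold of 5 patients, and applies complementary suppression so that a published row total cannot be used to recover a single hidden cell by subtraction. The threshold, categories and counts are constructed.

```python
"""Small cell risk assessment for an aggregated release (illustrative)."""
from collections import Counter

K = 5                 # constructed minimum cell count; not taken from the framework
SUPPRESSED = f"<{K}"  # marker published in place of a hidden count

# Constructed pseudonymised individual-level rows: (diagnosis, sex, age_band).
ROWS = (
    [("I21", "F", "60-69")] * 12 + [("I21", "F", "70-79")] * 3 + [("I21", "F", "80+")] * 8
    + [("I21", "M", "60-69")] * 9 + [("I21", "M", "70-79")] * 15 + [("I21", "M", "80+")] * 11
    + [("C34", "F", "60-69")] * 7 + [("C34", "F", "70-79")] * 8 + [("C34", "F", "80+")] * 2
    + [("C34", "M", "60-69")] * 4 + [("C34", "M", "70-79")] * 6 + [("C34", "M", "80+")] * 1
)


def aggregate(rows):
    """Contingency table: {(diagnosis, sex): {age_band: count}}."""
    table = {}
    for (dx, sex, band), n in Counter(rows).items():
        table.setdefault((dx, sex), {})[band] = n
    return table


def small_cells(table, k=K):
    """Cells with 0 < count < k describe so few patients that, combined with
    other knowledge, they may single someone out. Empty cells are not a risk."""
    return {(row, col)
            for row, cells in table.items()
            for col, n in cells.items() if 0 < n < k}


def suppress(table, k=K, publish_row_totals=True):
    """Primary suppression of small cells, plus complementary suppression where a
    published row total would let a reader recover a lone hidden cell by
    subtraction. (Bounds on the sum of several hidden cells are not treated here.)"""
    risky = small_cells(table, k)
    released = {}
    for row, cells in table.items():
        hidden = {col for r, col in risky if r == row}
        if publish_row_totals and len(hidden) == 1 and len(cells) > 1:
            visible = [(n, col) for col, n in cells.items() if col not in hidden]
            hidden.add(min(visible)[1])  # hide the smallest visible cell as well
        out = {col: (SUPPRESSED if col in hidden else n) for col, n in cells.items()}
        if publish_row_totals:
            out["total"] = sum(cells.values())
        released[row] = out
    return released


if __name__ == "__main__":
    table = aggregate(ROWS)
    print("risky cells:", sorted(small_cells(table)))
    for row, cells in suppress(table).items():
        print(row, cells)
```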
As indicated above, the university hospitals consider pseudonymisation a key measure when processing RWD, independent of the purpose of the secondary processing. Although pseudonymised data deserve the necessary level of protection, pseudonymisation can be considered a measure that significantly lowers the risk of breaches of the patient’s fundamental rights. Therefore, the sixth condition described above includes pseudonymisation as an essential security measure.
3.2 The concept of public interest in GDPR
As indicated above, university hospitals are, by law, required to organise teaching, research, and patient care. To improve clinical care, all university hospitals aim for maximal interaction between these different undertakings. The role of university hospitals in developing and evaluating new treatments, therapies, and medical technologies… is incorporated into their specific legal statute.[23] These legal obligations also create the necessity to process personal data. University hospitals build on their legal statute to apply the exemptions provided in article 9, 2. (g), (h), (i), or (j).
It should be acknowledged that, by requiring a basis in Union or Member State law, GDPR adheres to a strict interpretation of “public interest”. To rely on the exemptions mentioned in article 9, 2. (g) or (i), it is not sufficient to merely perform a balancing exercise that considers individual interests next to general interests. An obligation to process must follow from Union or Member State law. Consequently, the notion of “public interest” cannot be compared to a more general idea of what can be of general interest to society.
University hospitals urge the authorities not to consider only secondary use initiated by academia as being of general interest. While conscious of the potential commercial interests of other parties, the university hospitals believe that the importance of collaborations with private companies, in particular when qualified as scientific research, should be acknowledged. Therefore, the Belgian university hospitals wish to continue to support these initiatives. On the condition that an equal return for society is contractually foreseen, the university hospitals will be open to evaluating whether, also in these situations, the general interest of society can prevail over the individual interest of the data subject.
The university hospitals wish to point out that the exemptions foreseen under article 9 GDPR may not be sufficient to cover the sharing of RWD for secondary purposes that are in the general interest of society but cannot be qualified as scientific research. Examples include secondary use for patient safety and quality of healthcare purposes. Hospitals and other healthcare practitioners are legally obliged to ensure high-quality care and monitor their performance. It is unclear whether similar obligations are imposed on private companies and, if so, whether these obligations can be considered sufficiently specific to serve under article 9. Especially when private companies assess organisational or procedural aspects of healthcare, it is not sufficiently clear whether an exemption other than the patient’s consent can be relied on.
3.3 The concept of the compatibility test in GDPR
As indicated in point 1.2., a legal basis is required for the lawful collection of personal data under GDPR. However, Recital 50 GDPR clarifies that in case of a positive compatibility test, “no legal basis separate from that which allowed the collection of the personal data is required”. Instead, article 6.4. GDPR imposes the obligation to perform a compatibility test (unless the processing is based on the data subject’s consent or a Union or Member State law). Hence, when considering the conditions for secondary use of RWD, article 6.4. GDPR should not be overlooked.
Where the secondary use concerns scientific research, the GDPR provides in article 5, 1. (b) that compatibility with the original purpose of data collection is presumed. In this regard, it must be noted that the concept of scientific research adopted by the GDPR is broad rather than limited. Recital 159, for example, clarifies that the concept includes “technological development and demonstration, fundamental research, applied research and privately funded research”.
Where the secondary use concerns purposes other than scientific research, article 6.4. GDPR provides a list of elements that have to be taken into account to assess the compatibility of the secondary use with the original purpose of the data collection. The university hospitals wish to stress that even if performed in a commercial rather than an academic context, the secondary processing of RWD should not per se be considered incompatible with the original purpose of the data processing. A case-by-case assessment is required.
Aware of the (academic) debate on the interpretation of Recital 50, the university hospitals, however, urge further guidance on this point from the authorities. In the case that Recital 50 cannot be interpreted as suggested above, clarification is required on the interpretation and the application of articles 5, 1. (b), and 6 GDPR in relation to two situations:
- where the secondary use concerns scientific research, which, following article 5, 1. (b), is presumed not to be incompatible with the original purpose; and
- where the secondary use concerns other purposes and is assessed as compatible or incompatible with the original purpose of the processing.
[1] Whichever solution is adopted, it seems crucial that a) the adoption of a strong authentication mechanism ensures that patients have access to the overview that concerns them only, and b) the overview can be made available in printed form at the patient’s request.
[2] In the margin of this, the university hospitals wish to note that the Belgian legal framework (Wet Experimenten Menselijke persoon – Loi relative aux expérimentations sur la personne humaine of 7 May 2004) differs from the approach taken by European and international legal instruments. Based on European and international instruments, informed consent for participation must be obtained from human participants in prospective interventional trials. The Belgian law foresees the same obligation for participation in prospective non-interventional experiments on the human person. Given that a prospective non-interventional trial focuses on collecting and analysing data, which are also protected under the broader framework of GDPR, the added value of this peculiarity in Belgian law can be questioned.
[3] GDPR provides that when a controller intends to use data obtained from data subjects also for other purposes, this controller should, at the time of collection of the data, take appropriate measures in order to meet the information obligations about the further processing. See also: EDPB, Document on response to the request from the European Commission for clarifications on the consistent application of the GDPR, focusing on health research, Adopted 2 February 2021, 9.
[4] As indicated by the EDPB in the “Document on response to the request from the European Commission for clarifications on the consistent application of the GDPR, focusing on health research, Adopted 2 February 2021, 9”.
[5] Article 29 Working Party Guidelines on transparency under Regulation 2016/679, as Adopted on 29 November 2017 and last Revised and Adopted on 11 April 2018 and as Adopted by the EDPB during its first plenary meeting on 25 May 2018, 28-29.
[6] They must be taken from the list provided in Article 9, 2. GDPR.
[7] Article 9, 2. (h).
[8] Article 9, 2. (g) and (i).
[9] Article 9, 2. (j).
[10] Article 9, 2. (a).
[11] Note that the informed consent discussed in this position paper concerns only the informed consent for data processing. It does, for example, not concern informed consent for treatment or participation in an interventional clinical trial.
[12] While article 9, 4. allows the Member States to impose further restrictions on the processing of health-related data, such restrictions must be in line with the general principles of article 5 GDPR.
[13] Recital 50 GDPR: “The processing of personal data for purposes other than those for which the personal data were initially collected should be allowed only where the processing is compatible with the purposes for which the personal data were initially collected. In such a case, no legal basis separate from that which allowed the collection of the personal data is required.” [emphasis added]
[14] If a successful compatibility test were, contrary to the clarification in Recital 50 GDPR, not sufficient to meet the lawfulness criterion, processing should not be allowed unless a legal basis is available in article 6, 1. GDPR.
[15] Although Recital 33 GDPR mentions the concept of broad consent, the EDPB has stressed the obligation for data controllers to provide additional information when the purpose of the research is further defined (See EDPB Document health research, adopted on 2/02/2021).
[16] In compliance with article 9, 2. (g), (i) or (j) GDPR.
[17] In compliance with article 9, 2. (h) GDPR.
[18] In terms of content, the balancing exercise can be compared to the balancing exercise performed in the application of legitimate interest as a legal basis for processing personal data (article 6, 1. (f) GDPR). For further details, we refer to Article 29 Working Party, Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC.
[19] Taking into account technical and organisational feasibility.
[20] An effort that is not required under GDPR.
[21] It should be noted that the concept of de-identification adopted by US HIPAA does not match the concept of anonymisation adopted by the GDPR. Stripping or replacing the listed identifiers does not return anonymised but pseudonymised data. See: Health Insurance Portability and Accountability Act of 1996 (HIPAA), enacted 21 August 1996, Pub. L. 104-191.
[22] The Belgian Data Protection Authority (GBA/APD) applied in the context of Covid-19 databases the following rule: “Data are only (sufficiently) anonymous if also in combination with other data (including those of other parties) they do not allow reidentification (e.g., IP addresses are always personal data because with the help of a telecom operator individuals can be re-identified)”; see: https://www.ehealth.fgov.be/nl/egezondheid/task-force-data-technology-against-corona/aanbevelingen-op-het-vlak-van-naleving-van-de-avg-door-apps.
[23] See the coordinated Law of 10 July 2008 on hospitals and other care institutions (gecoördineerde wet van 10 juli 2008 op de ziekenhuizen en andere verzorgingsinstellingen), Belgian Official Gazette (BS) 7 November 2008.