Will the New EU Data Protection Regulation Facilitate Healthcare Innovation?
The collection and use of information about an individual's physical or mental state engages EU data protection law. But this may not be the only legal framework that applies. Devices that help to prevent, diagnose or treat illnesses or improve bodily functions may be classified as medical devices and therefore be subject to further regulation. Similarly, where a pharmaceutical company is investigating the effects of a new medicine, it will need to comply with EU rules for the conduct of clinical trials. It follows that those obtaining informed consent (including by simplified means in the clinical trials context) must still ensure that applicable data privacy rules are met. All of this demonstrates that the healthcare industry operates in a highly regulated space. Therefore, a technological transformation of the healthcare industry faces a number of complex challenges.
Yet recently both those in the industry itself and those in charge of the regulatory landscape have intimated that the impetus is moving towards greater technological innovation. Thus, in April 2014 the European Commission published its Green Paper on mobile health, highlighting the potential of mHealth solutions to improve evidence-driven care practice and research activities and to deliver other efficiencies. With Europe's ageing and increasingly sickly population as well as squeezed public finances, the promise of technology to put patient-focused healthcare in the hands of patients while promoting healthy behaviours is clearly attractive to EU policy makers. In the mobile environment, the growing number and popularity of new health and well-being apps, together with the latest wearables, demonstrate a public appetite for technologically enabled solutions that measure or quantify health.
Privacy regulatory framework
Technological innovation in healthcare must comply with data protection and privacy rules. Current EU data protection law expressed in Directive 95/46/EC is due to be replaced by a Regulation in the next few years. The recent disclosure of the latest draft of the Regulation being negotiated within the Council of the EU gives an insight into what the regulatory background will be for those processing health data. The general tenor of the previous versions of the draft Regulation produced by the EU Commission and EU Parliament has been a move towards greater prescription in contrast to the current Directive.
Under the current Directive, data concerning health is sensitive personal data and therefore its use is prohibited unless the organisation can rely on a specific ground, i.e. explicit consent, employment law or the protection of vital interests. The prohibition is lifted where data processing is required for preventive medicine, medical diagnosis, the provision of care or treatment or the management of healthcare services, provided the processing is carried out by a healthcare professional or a person subject to equivalent obligations of secrecy. Individual Member States may also specify exemptions from the prohibition for reasons of substantial public interest, so long as they provide suitable safeguards. Furthermore, with respect to other provisions (for example around information provision and subject access) the Directive allows greater flexibility where data processing takes place in the context of scientific research. Since the EU passed a Directive in 1995 (rather than a Regulation), each Member State also had greater scope to shape data protection rules to suit expectations within its own healthcare culture.
What is the shape of the new Regulation?
So does the proposed draft EU Data Protection Regulation differ substantially from the current Directive? Will the Regulation facilitate or frustrate the new healthcare innovation that is hotly anticipated? We don't yet have the final text of the Regulation (and we don't have space to go into all the detail here), but we can draw a number of conclusions based on the draft Regulation dated 19 December 2014 that has been made available and reflects discussions in the Council. These are as follows:
- The Regulation provides a more detailed definition of what is meant by personal data concerning health although, in practice, this is not likely to differ greatly from how health data is currently interpreted under the Directive. But it also includes a definition of pseudonymous data which may prove helpful depending on whether the final version of the Regulation gives greater flexibility to the use of pseudonymous data.
- The general prohibition on processing health data reflects the position under the Directive. Like the Directive, the prohibition does not prevent processing by a professional who is subject to secrecy for the purpose of preventive or occupational medicine, to assess employees, for medical diagnosis or provision of care, treatment or management of the healthcare system.
- Although there is no exception for processing health data for medical research purposes (currently specifically referenced under UK data protection law), there are provisions that facilitate data processing for scientific (research) purposes. Indeed, there is a clear acknowledgement of the benefits of medical research in a reference to examining registries to obtain new knowledge, as well as a reassurance that further processing of data for scientific purposes is not incompatible with the initial purpose.
- Processing data for health purposes is permitted for an important public interest ground especially where the processing is linked to a quality or cost-effectiveness benefit. Public health grounds permit the use of health data without the consent of individuals but such health data should not end up in the hands of third parties such as employers, insurance or banking companies. Important public interest objectives involving public health also permit Member States to restrict the scope of certain obligations on organisations and certain rights of individuals. Additionally, the right to be forgotten provision will not require the erasure of health data processed for either public health reasons in the public interest or for scientific purposes.
- There are specific restrictions on profiling individuals in order to evaluate or analyse their health. Accordingly, a data protection impact assessment must be carried out in most instances of profiling. However, in what looks like a concession primarily to the healthcare industry, an impact assessment is not mandatory where such processing is protected by professional secrecy and is administered, for example, by a healthcare professional.
From this list it appears that there is greater flexibility for organisations involved in data processing for scientific research and public health reasons. Consequently, it is important to know when data processing comes within these categories. Although processing of personal data for scientific purposes is interpreted to include fundamental research, applied research and privately funded research, a couple of Member States have tabled a scrutiny reservation concerning this interpretation, so it may change. In contrast, public health has a specific interpretation linked to a separate EU regulation on statistics on public health and health and safety at work (EC No. 1338/2008).
But the latest draft of the Regulation is not without its wrinkles. For instance, the Regulation is potentially confusing at points. So while it states that there should be harmonised conditions across the EU for the use of health data, particularly where the processing is for health-related purposes by persons subject to professional secrecy, it also states that national law may provide for specific conditions for certain sectors and for the processing of sensitive data. Undoubtedly the text will see further amendments, which should hopefully tidy up any ambiguities. Additionally, it will be significant to see the final proposals concerning how pseudonymous data will be regulated.
More and more companies are exploring new technologies for delivering healthcare or well-being services. Whether through smartphone apps, wearables or other devices or interfaces not yet developed, there is substantial potential for technology to help individuals understand their health better and for healthcare professionals to deliver smarter services. There are welcome signs that the Council has listened to concerns raised by the healthcare industry about the more prescriptive approach of previous versions of the Regulation. However, the situation is fluid. For instance, there is still no certainty on the position of pseudonymous data, and we remain some way off from a final agreed text given that trilogue discussions have not yet begun within the EU institutions.
This article was first published in e-Health Law and Policy in January 2015.