The EU charter of Fundamental Rights stipulates that EU citizens have the right to protection of their personal data. The General Data Protection Regulation (GDPR), adopted in April 2016 and published on the EU Official Journal on 4 May 2016, has been in full force since 25 May 2018. The new Regulation contains provisions with an important impact on health services and research. It strengthens the principles of data protection by putting more focus on accountability and security.
Since the publication of the draft proposal by the European Commission in January 2012, HOPE has been very active in monitoring the legislative process.
HOPE joined the Healthcare Coalition on Data Protection at the end of 2012. A Coalition composed of key stakeholders of the healthcare sector in Europe gathering representatives of medical research, healthcare providers, the pharmaceutical industry and the medical technology industry. The objective of the Coalition was to raise awareness about the importance of access and sharing of data, in a secure environment, for the delivery of timely, effective and good quality healthcare to patients and guarantee their safety.
Position papers adopted by the Coalition:
In January 2013, HOPE published a position paper on the Commission’s proposal. In this document, HOPE welcomed the Commission’s effort to further harmonise data protection requirements in the European Union and the provisions to support healthcare and health research. However, HOPE brought attention to some areas in need of being enhanced to facilitate improvements in care delivery, continuous medical innovation and support of medical research for the benefits of society. HOPE stood against a considerable number of draft provisions restricting the availability of health data, delaying innovation, creating legal uncertainty and increasing compliance costs.
Additionally, ahead of the vote on 21 October 2013 in the Parliamentary Committee on Civil Liberties, Justice and Home Affairs (LIBE) HOPE sent a briefing to MEPs putting forward some recommendations for vote on crucial provisions for the health sector.
In September 2015, HOPE joined the European Data in Health Research Alliance, which brings together stakeholders from academia, patient and research organisations from across Europe committed to ensure that the review of the Data Protection Regulation does not limit the use of personal data for health research purposes. HOPE signed a joint statement published in October 2015. The joint statement highlights key issues to be taken into account by policymakers during the trilogues negotiations.
In May 2016, HOPE had published in collaboration with the NHS European Office a briefing intended for staff working on privacy or information governance in hospitals and other health and care organisations. The study highlighted the main changes that can be expected for the health and care sector when meeting the data privacy requirements laid out in the Regulation. It also provided recommendations for national and EU implementers on how to prepare for a smooth transition to the new law in the health and care sector.
In July 2019, the Commission published Communication taking stock of the implementation of the Regulation. It is providing grants to data protection authorities to co-finance their reaching out to stakeholders, in particular individuals and small and medium size enterprises.
A workshop was organised on 16 March 2020 as a component of the assessment of the Member States’ rules on health data in the light of GDPR with Ministries of Health (MoH) delegates from EU Member States, external experts and stakeholder delegates. The workshop was divided into three sessions, each addressing a specific type of processing of health data, namely the primary use for health and social care delivery, the secondary use for scientific research and industry and last for wider public health purposes including planning, management, administration; prevention or control of communicable diseases; protection against health threats and ensuring quality and safety standards of healthcare and of medical products and medical devices.
HOPE also attended the workshop discussing the draft results of a survey on the assessment of Member states’ rules on health data in the light of GDPR on 15 June 2020. HOPE raised with other organisations several issues:
- > The need for targeted sector-specific legislative measures at EU level to provide a harmonised approach to health data processing and addressing the governance principles, responsible use and re-use of health data;
- > The data subjects’ (patients’) rights, including access, rectification, erasure and portability of data, as well as the right to information about why, how and by whom data are processed. The GDPR provides that the right to erasure may not apply when they are processed for public health or healthcare purposes, and that the right to portability applies only where data are processed on the basis of consent or contract. The study has identified that access to and portability of health data are highly desired by patients, but frequently difficult to exercise.
- > Data re-use for research. The study has shown that re-use of data for public health purposes such as, new medicines regulation, pharmacovigilance, medical device certification and safety; health system planning; public health threats; etc is often very difficult because of both practical and regulatory issues related to data access.
The European Data Protection Board, composed of the EU data protection authorities, issued a statement on 20 March 2020 on the processing of personal data in the context of the COVID-19 outbreak.
On 24 June 2020, the Commission released a Communication on two years of application of the General Data Protection Regulation and concludes of the success of the legislation. The report shows the GDPR has met most of its objectives and has proved to be flexible to support digital solutions in unforeseen circumstances such as the COVID-19 crisis. The report also concludes that harmonisation across the Member States is increasing, although there is a certain level of fragmentation that must be continually monitored. It also finds that businesses are developing a compliance culture and increasingly use strong data protection as a competitive advantage. The report contains a list of actions to facilitate further the application of the GDPR for all stakeholders.