Assessment of the EU Member States’ rules on health data in the light of GDPR. Specific Contract No SC 2019 70 02 in the context of the Single Framework Contract Chafea/2018/Health/03.

In the context of the Single Framework Contract Chafea/2018/Health/03 between the EUHealthSupport Consortium and the Consumers, Health and Food Executive Agency (Chafea), a study was conducted with the objective to examine and present the EU Member States’ rules governing the processing of health data in light of the GDPR, with the objective of highlighting possible differences and identifying elements that might affect the cross-border exchange of health data in the EU, and examining the potential for EU level action to support health data use and re-use. We distinguish between using health data for primary purposes (for treatment of the patient) and secondary purposes (for research, registries and management of the healthcare system). The study provides an evidence-based comparison of the state of play regarding health data governance within the EU. This will help to assess in what areas EU intervention might be needed and if so, through which types of measures, be it measures such as a Code of Conduct for data processing in the health area, which could be supported by an EU level implementing act or more direct legislative action, taking into account the particularities of the health systems in the Member States. The study uses a mixed-methods approach, consisting of the following elements: • Literature review to provide an overview of best practices, bottlenecks, policy options and possible solutions already identified in the literature. • Mapping legal and technical aspects of health data usage at national level to provide an overview of the differences among countries in legislation, regulation and governance models regarding processing health data. • In-depth case studies of national governance models for health data sharing. • Workshops held with MoH representatives, experts, stakeholder representatives and experts from national data protection offices. • Stakeholder Survey to cross validate and supplement the topics addressed and identified in the Member State legal and technical aspects mapping. The results of this study allow for a detailed assessment of possible elements at Member States/EU level that might affect the movement of health data across borders. It also identifies practices that could facilitate this exchange of data, as well as possible policy options for strategies in this area. Finally, we explored possibilities for sustainable governance structures for health data collection, processing and transfer, as well as measures empowering citizens to have more control of their own health data and to ensure portability and interoperability of these data. The work conducted in the context of this study makes clear that a number of legal and operational issues need to be addressed to ensure that European healthcare systems can make best possible use of health data for the three interlinked purposes of primary use for direct patient care, secondary use to support the safe and efficient functioning of healthcare systems, and secondary use to drive health research and innovation. It is clear from the views shared in the workshops and by country correspondents to the legal and technical survey that while the GDPR is a much appreciated piece of legislation, variation in interpretation of the law and national level legislation linked to its implementation have led to a fragmented approach which makes cross-border cooperation for care provision, healthcare system administration or research difficult. In view of the margin of manoeuver left to Member States in the GDPR to further specify the application of the Regulation in the area of health and article 168 Treaty on the Functioning of the European Union, a fully harmonised approach to the rules on processing of data in the area of healthcare provision, administration or research across the EU has not been achieved. Furthermore, the interpretation of the law is complex for Assessment of the EU Member States’ rules on health data in the light of GDPR 10 researchers at national level and patients do not always find it easy to exercise the rights granted by the GDPR. Taken as a whole, the evidence gathered through the study shows that there is a strong interest in the prospect of a European Health Data Space, but highlights that it would require a sound level of legal and operational governance. The need for operational governance embracing the FAIR data principles1 was highlighted, which in turn emphasised the need for wide-spread implementation of technical standards to ensure data interoperability and to build trust in data governance amongst EU citizens. There is a good level of support for actions at EU level to promote health data access and sharing. Such measures may include a combination of soft law (via a Code of Conduct) with other non-legislative and legislative actions. A Code of Conduct is considered desirable to explain concepts from the GDPR and to ensure a consistent approach to health data exchange at a more practical level (e.g. defining formats for data exchange). A challenge for EU legislation is that it should be supportive of the ways health systems are organised in the different Member States. The empirical work identified significant support for the creation of an infrastructure to facilitate data access and sharing, although there is no clear preference with regard to the way such an infrastructure should be set up. There is however a preference to regulate the operation of the infrastructure centrally via an EU agency or EU committee, rather than via a voluntary network. When a structure is set up or a Code of Conduct is drafted, a broad representation of stakeholders is considered important, including organisations engaging into scientific research, regulatory bodies, patients and policy makers. The topics explored not only address issues concerning legal requirements and governance, but point equally so to technical infrastructure, technical and semantic interoperability, data quality, data acquisition and digital skills and capacity building in the Member States. This also demands the full support to patients to act as active agents in their own health and care, with full capacity to exercise their health data related rights. Taken together these factors can be regarded as pillars of trust that are necessary to enhance the development of a European Health Data Space. It is clear that addressing health data sharing and governance requires a multifaceted approach. The identified future EU level actions, that should be complementary and cumulative, include stakeholder driven codes of conduct, new targeted and sector specific EU level legislation, guidance and support to the cooperation among Member States and relevant stakeholders, but also support for digitalisation, interoperability and digital infrastructures, allowing for the access to and use of data for healthcare, policy making and research and innovation. It is important that these future actions are developed in full respect of principles of proportionality and subsidiarity. Whatever next steps are chosen a EU level, it is clear that co-operation between EU Member States is crucial. Such co-operation should draw upon the work of national level data protection authorities coming together as the European Data Protection Board, as well as the numerous national and EU level bodies that represent patients, patients of specific disease groups, healthcare professionals, researchers and industry. The COVID-19 pandemic has done much to increase willingness for such co-operation and provides many new models for rapid, responsive and impactful action.