Health data, does the GDPR favor the evolution of medicine?

20 February 2020

As we indicated in the previous article in our dossier on health data, if the French people approve of their processing, it is on condition that their protections are respected.

The GDPR imposes a number of obligations on those who collect, store and process health data, such as the fact that

health data are considered sensitive data;
their processing requires the explicit consent of the persons concerned;
their processing is necessary for scientific research purposes…

However, this is not necessary in cases of legitimate and imperative reasons that outweigh individual rights and freedoms.

Use of health data for clinical research

The use of patients’ health data for clinical research is subject to the GDPR under the following rules:

patients must be informed of the potential uses of their data;
the purposes of the processing;
the legal basis used;
the contact details of the controller;
all recipients of the data;
and how long the data will be kept, or at least the criteria for determining this period.

This information must be provided in a concise, transparent, understandable and easily accessible manner.

Data controllers have a duty to ensure the security and confidentiality of data.

The GDPR provides certain rights to data holders. These are listed below:

right of access;
rectification;
erasure;
limitation of information;
and to object.

These are legitimate unless there is a legitimate reason that overrides individual rights and freedoms.

Protection of the individual and anonymisation of health data

The data from shared medical databases must be anonymised so that individuals cannot be identified.

Access to and use of these databases require compliance with strict regulations in order to guarantee their confidentiality.

It is necessary to obtain :

a favourable opinion from the Committee for the Protection of Individuals;
an authorisation from the National Agency for the Safety of Medicines and Health Products;
and a declaration of compliance with the reference methodology for clinical studies and health data sharing.

Scientific research involves some specificities

The field itself makes it sometimes very difficult, if not impossible, to define precisely the purpose of a processing operation, so data subjects may give their consent for particular areas of research, or for specific parts of projects, but the requirement to specify purposes is less than in other settings.

Data processed for scientific research purposes may also be kept for a longer period of time, beyond the fulfilment of the purpose for which they were originally collected. This area can also sometimes dispense with the obligation to inform individuals about the processing, given the difficulties that this may present in some cases.

The GDPR rights of access, rectification, and restriction are also restricted to the extent that their exercise could harm work. The right to erasure cannot be applied in this context. However, the processing of data for scientific research requires appropriate security guarantees, but also the application of a precise methodology.

If in October 2017, two out of three people already trusted French institutions to ensure the protection of their health data, the entry into force of the GDPR in May 2018 and the requirements and obligations it implies must have reassured French people concerned about the security and control of this data.

This legal certainty could thus calm their fears and push them to share their medical data in order to make the health sector evolve, which we will see in the next article in our dossier on health data!

If you would like to learn more about Fair&Smart and our personal data management solutions, click on the button below:

Let’s contact us!