Leonardo Cervera Navas, Director at the European Data Protection Supervisor (EDPS) in an interview for the magazine “Healthy Europe” on the protection of health data and the challenges of sharing them within and between countries. A short version of the interview is part of an article on page 8 of the print magazine “Healthy Europe”.
Director Cervera Navas, what has to be done generally to guarantee data security and ethical usage of data? How can the tasks of the European Data Protection Supervisor in that context be described shortly?
Leonardo Cervera Navas:
The fundamental rights to privacy and to the protection of personal data have become more important for the protection of human dignity than ever before. Such rights are enshrined in the EU Treaties and in the EU Charter of Fundamental Rights. The General Data Protection Regulation (GDPR), now applicable since two months, lays down, under its Article 5, the data protection principles(lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality)that apply to all processing of personal data.Indoing so, the GDPR expressly reinforces the data protection principles that guarantee, among others, data security.
However, in today’s digital environment, we also have to consider the ethical dimension of the processing of data. We should address deeper questions as to the impact of new technologies in data driven society on dignity, individual freedom and the functioning of democracy. The possible solutions relate tomanifold aspects and have engineering, philosophical, legal and moral implications.We needa collective effort, underpinned by ethical considerations in order to respond to these challenges.
In this context, in theEDPS Strategy 2015-2019, we have outlined as one of our priorities the assessment of an ethical dimension that, as said above, goes beyond the application of data protection rules and encourages a multi-stakeholders and informed conversation and knowledge-sharing on the impact ofbig data and the internet of things on digital rights.
In September 2015, the EDPS issued an Opinion, Towards a New Digital Ethics, in which we urged the EU and the internationally responsible entities to promote an ethical dimension in future technologies to preserve the value of human dignity. The EDPS also created anEthics Advisory Group (EAG)with the aim of helping the EDPS to better assess the ethical implications of how personal information is defined and used in the digitalised world. As outcome of its work, the EAG issued a Final Report, which is available on our website.
This year the EDPS willbe hosting the International Data Protection and Privacy Commissioners Conference. The main theme of the Conference is:“Debating Ethics: Dignity and Respect in Data Driven Life”, focusing on the impact of digital technologies on our lives.
Let me recall that the European Data Protection Supervisor (EDPS) is the data protection authority for the European Union institutions, bodies and agencies. Among these institutions and bodies, the EDPS supervises the European Medicine Agencies (EMA)andclosely follows the work of EMA’s Technical Anonymisation group (TAG) with the key objective to further develop best practices for the anonymisation of clinical reports.The TAG group involves members from Europe and the US with significant experience in the area of anonymisation and clinical trials, coming from the academia, the public authorities – DPAs, the private sector, and other research institutions.
In addition to our supervision of the EU institutions, the EDPS also has a role as advisor on data protection issues in a wide range of policy areas and all matters concerning the processing of personal data, including health research policies.
Standardized surveys and usage of health data could bring benefits for patients by improving treatments and enabling more personalized medicine. On the other hand health data are especially sensitive. What has to be done to guarantee data security and ethical usage of data especially regarding health data? What are the most important measures?
Leonardo Cervera Navas:
It is widely acknowledged that standardized surveys and use of health data can bring benefits for patients by improving their treatments. In this regard, I would like to underline that data protection shouldnot to be considered as an obstacle, but as an added valuein order to improve the usage of health data, while keeping it safe and respecting the ethical dimension.
As provided by EU legislation, certain categories of personal data, including health data, are considered as particularly sensitiveandcannot be processed unless the ‘controller’ can rely on a specific legal ground (as specified under Article 9 of the GDPR) and specific safeguards are applied to the processing.
One of the legal grounds for the processing of health data is the explicit consent of the data subject (the person that can be identified, directly or indirectly, via the personal data). Consent is a key condition,also from the ethical viewpoint,for the processing of personal data in the context of health research projects.However, it should be considered that consentis not, in all circumstances, the appropriate legal basis for all the types of processing of personal data.In addition to allowing researchers to process sensitive data where the data subject explicitly consents or makes her data public, the GDPR also permits a controller to process sensitive data when processing is necessary for the purposes of “preventive or occupational medicine”; for reasons of public interest in the area of public health”; and for research purposes where “processing is necessary for [research] purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.”
We also note that it is often difficult to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research.
Let me also flag that Article 89 of the GDPR allows the EU or Member States to limit certain individual rights, when necessary for scientific research. As an exception, it should however be strictly interpreted and applied.
The GDPR introduces safeguards which, even though also applying to ‘non-health data’, are particularly relevant to the processing of health data:
- The principle of privacy by design and by default: this important principle, initially established only ‘in practice’, is now codified by the GDPR. Privacy shall be embedded in the design phase of the processing of data.
- The principle of data minimisation and data quality: these are ‘sides of the same coin’. A large amount of data are available in the real world, but not all of them are of good quality. The GDPR introduces the concept of data minimisation (use just what you need). As minimisation is implemented, there is a greater incentive to select data of good quality. Data quality is crucial in healthcare (e.g. clinical trials, therapy evaluation, etc.).
- The principle of accountability: the GDPR introduces a shift in paradigm about compliance. The controller has to adopt suitable measures to ensure and demonstrate compliance and to continuously assess, manage and minimize risk associated to processing.
A non-exhaustive list of appropriate measures includes: documentation,implementing security requirements , Data Protection Impact Assessment (DPIA) anddesignation of a Data Protection Officer (DPO).
Should information sharing of health data within and between countries be enhanced, especially for the aim of improving diagnoses and treatments? What are the challenges doing this?
Leonardo Cervera Navas:
The increasingly international dimension of scientific research requires the sharing of health data at the EU and at the international level toenhance diagnoses and treatments.
At the same timethe sharing of information may bring to an increased risk for the protection of data subjects. For this reason, the GDPR lays down a number of grounds, subject to specific conditions, for the transfer of personal data to third countries and international organizations. Such ‘legal grounds’ include: transfers to Countries recognized by the European Commission as providing an adequate level of protection by so-called adequacy decisions and appropriate safeguards provided by the controller or processor (legally binding agreements between public authorities, binding corporate rules, standard data protection clauses, approved codes of conduct or certification mechanism).
We note that the GDPR, also referring to codes of conduct or certification mechanism, extends the possibility for data transfers, also having regard to the exchange of health data for research purposes.
The General Data Protection Regulation, which has become law across the EU in May 2018, has been criticised as being over-regulative by health researchers and practitioners. Should it be attenuated regarding the purposes of health research and treatment?
Leonardo Cervera Navas:
As already mentioned, Article 9 of the GDPR provides for legal grounds other than consent allowing the processing of sensitive data in the context of research, in particular when necessary for reasons of public interest in the areas of public health, such as for public health surveillance activities and epidemiological studies.
The GDPR also offers new opportunities for standardizationof data protection practices in the field of scientific research, in particular with reference to codes of conduct, binding corporate rules and certification mechanisms. Such harmonisation (a ‘common playing field’) would facilitate the exchange of health related data (across health operators within EU Member States and with third countries) and hence the medical and scientific work.
As a general remark, let me stress that in the future, we expect that privacy is increasingly perceived as a quality feature of products and services lubricating the flow of information.
Let me finally add that the EDPS will soon publish a background paper on research and data protection in the European Union, as a first stage in stimulating an informed discussion on data protection law and related ethical issues in the field of research, having regard in particular to health research.