Big data has changed the way we manage, analyse and use data. In the healthcare sector, we have had applications such as health apps, pedometers and other wearables for several years now. They measure our lives, stimulate healthy lifestyle initiatives and warn us about health problems. Big data also performs well in the healthcare sector. Data from hospitals, general practitioners, medical laboratories, but also from patients themselves, can contribute to personalised care and better prevention of health problems. But which data is involved, exactly? Does it really have so much potential? And what about privacy?
My data? Useful?
You may already have experienced it: you are referred by your GP to a specialist, you have to have a scan first, you have a history of an allergy diagnosed by a doctor abroad, your new physiotherapist doesn’t know anything about your rehabilitation five years ago with your now retired physio, and only your previous GP knows about your parents’ illnesses. Clinical data (patient files) and whereabouts (your ‘route taken’) could be used to bundle these data, thus improving care and making it more efficient. Administrative data of patients as well as care providers can all be important. Through improved access to patient data, relationships between patterns and trends can be discovered, which can lead to lower treatment costs and avoidance of symptoms or even diseases. Thanks to data sets, devices can, for example, predict strokes or analyse heart scans more accurately than a doctor could ever do. In short, the processing of big data within the healthcare sector can improve the overall quality of life.
Doctors or processors?
The exchange of medical data between healthcare providers or between patient and healthcare provider is at the basis of many new application possibilities. At the same time, sufficient safeguards must remain in place with regard to information security, protection of privacy and professional secrecy. Will our privacy not be compromised as more and more data is collected, processed and used?
Before a hospital carries out any processing activity, its legitimacy must be verified. In general, the GDPR recognises six legal bases (non-cumulative) on which a processing of personal data can be based, as stated in article 6, paragraph 1 GDPR: consent of the data subject; the necessity for the performance of a contract; a legal obligation; the protection of vital interests; the performance of a task in the public interest; and the representation of the ‘legitimate interests of the data controller’.
In addition to the above legal bases, an additional legal basis is required for the processing of sensitive data, such as health data. This is because in the healthcare sector, highly confidential and sensitive information is involved.
The processing of sensitive data is in principle prohibited by Article 9 GDPR. This includes genetic data, biometric data, data concerning sexual behaviour and/or preferences and data concerning health. The GDPR only allows the processing of these data in exceptional cases, i.e. if one of the grounds for processing mentioned in the second paragraph of Article 9 is present, such as (among other things) when explicit consent has been obtained, the processing is necessary for obligations and/or rights under employment or social security law, reasons of public interest in the area of public health, vital interests are at stake, the information has been made public by the data subject himself or when the processing is necessary for preventive or (occupational) medicine.
When we apply this to healthcare, we see that health data is processed on a daily basis. Each of these processing activities therefore requires two processing grounds: in general, one from Article 6 and, in particular, one from Article 9 GDPR.
When one goes a step further and wants to (re)use this health data for scientific research (to discover patterns, for example), the situation becomes more complicated.
To start with, data transfer between the sources of the data, the research platform and the researchers is not always necessary. Imagine, for example, that data sources should only allow big data analyses to be carried out within their systems and that only general conclusions are drawn here: then there is no transfer of personal data and the GDPR does not apply.
However, the GDPR does apply when the data controller carries out an analysis of the data that he himself manages. As the GDPR is based on the principle of purpose limitation, this means that the specific purposes for which data are collected must be explained to a patient. In this case, the ‘re-use’ of patient data for scientific research is certainly not the initial purpose for which the patient gave consent. Scientific research, however, is an exception to this principle of purpose limitation.
In the situation where personal data are transferred, all necessary measures must be taken to ensure maximum security of the data and to avoid the identification of patients. This can be done via anonymisation (the data loses its status as personal data) or pseudonymisation (via a ‘third party confidential adviser’).
If the patient’s data are used to conduct research in the public interest and all ‘appropriate safeguards’ for safe and unrecognizable re-use are respected, the re-use of the data is possible without the consent of the patient in question. Without this particular exception of public interest, the patient retains his right to object to the re-use of his data.
The Covid-19 pandemic, despite the admirable efforts of Belgian healthcare providers, has revealed clear pain points in the healthcare sector. However, among other interventions, the use of big data can revolutionise the proper functioning of the healthcare sector and increase people’s quality of life.
While we note that the medical sector can invoke different grounds for processing personal data, in these situations the GDPR already seems to offer a very precise and relevant framework that reconciles the different interests in a balanced way.
To find out more about big data and healthcare, do not hesitate to contact us at firstname.lastname@example.org.
Written by Emiel Koonen, Legal Adviser theJurists, and Kris Seyen, Partner theJurists