What COVID-19 teaches us about the use of medical data.

Enormous amounts of data are generated in hospitals related to the treatment of COVID-19 patients in the form of laboratory reports, CT reports, clinical notes … However, there is a lack of insight into which therapies are effective and which risk factors exist as this data is collected in disparate data formats and systems. Insights in these data are required to treat COVID-19 and to better cope with epidemics or pandemics in the future. New technologies such as data mining, cloud computing, etc. must be used to uncover live-saving insights into this plethora of data. The question is: Can hospitals use these novel techniques to analyze this data? And is the GDPR an obstacle in this process?

At LynxCare, we’ve built extensive experience in clinical data processing for various hospitals over the last 3 years. Contrary to popular belief, the GDPR has been a facilitator for us. Even more, the GDPR is a critical enabler for our clinical data processing & Big Data services. The GDPR has brought clarity to the legal framework, which is largely uniform in the EU, and laid down in the rules for the correct use of data. The obstacles we encountered however were mainly the lack of knowledge of the legislation by many stakeholders in the healthcare industry.

What exactly are the concerns for processing health data within the GDPR?

One of the GDPR’s main principles is purpose limitation. This principle entails the owner of the data to be able to determine the purpose for which his or her data are used or processed. Parties commissioned to process this data can also appoint other parties to assist them in this task. If applied to the context of the hospital, this is a clear matter: Can hospitals use new technologies to process medical data? For the patient, i.e. the owner of the data, the goal or purpose of the hospital is to receive treatment. Therefore the hospital may use new technologies to achieve this goal. The GDPR also states that the use of this technology does not have to be limited to the treatment of a single patient. This means data processing can also be used more generally for quality management within the hospital, which ultimately benefits all patients.  In principle this is a simple matter.

To respect the GDPR principle of data minimisation, it is required that only the data needed for this purpose are provided. The purpose has to be legitimate and the appropriate security measures must be taken. These conditions follow from the principle of purpose limitation. So as long as the appropriate security measures are complied with, it does not matter whether the used technology is from a commercial player or from a non-profit. Even so it does not matter whether the data is hosted locally by the hospital or in a Microsoft or Amazon server park.

Does the patient have to give consent? No, because as stated, he or she has instructed the hospital to treat him or her in the best way possible. Within this context, the hospital may use the necessary technologies to serve this purpose. However, the hospital is obligated to report which technologies it uses for this purpose and can do so in the privacy policy, but it does not have to ask for consent. In the end, the hospital must be able and allowed to use the right means to achieve its goal: treatment of the patient in the best possible way.

How does COVID-19 impact this?

On 21 April 2020, the European Committee for Data Protection (EDPB – the umbrella body of all European privacy authorities) published recommendations on the use of health data in the context of scientific research with regards to COVID-19. The previous paragraph makes clear that a hospital can use new technology in the context of treatments and their improvement, as well as that this does not require patient consent.

Until now, many questions are nonetheless raised regarding the use of health data for scientific research. Patients do not specifically come to the hospital to take part in scientific research. In the context of the GDPR, this would be a different purpose.

Does the patient have to explicitly agree?

The legislation on patients’ rights and scientific studies/experiments states that consent is always required when the patient’s treatment process is changed, for example by a new type of treatment, participation in a clinical study… But in order to process the data within the context of scientific research, the GDPR is clear: there are various legitimation grounds for processing data, and consent is but one of them. For data that are already present (historical data) the legislation clearly specifies that other grounds of legitimacy also exist. These can be in the context of a legal obligation or in state interests. Scientific research can also be just as legitimate in itself. Historically it was up to the member states to fill in this ground of legitimacy, which resulted in a great deal of confusion and differences. In Belgium, this was done through the Law of 30 July 2018 on the protection of individuals with regard to the processing of personal data.

Clear guidelines

In the context of COVID-19, the EDPB made clear recommendations and clarified a number of principles on data processing for scientific research and how Member States may put this into practice.

First, if it is difficult or impossible to seek a free consent, for example because the patient was already dependent on the doctor for the treatment of his disease, the GDPR allows the research to continue without consent. In this case it suffices to inform the patient as well as possible. However, the research must be scientifically well defined. Hospitals’ ethics committees can oversee this by testing it methodologically and ethically. Also, the patient will still have a right to object (a kind of opt-out), but this is only a limited right as objection is no longer possible if the data have already been analysed and must remain available for verification.

Secondly, research can only be performed if the data are pseudonymised and encrypted. Belgium has in this respect already taken a leading role in making scientific research possible. This recommendation of the EDPB now clarifies the responsibility of hospitals all over Europe in the case of deployment of new technologies, enabling these data to become available for scientific research and the development of new treatments. With this recommendation the EDPB has created the necessary clarity towards national governments.

More data in healthcare

COVID-19 clearly shows that the time is now for more data and not less. The risk of improper use must be avoided at all times but the GDPR provides the proper ground rules for this. Hospitals are therefore able to use new technology to improve their treatments and conduct scientific research within the right framework.

The EDPB’s recommendation covered only COVID-19, but what about other conditions? Should we just ignore historical data for other conditions, so that no progress can be made in scientific research? COVID-19 makes it clear that we must reverse the question: Hospitals and all healthcare stakeholders have a responsibility to manage the data in their systems properly using the right technologies. In doing so they not only improve their patients’ care, but with the aid of scientific research, the care for all patients.

Now is the time to take a next step in medicine and value-based healthcare  based on real-world’ data and evidence from clinical practice.

“When you can measure what you are speaking about, and express it in numbers, you know something about it, when you cannot express it in numbers, your knowledge is of a meager and unsatisfactory kind; it may be the beginning of knowledge, but you have scarcely, in your thoughts advanced to the stage of science.” – Lord Kelvin, 1824-1907.