The EHDS is about data, not bodily material. The Dutch draft Bodily Material Act is about material, not data. This might lead one to believe there's no overlap. But if you extract data from material, you're doing something with both data and material. That's why I'm discussing my thoughts on the draft act here. Spoiler alert: it's not good.
The Ministry of Health, Welfare and Sport will soon determine who will become the HDAB; who will be the source of permits for the beneficial reuse of health data. Who can be this, and who cannot? And what will this HDAB be responsible for?
Under the EHDS, work must be performed in a Secure Processing Environment (SPE). Scientists don't receive data, but access it in a SPE that meets the strict technical and security standards established under the EHDS. What does this entail? And will everyone be required to work in such a SPE from now on? Will it become a supercomputer containing all our health data?
The EHDS requires considerable preparation. A Health Data Access Body needs to be established, various software and hardware components need to be built or connected, and additional legislation needs to be drafted. Therefore, the EHDS will come into effect in several phases. What happens when it comes to the beneficial reuse of health data?
The arrival of the EHDS is causing public unrest. Will our health data still be safe? The regulation will indeed make more data available for beneficial reuse. But at the same time, health data will also be much more secure. So, kudos to the EHDS.
As a medical scientist, you might think you have little professional involvement with the rule of law. Nothing could be further from the truth. Understanding the separation of powers, for example, is crucial for knowing when to ignore the Data Protection Authority. It's also helpful to understand that lobbying begins with the question of whether the Ministry of Health, Welfare and Sport is the right place to be.
The EHDS is creating new roles around the reuse of health data. The Health Data Access Body is well-known, but the data collector is unknown. This data collector is crucial for unlocking data in a way that is more efficient, better for science, and, above all, can contribute to greater trust in the system. I think it would be useful if we thoroughly discussed at conferences in the Netherlands how we can optimally design the EHDS system by utilizing the role of data collector.
In discussions about the reuse of health data, national borders are often discussed. Privacy advocates often believe that "our" data shouldn't be allowed to cross borders when reused. Scientists argue that they can only do their work if data from different countries can be used. Therefore, they welcome the EHDS. What both parties overlook is that the free flow of health data within the EU has long existed.
Reusing health data for scientific research, for example, is currently permitted in The Netherlands if the patient has given consent (with some exceptions). This will change under the EHDS. What will this entail? Who will oversee it? And is all of this ethical?
The EHDS is perceived by those who distrust the government as a manipulative tactic: the coronavirus pandemic would be used to learn everything about us citizens. The striking thing is that even these suspicious people will be enormously helped by the EHDS. This regulation includes not only a data permit, but also a request: a request for an answer to a statistical question. Anyone can request such a request, which is therefore excellent for our constitutional state.
On LinkedIn, doctors and medical researchers regularly complain about unworkable regulations. My response is: if it's not in the law, you can often ignore it. Dentists and pathologists then explain to me that these are codes of conduct that the IGJ also uses and that "therefore" cannot be ignored. Here's an explanation for them as to why certain codes of conduct can indeed be ignored.
In healthcare, law and ethics are often confused. Ethics is a reasoned judgment, law is a collection of rules. Confusing them leads to all sorts of misunderstandings. Lawyers describing the EHDS don't offer an opinion on ethics. But the democratically elected European Parliament did.
A DPIA is a Data Protection Impact Assessment. It is mandatory under the GDPR in certain cases. What is it and what isn't it? When is it mandatory? And what is the role of the Data Protection Officer?
Medical scientists trying to gather data for (undeniably useful) research are sometimes faced with rejection due to "purpose limitation." For example, someone had collected data for research into unexplained excess mortality after COVID-19. When she subsequently wanted to use that same data for research on Long-Covid, it was denied. Purpose limitation! But is that correct?
The EHDS aims to make more health data available for beneficial reuse by making it more secure. The GDPR will continue to apply alongside the EHDS. It already stipulates that such reuse is permitted if it serves a good purpose (such as scientific research), if the law is followed, and if measures have been taken. In that respect, the EHDS offers nothing new. Nevertheless, what is about to happen is revolutionary, partly because scientists will indirectly gain a right to data.
The European Health Data Space aims to make more health data available to them for research and therefore includes a list. Member States can add data to this list in their own legislation if they feel something is missing. It's therefore important that we carefully examine the list and consider which data are missing, but which are also important for science and policy evaluations. Study the list here and share your thoughts.
The EHDS is European law. But what is it exactly? Does it have direct effect? What is the difference between a directive and a regulation? What is implementing legislation? Does European law always override national law? Can the EU write rules about public health? And can privacy be protected beyond what Europe prescribes?
The European Health Data Space Regulation, a European law on health data, came into effect in February. It will be implemented gradually over the coming years. The law contains rules for the primary care process, rules for the healthcare IT market, and rules on data reuse for purposes such as scientific research. But why did the EU write this law in the first place? Shouldn't we, as member states, decide this for ourselves?
Pseudonymization is a term in the GDPR that causes confusion. Is this personal data, and does the GDPR therefore apply to it, or not? As is so often the case, the answer from lawyers is: it depends. This is because pseudonymous data is not a category of data. Pseudonymization is only listed in the GDPR as a privacy protection technique.
All those contracts in medical research! Medical scientists can easily get lost in the maze of contracts: Grant Implementation Agreements, Consortium Agreements, Clinical Trial Agreements, Data Transfer Agreements, Joint Controllers Agreements... and so on. What does it all entail?
It's not always clear whether a contract is a subsidy or a commercial contract. People often think, "It's been tendered, so it must be a contract," but that's not true. The title they attach to it isn't decisive either. But the difference is important, especially for VAT purposes. Subsidy law also requires various steps.