The EHDS is about data, not bodily material. The Dutch draft Bodily Material Act is about material, not data. This might lead one to believe there's no overlap. But if you extract data from material, you're doing something with both data and material. That's why I'm discussing my thoughts on the draft act here. Spoiler alert: it's not good.
The EHDS and the secure processing environment
Technical Requirements of the European Commission
Under the EHDS, work must be carried out in a Secure Processing Environment (SPE). Scientists will not receive data, but will have access to it in a SPE that meets the strict technical and security standards established under the EHDS. The exact nature of these requirements is not yet known. They will be established by the European Commission by March 2027 (see timeline). The European Commission will also assist Member States in promoting the security and interoperability of the various SPEs. Such security requirements cannot be prescribed in the EHDS itself. Risks and security evolve faster than new European legislation.
HDAB and Trusted Data Holders monitor
Please note: there are parties who claim that there will only be one single BVO, managed by the HDAB. This would then become a supercomputer containing all Dutch healthcare data. This is not the case. The EHDS clearly speaks of multiple SPEs. Every Trusted Data Holder (TDH) must also have an SPE, and it is likely that all the academic hospitals, among others, could become such. The HDAB and the TDHs must always monitor what exactly happens in their SPE, so that scientists are only granted access in line with the exact conditions of their permit.
Therefore, those who hold an SPE must be able to enforce compliance with both the GDPR and the EHDS. Scientists may not simply grant access to another scientist who is not also listed on the permit. And only non-personal data (i.e., anonymous or aggregated data) may be downloaded from such a SPE. They may, of course, be transferred from one SPE to another, for which interoperability must be achieved. The log data of processing operations within the SPE must be retained for at least one year to verify compliance with the permit conditions. In this way, the SPE is an essential safeguard for protecting the rights and freedoms of patients with regard to the processing of their health data for secondary use.
The SPE should always be mandatory
There is criticism (in The Netherlands) of the EHDS, which aims to make more health data available for beneficial reuse. It is important to keep in mind that the idea of this law is to make more data available, precisely by making it more secure; in the certified SPEs. It is important to note here that there are people who think that you will soon be able to freely choose whether to apply for a data permit, and that you will thereby ensure that you fall under the EHDS. It follows that you would also be able to choose whether or not you are obliged to work in a SPE. That you can choose whether you are obliged to do something seems an untenable position to me. But if it turns out that I am wrong, and people can indeed freely choose whether to apply for a permit, then the implementing legislation should include that working in a SPE (as described by the European Commission) will always be mandatory from 2029, even if one does not follow the route via the HDAB.
The Ministry of Health, Welfare and Sport will soon determine who will become the HDAB; who will be the source of permits for the beneficial reuse of health data. Who can be this, and who cannot? And what will this HDAB be responsible for?
Under the EHDS, work must be performed in a Secure Processing Environment (SPE). Scientists don't receive data, but access it in a SPE that meets the strict technical and security standards established under the EHDS. What does this entail? And will everyone be required to work in such a SPE from now on? Will it become a supercomputer containing all our health data?