There's a persistent misunderstanding regarding the EHDS. Data holders must have their datasets included in a data catalog. However, data users can apply for a permit, even for data not yet included in the catalog. Therefore, the application procedure cannot be (solely) tied to the catalog.
Trusted Data Holders and the EHDS
Recommendation to the HDAB
The EHDS creates several new roles regarding the reuse of health data. A well-known example is the Health Data Access Body, a new government agency where a permit can (or must?) be requested to work with data in a secure processing environment. Much less attention is paid to the role of trusted data holders. The HDAB can designate these trusted holders to reduce the administrative burden. Due to their expertise in legislation and the secure processing of health data, these trusted holders may submit applications according to a simplified procedure, with a recommendation regarding the decision to be made. However, the HDAB must remain responsible for the actual issuance of the permit and may not be bound by the recommendation of the trusted data holder.
The administrative law - duty to verificate
I assume that Section 3.3 of the Dutch General Administrative Law Act (Algemene wet bestuursrecht), concerning advice, applies to the advice of the trusted parties. Article 3.9 is important in this regard: “If a decision is based on an investigation into facts and conduct conducted by an advisor, the administrative body must ensure that this investigation was conducted with due care.” This is called the duty of verification. Therefore, if a university hospital has the status of trusted holder and issues a decision on an application concerning its own data, the HDAB may not approve it without reading it. While marginal review is permitted, it is not permitted to omit review.
Academic hospitals as trusted holders
Keep in mind that there’s a difference between a factual application to a data holder and a legal application to the HDAB. With a regular data holder, they can (actually) contact them to inquire whether the data the scientist wants even exist, after which they can legally apply for a permit from the HDAB and go through the entire procedure. If the data holder is a reliable data holder, they have the right to have the scientists’ legal application to the HDAB accompanied by a proposal regarding the decision to be made. For example, academic hospitals seem logical parties to be designated as reliable holders. However, if the recommendations, according to the HDAB, are frequently incorrect (unjustified refusals or, conversely, unjustified grants), the reliable holder status can be revoked.
The trusted holder oversees the data user
Trusted holders of health data must possess, in addition to expertise, their own Secure Processing Environment or at least have access to one. The simplified procedure can be followed for a permit application or a request (the statistical inquiry) that concerns data exclusively from trusted holders. If such a request is submitted not to the trusted holder but to the HDAB, the HDAB will simply forward it. The trusted holder will write its recommendation within two months, after which the HDAB will make a decision within two months. The trusted holder will then perform the operational tasks (such as anonymization). The work is subsequently carried out in the trusted holder’s Secure Processing Environment, where it monitors compliance with all laws and regulations. The HDAB in turn monitors the work of the trusted data holders.
With the right to use the Identity number (BSN)
This allows the trusted holders to perform all sorts of tasks relatively independently, which is why it is explicitly described as a role that eases the burden on the HDAB, thus leading to a more efficient system. Of course, there shouldn’t be any national legislation that would hinder this, but that’s currently the case. Trusted holders must have the right to use the national identification numer (BSN) to link files in a privacy-safe manner. Furthermore, they must be able to independently consult the National Control Register using the BSN. If they aren’t allowed to do so, they still have to do their work through the HDAB, which prevents the role of trusted holder from being fully realized.
The EHDS is about data, not bodily material. The Dutch draft Bodily Material Act is about material, not data. This might lead one to believe there's no overlap. But if you extract data from material, you're doing something with both data and material. That's why I'm discussing my thoughts on the draft act here. Spoiler alert: it's not good.
The Ministry of Health, Welfare and Sport will soon determine who will become the HDAB; who will be the source of permits for the beneficial reuse of health data. Who can be this, and who cannot? And what will this HDAB be responsible for?