Patients are vulnerable, as the misuse of their private data can result in job loss, distress or perhaps worse. Legislators, companies and health care practitioners have a duty to protect the patients. Privacy is a human right, written into the European Convention on Human Rights, yet there are still groups of people completely unprotected by law. These groups include individuals who generate the data themselves and those living in countries that do not understand the need for data protection. Of course, patients whose data are held by the ill-informed or by those prepared to flout the law are also very vulnerable.
Let’s go to the very top!
On the 28th of January 2015, the European Commissioner for the Digital Single Market, Andrus Ansip, and Commissioner Věra Jourová provided a joint statement marking the 9th European Data Protection Day. In this statement they highlighted a new draft general data protection regulation, which has specific provisions on processing data for matters pertaining to health, including historical, statistical and scientific research purposes.
“These provisions will be fully harmonized – providing one set of rules for research data across the Union.”
The data protection regulation will hopefully be enacted during 2015, and may ultimately obligate companies and organisations involved in health-related research to ensure explicit patient consent concerning matters surrounding data management. But how can these regulations be enforced when the research community is so large? How does the EU ensure that the right people are informed about these important changes in data privacy law?
It’s about evolving law
This new regulation will help to regulate mobile health applications, which are currently seen as the biggest growth area concerning data collection. This doesn’t necessarily affect current IMI projects; however, up-and-coming IMI projects are seen as prospective users of mobile health applications, due to the inherent flexibility of this type of technology. Bodies that do not comply with the regulations are liable to be fined, which can result in the cessation of research projects and/or other plans for the data, including the closure of clinical trials. This is a good example of why we must always be mindful of the most current data privacy rules.
Medical research data is normally held securely in larger companies such as EFPIA members, organisations including the EMA, and some universities. Outside of these institutions, levels of data security vary. Data holders need to understand the nature of the risks and safeguards put into place concerning data protection.
There is a huge body of data users who are uninformed about EU legislation. Although that legislation is not specifically binding in itself, national law does hold groups accountable to it.
Who sits between you and the law?
Corporate policy usually involves distributing a simplified version of the law that enables employees to become legally compliant. Of course, with multi-national Public Private Partnerships (PPPs) there is a certain level of harmonisation necessary to ensure all partners are familiar with the wider picture. In addition to this, eTRIKS and others have cooperated in the production of accessible and harmonised European guidelines for the use and re-use of medical data whilst ensuring the privacy rights of the patient.
The role of eTRIKS
Anne Bahr, the EFPIA lead of the eTRIKS work package – Ethics for eTRIKS platform data, has driven a major effort to inform IMI partners of the regulations surrounding the use of patient data and to harmonize their approach to them.
It is the different interpretations of the law in each country and organization that can prevent quality cross-border research. eTRIKS looks to harmonize the project actors working under these circumstances.
IMI projects work largely with pseudonymised and anonymised data, which broadly translated means, respectively, data that can be traced back to the patient and data that cannot. In the past there was not a specific need to request permission from the patient for researchers to re-analyse legacy data. Legacy data is data of any form that was produced in past projects. With new EU legislation, researchers may soon have to gain further patient permission, unless an exception for research is included in the EU legislation.
With the advent of translational research, new statistical and topographical tools have been developed that enable new ways to interpret data. These specialised tools integrate old data with new, giving a stronger prospect of developing a treatment for a given condition or disease. On the one hand we have a very exciting new way to develop medicines, but on the other hand we cannot just ignore the patients’ privacy and go back and reuse their data without due consideration first.
Hence it is important that data managers and analysts understand how the data in their different forms should be managed securely. This relates to data storage and access rights, as well as legislation on what can and cannot be done. In short, there was a need for IMI project members to have a basic set of guidelines to help manage their data lawfully. eTRIKS has filled that need.
Anne Bahr oversaw the production of the eTRIKS code of practice on secondary use of medical data in scientific research projects. Irene Schluender of TMF and Leila el Hadjam of the EISBM were instrumental in the development of this harmonized framework to allow reuse of clinical data intended for and acceptable to other EU collaborative research projects, the IMI office, DPAs, patients’ associations and ethics boards. This document is a “global” reference and is drawn from many sources, including national and international legislation and Industrial code. It is guidance for IMI projects to address multi-partner, multi-country issues in complying with Personal Data Protection regulations, providing a roadmap for EU harmonized operational solutions. As law is ever evolving, this code of practice provides an excellent starting place for groups involved in multi-partner, multi-country initiatives.
Is eTRIKS having an impact in the wider data privacy landscape?
Yes, eTRIKS is helping other European projects to take better care of data, and makes it easier for them to harmonize their data management. It’s about transforming legal information into technical requirements, and promoting a balance between patient privacy and effective scientific research.
eTRIKS provides a suite of services including technical expertise, training webinars and written guidelines to enable PPPs to ensure that their members who come into direct contact with patient data become legally compliant. We have provided a number of training events for current IMI projects, and they have described the training as very useful.
In addition, eTRIKS members consistently participate in discussions with legislators, both supporting and contributing to new legislation. This ensures that eTRIKS remains at the forefront of efforts towards data protection.
EU legislation, what is coming that might change things?
Healthcare data compiled using mobile applications is widely unsafe. It’s difficult to ascertain who has access to the information accumulated by these applications and what the intentions of those with access are. This is an example of what the new EU regulation addresses. However, this may affect legitimate scientific research.
An exception to the requirement of consent for the secondary use of data would be a good workaround for those who have a legitimate cause to re-evaluate legacy data. Finding patients to obtain their consent could be extremely challenging, and would cause not only massive administrative upheaval but also loss of the use of very valuable data.
Anne will continue to work towards an industry-wide code of conduct for good practice in using health data in research.
The reality is that information technology puts privacy more and more at risk. Total patient protection is not likely to happen. In addition, public privacy rules do not protect people everywhere; there are countries that don’t understand the need to protect data privacy. We need to find a balance between research and privacy. We believe that data owners should take accountability and responsibility for their data, and this is what we work towards. In the meantime, eTRIKS is available to other IMI projects to provide guidelines on how to manage your data responsibly.