The discussion about the European regime for processing personal data is entering a new phase. After the European Commission had proposed a new General Data Protection Regulation (GDPR) in 2012, the European Parliament proposed a different version in May 2014. The proposal of the European Parliament of the GDPR restricts processing personal data by requiring informed consent, regardless of the purpose the data will be used for and regardless of whether or not privacy enhancing technologies are applied. Although there are a number of situations where the version of the European Parliament proposes alternatives, informed consent seems set to become the default. In this version of the GDPR, informed consent is not only required for directly identifiable data with names, addresses or other identifiers of people, such as IP addresses, but is deemed to be necessary for all data that is not anonymous. After all, the version of the Parliament distinguishes only two types of data: personal vs. anonymous. Many comments have argued how this version could seriously jeopardise (public) health research.1-3 Informed consent for the use of data in health research cannot be based on the dichotomy of personal vs. anonymous data. In spite of the use of privacy enhancing technologies, data in health research is highly likely to contain indirectly identifiable variables, simply because of its granularity. Moreover, data that may identify subjects is needed for research in children’s diseases (age classes in months) or effects of environmental exposure (location) to name but a few.
In June 2015 the Council of Ministers, which is the third player in drafting European Union (EU) legislation, proposed its version of the GDPR. That version is much more research friendly. Further use of personal data is not seen as incompatible with the original use for which data were processed. Broad consent seems to be possible, and research without consent is left to the legislation of the member states. The latter is already the case under the existing EU Directive 95/46/EC which is at the moment the Europe-wide standard for processing personal data, as a Directive needs to be implemented into national law. Regulation, such as the proposed GDPR, would bind governments, corporations and citizens directly and hence aims to harmonise completely. In the Council’s version, such harmonisation would not be reached for research with personal data without consent. Incomplete harmonisation might be preferable to harmonisation according to the most strict standards.4
With its proposal, the European Parliament ignores the need for granular data, at least in the first steps of the research and the use of privacy enhancing technologies in further steps,5 to give us adequate feedback on our current practices of health care delivery and health protection. This kind of research contributes to a learning health care system which, in the European context, is based on the principles of solidarity, quality and long-term sustainability. Research based on large-scale registries (with the records of millions of patients) used, e.g. to determine disease prevalence would need the informed consent of all individual patients. Such procedures create biased research, which affects the quality of our health care systems. Furthermore, the Parliaments’ proposal is contrary to recent calls to reduce waste in biomedical research regulation and management 6 and initiatives aiming at responsible sharing of individual patient data from clinical trials.7 Therefore, the research community, together with patient organisations, endorsed the more research friendly approach of the Council, and the website datasaveslives.eu gives regular updates about their views and the GDPR discussions.
Yet, representatives of patient organisations, who know what is at stake if data will not come to their aid or to those after them, might not be seen as representatives of the average population. Therefore, we conducted a survey of citizens’ opinions about health research and the extent to which people would be willing to give researchers access to their health data. This used a sample of 1500 members of a panel of citizens (the Dutch Health Care Consumer Panel of the Netherlands Institute for Health Services Research NIVEL) of whom 731 responded. Response rates of this panel depend on the target group and the subject of a questionnaire and may lead up to 70%. Our current response rate is lower, but still in line with previous surveys of this panel. The responses have been weighted to represent the Dutch population for age and gender.
Respondents appeared to have a reasonably high degree of trust in the research community (78%, compared with 92% in medical professionals and 46% in the pharmaceutical industry). Most respondents agreed that scientific health research is very important (93%). Two-thirds find it a problem when privacy regulations become more strict and make less scientific health research possible (23% has no opinion, 13% finds this a problem). At the same time, one-third find their autonomy in deciding over their ‘own’ health data more important than medical scientific progress (29% has no opinion, 40% does not agree with this statement). However, the majority (three-quarters) agree to their health data being used without informed consent, as long as this data is well protected and only used for scientific research (12% has no opinion). In our analysis, respondents with a higher education seem to have more need to decide over their ‘own’ health data by themselves. The same applies to respondents with better self-reported health and younger respondents.
These outcomes seem to be in line with other findings about patient views about using patient data for health research.8 Our findings also show that trust is the paramount issue here. There has not yet been a data breach reported of patient data once safely in the research domain, and there is quite a number of techniques how such safety can be reached.5 Yet, what happens behind the scenes is not enough. It seems to us that much more transparency and explanation is needed about how the ‘further use’ of patient data is the driving force of all improvement in health care and prevention.9 It should also be explained that what patients might see as ‘their’ data is in fact the result of all previous learning experiences and investments in the European solidarity based health care systems.10 These two explanations, next to data safety in which all researchers have a vested interest, form the ethical basis of a research exemption from which the European Parliament might learn as well.
In the following months, the three mentioned players will negotiate about a final text, the so-called ‘trilogue’. We may hope that the outcomes of the trilogue will be more nuanced than the mistaken ‘consent or anonymise dichotomy’9 and will recognise the need for health research with granular data. After all, the protection of data in research should be proportional to the risks and benefits of the use of that data for improvement of health through research. This will allow future generations to have the same benefits from health research as past and current generations.
Conflicts of interest: E.V. is advisor to research consortia, research organisations and patient organisations.
References
- 1.Nyren O, Stenbeck M, Gronberg H. The European Parliament proposal for the new EU General Data Protection Regulation may severely restrict European epidemiological research. Eur J Epidemiol 2014;29:227–30. [DOI] [PMC free article] [PubMed] [Google Scholar]
- 2.European Public Health Association. A response by the European Public Health Association to the report by the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs report on the proposal for a General Data Protection Regulation (2012/0011(COD): EUPHA; 2013. Available at: http://www.eupha.org/repository/sections/PHMR/EUPHA_DPD_response_22_Febr_2013.pdf (27 January 2015, date last accessed).
- 3.Ploem MC, Essink-Bot ML, Stronks K. Proposed EU data protection regulation is a threat to medical research. BMJ 2013;346:f3534. [DOI] [PubMed] [Google Scholar]
- 4.Hakulinen T, Arbyn M, Brewster DH, et al. Harmonization may be counterproductive–at least for parts of Europe where public health research operates effectively. Eur J Public Health 2011;21:686–7. [DOI] [PubMed] [Google Scholar]
- 5.Kuchinke W, Ohmann C, Verheij RA, et al. A standardised graphic method for describing data privacy frameworks in primary care research using a flexible zone model. Int J Med Informatics 2014;83:941–57. [DOI] [PubMed] [Google Scholar]
- 6.Al-Shahi Salman R, Beller E, Kagan J, et al. Increasing value and reducing waste in biomedical research regulation and management. Lancet. 2014;383:176–85. [DOI] [PMC free article] [PubMed] [Google Scholar]
- 7.Drazen JM. Sharing individual patient data from clinical trials. New Engl J Med 2015;372:201-2. [DOI] [PubMed] [Google Scholar]
- 8.Stevenson F, Lloyd N, Harrington L, et al. Use of electronic patient records for research: views of patients and staff in general practice. Fam Pract 2013;30:227–32. [DOI] [PubMed] [Google Scholar]
- 9.Sethi N, Laurie GT. Delivering proportionate governance in the era of eHealth: making linkage and privacy work together. Med Law Int. 2013;13:168–204. [DOI] [PMC free article] [PubMed] [Google Scholar]
- 10.van Veen EB. Patient data for health research, a discussion paper on anonymization procedures for the use of patient data for health research. The Hague: MedLawconsult, 2011. [Google Scholar]