January 9, 2018

Patient Groups and Data Protection Practice

BEST DATA PROTECTION PRACTICE

For many European patient groups and organisations, understanding their obligations under the European Union General Data Protection Regulation can be challenging.

Touching all patient group activities from creating apps, to holding individual’s data, to clinical research and registries, the Regulation will apply at the end of May 2018.

Key patient organisations across Europe have taken action to:

Identify the implications of the Regulation
Identify how to monitor its implementation locally
Make sure their own activities that involve collecting, using and sharing data are compliant.

Grasping the data protection nettle

Most ehealth meetings we have been to over the last couple of years have discussed the General Data Protection Regulation. This is because its impact on patient group activities, healthcare and clinical research is quite fundamental.

Hitting the balance between patients’ wishes to participate in research while at the same time recognising their right to protect their health data was always going to be challenging. Patient groups used the draft consultations to try to ensure a fair balance.

Key guide from the European Patient Forum

Because patient groups will themselves often hold, process and control data on individuals, they face some specific challenges and obligations.

This is why the European Patient Forum guide on the Regulation published in 2016 is still so important. It examines the implications of the Regulation specifically from a patient group perspective.

The guide is partly about helping patient organisations to ensure that when the Regulation is implemented locally that patients’ rights to privacy, data sharing, and accessing their health data are respected.

The guide also summarises:

Principles of the Regulation and the resulting rights patients have over their health data
Rules for patient consent in the collection, use and sharing of their data
Recommendations when patient groups collect use and share patient’s data. For example as part of their advocacy activities.

Country level compliance: Ireland

The Irish Platform for Patient Organisations, Science and Industry (IPPOSI) brought all key stakeholders together to evaluate the impact of the Regulation at country level. A round table meeting in involved the Irish Department of Health, patient groups, clinicians and industry.

The organisation then published a report in July summarising:

the impact of the Regulation on health data and research
how patient consent can be more `dynamic’ and flexible in biomedical research. This makes it easier for people to “give consent and revoke consent. As well as, importantly receive information and engage in clinical research activities”.

In the report, Dr Gianpiero Cavalleri of the Royal College of Surgeons Ireland, identified the practical challenges for the research community: “The reality is that 99% of the datasets held right now probably don’t comply with GDPR.”

The report concludes that despite the scale of the challenges ahead, there is overall benefit for patients:

“Patients are more empowered and informed about the consent and research processes, and the GDPR should allow for greater transparency as to the use of their health data. This should lead to greater confidence and trust among patients”– Irish Platform for Patient Organisations, Science and Industry (IPPOSI)

Ongoing vigilance: Watching the regulators

Although the point of an EU Regulation is harmonisation there will of course be complexity about how the regulation is enacted and implemented through country law. It’s an issue that concerns patient organisations such as the European Cancer Patient Coalition, ECPC:

“Unfortunately, the GDPR leaves some room for interpretation to EU countries. The EU countries can individually set out the rules on few key aspects of the GDPR, including those on exemptions in scientific research.

As a consequence, there is the danger that data protection rules might not be the same across all EU countries. This can be very dangerous to the sharing of precious data, and therefore slow down both research and useful innovation to patients.” – European Cancer Patient Coalition.

NEXT STEPS: