Healthcare data is valuable. In particular, aggregating and analysing large-scale healthcare data using machine learning and other data analytics tools may offer new insights in relation to diseases, resulting in better patient outcomes. Furthermore, according to the 2019 EY report on Realising the value of health care data, this is expected to generate knock-on effects in relation to operational savings for healthcare organisations, and the public sectors that fund them.
Additionally, sharing healthcare data between hospitals, medical centres, and research institutions and making it more easily accessible is also expected to unlock significant value. In particular, the digital transformation of Healthcare Records would enable the sharing of allergy or prescription data across sites, which would contribute to better quality of care, especially in emergency circumstances. Beyond the immediate use of healthcare data for patient treatment, experts also expect that this data can be used to facilitate the development of health data driven innovations like clinical decision support tools or apps (or other support software) for patients and doctors. The development of new treatments and medicines can also be of significant local and national economies.
Combining these two potential benefits, EY has estimated that the UK’s NHS data set could generate approximately £9.6bn per annum in benefits.
How to unlock the value of healthcare data while achieving compliance
The collection and large-scale analysis of healthcare data offers a number of benefits to patients, practitioners, and researchers alike. However, under the GDPR (Article 9) and other data protection legislation, healthcare data is classed as special category data. This means that in order to collect, process or share this data, organisations must have a lawful basis for doing so and may require explicit consent from the individual whose data is being shared. This is especially the case when further re-using the data for research, innovation or other secondary purposes. In Ireland, such explicit consent is a core protection for data subjects under the Health Research Regulations 2018.
At the same time, the potential benefits of re-using existing healthcare data to support research and innovation creates a drive to re-use clinical and other types of data beyond their original purpose for the gathering of the data such as the primary delivery of care.
In the healthcare sector, this tension can sometimes manifest in the context of Data Sharing Agreements, where organisations’ positioning as Controllers and Processors can become contested. For example, a hospital sending blood samples to a lab often sees themselves as the Data Controller and the laboratory as a Processor. However, conversations with the laboratory can reveal that the laboratory intends to add the sample to their databank for research purposes and sees themselves as a Controller as well.
In healthcare especially, patients are often agreeable to their data being used to further insights and innovations for the common good. Nevertheless, even if patients were agreeable to such re-use of their data, their explicit consent would normally have to be recorded and stored in order to comply with data protection and other national legislation. However, different approaches and exemptions from this requirement are emerging among specific Member States’ legislation and guidance from different Supervisory Authorities.
These examples reveal while healthcare data can be utilised as an asset to unlock innovation and other benefits, this is only possible if and only if the proper data protection compliance safeguards are put into place.
Measures such as robust consent forms that enable data sharing and re-use for research purposes can provide a lawful basis for the further processing of patient data for research purposes. Similarly, well written Data Sharing Agreements can define the role and liability of each organisation using the data, the purposes for which it is being used and the security and governance requirements that must be respected. Transparency of processing achieved through patient information sheets, posters and websites can also help ensure there are no surprises for data subjects. A strong legal framework combines with the necessary support measures enables the lawful use of healthcare data to benefit patients, the economy and society as a whole.
The Trilateral Research Data Protection and Cyber-risk team has been working on the processing of special category data since 2015. We can assist your organisation to work with your partners to turn healthcare data into an asset that can bring added public health and social benefit. Contact one of our advisors for more information.