Tools to safeguard patient privacy while encouraging innovation
Patients today are more aware of the importance of sharing (anonymized) health data to advance scientific research, compared to the past. The role of European data protection legislation, the development of robust data- and privacy-enhancing technologies, and the transparency with which stakeholders inform and educate patients certainly contribute to this positive evolution.
From European legislation to local implementation
In May 2018, the General Data Protection Regulation (GDPR) came into force in the European Economic Area. It is the embodiment of the EU citizens’ right to the protection of their personal data, as stipulated in the EU Charter of Fundamental Rights. With this Regulation, the EU wanted to address the variations in national privacy legislation that had emerged even after the 1995 Data Protection Directive and were hampering the functioning of the internal market. “In establishing new Regulations, such as the GDPR, the EU focuses on two aspects,” explains Professor of Privacy Law at Ghent University, Griet Verhenneman. “It aims to strengthen the fundamental rights of their citizens and bring harmonization between Member States by targeting factors that may be blocking interaction.” Different from a Directive, an EU Regulation does not require implementation through national law, theoretically it is ready for national application based on local needs. However, individual Member States can still add nuances and supplements. For the processing of health-related data, the possibility of introducing further conditions, including limitations, is explicitly foreseen. “EU Regulations and national adaptations are established with expert input provided by various stakeholders during the legislative process,” Verhenneman says, serving as an external member of the Knowledge center within the Belgian Data Protection Authority. “Yet, in the end, the final decision is always a political compromise.” Once reinforced, everyone handling patient data, from care providers to researchers, should adhere to the legislation.
Technological innovation supporting patient privacy
In order to invest in healthcare innovation while adhering to privacy regulations, a number of technological tools are available. Anonymizing or pseudonymizing patient data is one of them. By removing or replacing identifiable information, the records cannot be traced back to the individual patients, securing their privacy. Federated learning is another very elegant technique to allow medical innovation while committing to privacy preservation. “In federated learning, we train AI models on data, spread over distinct locations, without the need to exchange sensitive information,” says Brahem El Haddioui, Senior Manager Benelux Global Privacy at Johnson & Johnson. “The data never leave the secure environment of the local (hospital) server. Only the insights and outcomes from the analyses are shared.” El Haddioui also emphasizes the need for adequate data governance processes. “Implementing clear structures and guidelines on how to deal with patient data is essential and guarantees ethical use.”
“In federated learning, we train AI models on data, spread over distinct locations, without the need to exchange sensitive information.” – Brahem El Haddioui, Johnson & Johnson
Transparency and education as key priorities
Even when technological advancements allow us to fully adhere to the strict privacy regulations, involving patients in the processes remains vital. Patients are becoming increasingly aware of the value of their personal health information for research, yet also feel an increasing need for protection against commercial exploitation. “To make sure patients feel valued and respected, transparency and education are crucial,” says El Haddioui. “We need to clearly communicate which data are collected, why we need them, how we will use them, and how privacy is guaranteed.” It is also valuable to involve patients in a more active manner. By establishing patient advisory councils, in which members can comment on research programs, the patient population is represented and can impact the use of their data.
Informed consent – a powerful tool with critical pitfalls
The concept of informed consent takes up a central position in medical ethics. It implies that patients can autonomously make decisions in their care pathway regarding medical procedures or investigations, having been fully informed about the benefits, risks, and alternatives of that procedure. “Although informed consent allows the patient to actively participate in their care pathway, there are certain challenges associated with it,” says El Haddioui. “Especially in more complex situations, patients can be overwhelmed by the intense emotions associated with their disease and by the amount of information they receive.” In specific cases, such as when patient information is collected for future – yet undefined – research, the situation becomes even more complex. We can question whether this type of consent can truly be considered informed in such instances. Verhenneman agrees, “Informed consent creates the illusion that patients have complete control over their decision-making processes. Yet in reality, which additional protection does it bring when the mechanism is reduced to the request to check a box or put down your signature for the umpteenth time?” Another factor to consider is the quantity of data needed for AI tools to discover patterns. When asking patients for consent to use their data, we risk losing the quantity we need to extract relevant insights. “In healthcare and health research, we face a challenging issue. Data concerning a patient’s health may be very valuable to investigating better treatments for future patients, but it does not always bring a direct benefit for the patient who is requested to share data at that very moment,” adds Verhenneman. “In this regard, we should consider to entrust data custodianship to trustworthy organizations, such as hospitals, instead of requiring individual patients to provide consent.”
“We should consider to entrust data custodianship to trustworthy organizations, such as hospitals, instead of requiring individual patients to provide consent.” – Griet Verhenneman, Ghent University
From challenges to solutions
One of the most pressing challenges, both interviewees agree on, is the lack of harmonization within the EU. “Different interpretations have led to inconsistencies in the application of the GDPR,” argues Verhenneman. “This poses challenges to companies and organizations,” agrees El Haddioui, “Developing clear guidelines and striving towards a uniform interpretation of the rules will lead to less insecurity and fragmentation.”
The journey toward successfully implementing privacy preservation techniques while maximizing innovation possibilities is also impeded by the lack of support for supervisory authorities. Supervisory authorities are expected to offer supervision, information, and guidance to organizations. However, the shortage of funding and internal expertise complicates their functioning. “The European Data Protection Board (EDPB) in the context of the Clinical Trials Regulation, stated that new guidelines on the processing of personal data for scientific research purposes were under preparation and due in 2021. As for their arrival, we seem to be caught in a time warp of anticipation,” illustrates El Haddioui. “This hinders national implementation and innovation.” The European Commission can be criticized as well for continuously introducing new legislation without first addressing the problems surrounding the implementation of the GDPR. Maintaining an open dialogue between stakeholders and legislators is essential to solve these issues. “Regular exchanges between policymakers, scientists, and companies provide a better understanding of the practical challenges and needs,” says El Haddioui.
Finally, drawing insights from the experiences of other nations will allow us to catalyze progress in the rest of Europe. “Countries such as Finland and Estonia present progressive models that accommodate both their drive towards innovative research and the need for privacy protection,” states El Haddioui. “In this regard, the idea to establish a European Health Data Space (EHDS) is highly relevant,” adds Verhenneman. The EHDS is an ecosystem establishing standards, practices, and infrastructural frameworks for the utilization of health data in research and innovation. It is their goal to facilitate cross-border access to data, which would improve collaboration and knowledge sharing within the EU.
“Developing clear guidelines and striving towards a uniform interpretation of the rules will lead to less insecurity and fragmentation.” – Brahem El Haddioui, Johnson & Johnson