EU data protection regulators clarify scope of 'health data' and champion explicit consent for data processing in the context of scientific research


While medical researchers find innovative ways to gain valuable insights from large amounts of medical data, European data protection regulators have clarified their views on the scope of the definition of personal health data and on the processing thereof in the context of historical, statistical and scientific research.

The regulators – unified in the Article 29 Working Party (the “Working Party”) – wrote to the European Commission in reaction to a recent Commission consultation concerning mobile health (mHealth) devices and apps, but their views have wider implications.

Health data

Pointing to the proposed definition in the draft EU Data Protection Regulation, the Working Party explains that 'health data' in the context of data protection regulation is a much broader term than 'medical data'. In the Working Party's view, ‘health data’ includes inter alia 'information derived from the testing or examination of a body part or bodily substance, including biological samples' and any information about 'disease risk' and about 'the actual physiological or biomedical state of the data subject independent of its source'.

For data to qualify as ‘health data’, it need not necessarily relate to 'ill health'. Whether data about a person's physiological or biomedical state is within the 'healthy' limit or not is not relevant. Moreover, in the Working Party's view, even personal data not directly related to a person's health may qualify as health data if processed with the purpose of identifying disease risks, for example as part of big data analysis of exercise habits or diet.

The broad definition of ‘health data’ championed by the Working Party implies that data being processed in the context of life sciences research may unexpectedly qualify as personal health data in the eyes of data protection regulators, and be subject to a stricter than usual data protection regime.

Explicit consent

In particular, the requirement for explicit consent from the data subject, which commonly applies to the processing of health data outside the scope of the provision of healthcare to patients, may become especially relevant in a research context.

Whereas the current EU Data Protection framework allows national legislators and regulators relative flexibility in applying a lighter regime for further processing of personal data for historical, statistical and scientific research purposes, the European Parliament has proposed to amend the new draft EU Data Protection Regulation with a strict consent requirement for such processing.

The Working Party now calls for this strict consent requirement also to be applied under the current regulatory framework for the further processing of personal health data for research purposes. In this regard, the Working Party specifically expresses its concern about the introduction of the notion of a lighter data protection regime for pseudonymised data. According to the Working Party, the use of pseudonymised data is, in itself, not sufficient to justify a lighter regime.

Whether the Commission will respond to the Working Party's call, and whether the European Parliament's proposal will be included in the Data Protection Regulation, is uncertain. It is clear, however, that the use of personal health data, including in the context of historical, statistical and scientific research, is on the agenda of data protection regulators.