The European Union has provisionally agreed changes to planned data privacy legislation that will make it easier to share data between health and social care services.
At a meeting of the Council of the European Union this month, ministers endorsed principles to amend its proposed General Data Protection Regulation, addressing how the regulation handles the sharing of ‘special’ forms of personal data such as health and genetic data.
According to the new proposals, personal health data could be shared and processed without the explicit consent of the individual in certain circumstances, such as when “necessary for the purposes of preventive or occupational medicine… the provision of health or social care or treatment, or the management of health or social care systems and services on the basis of [EU] law or member state law”.
The right to share and process data would also apply when necessary for reasons of public interest and public health, such as protecting against “serious cross-border threats to health” or ensuring high quality and safety standards for healthcare, medicines and medical devices.
The principles state that the processing of personal health data for public interest “should not result in personal data being processed for other purposes by third parties such as employers, insurance and banking companies”.
The NHS Confederation welcomed the changes, saying they “signal an important strategic commitment by ministers to alleviate the burden of data sharing”.
In a summary of the council’s proposals, the confederation said they would mean data can be shared without explicit consent for clinical purposes; for the provision of health or social care; for the treatment or management of health or social care systems; and services and for public health purposes.
Elisabetta Zanon, director of the NHS European Office – part of the NHS Confederation – said in a blog post that the proposed changes will mean a “more flexible legal framework for sharing data across health and social care” to support new care models such as those outlined in NHS England’s Five Year Forward View.
The General Data Protection Regulation, developed to update existing rules on data protection that have been in place since 1995, has previously caused concern in the UK as it requires researchers to request explicit and time-limited consent from citizens for using identifiable, pseudonymised or linked data.
Last year, the Department of Health said that the new rules would make conducting research with data “impractical”, while plans to share data via the care.data programme also appear to be impacted.
While it is unclear whether the new proposals will address these concerns, Phil Booth of healthcare data campaign group MedConfidential told EHI News that the plans for care.data are “such a mess” that it will be difficult to manage the consent issues “without a fundamental re-engineering of consent across the whole system”.
Booth said one of the main points of interest in the new proposals is a statement that pseudonymised data should be considered as personal data, which he saw as an acknowledgement that all individual-level data is potentially re-identifiable.
“[The proposal] would have a massive impact on the dissemination of patient data for secondary uses; hospital episode statistics, for example, which is pseudonymised individual-level data, will no longer be able to be ‘deemed not personal data’ and therefore treated as if it is out with the Data Protection Act and be sold to all and sundry,” he said.
The proposed changes will be discussed alongside the rest of the General Data Protection Regulation in June, with the regulation set to become law by late 2015 or early 2016.