The Danish Data Ethics Council opinion on the proposed Regulation of European Health Data Space

Published 24-06-2022

The European Health Data Space (EHDS) will establish a comprehensive legal and institutional framework for sharing European health data across the EU as well as with third-country partners. The Danish Data Ethics Council (DDEC) is pleased to offer its opinion on this important regulatory initiative, which is poised to profoundly shape future sharing and use of European health data.

The DDEC is a government-mandated council, which advises the Danish parliament, ministries and public authorities on dataethical questions concerning the use of data and new technology. The DDEC is tasked with promoting responsible data use and practices by reviewing ethical questions about the relation between the advantages of employing new technology on the one hand, and concern for citizens’ fundamental rights, rule of law and essential social values on the other.

The DDEC recognizes the important benefits that the data sharing established and advanced by the EHDS can generate, including improving the ability of persons to transfer their health data (data portability) and the public health benefits resulting from researchers’ improved access to large datasets. However, personal health data is by nature particularly sensitive, and measures to share such data require careful consideration of the dataethical implications. The DDEC reviews data ethical issues on the basis of 10 central dataethical principles for ethical collection, sharing and use of data.[1] Among these, protection of privacy, respect for autonomy, and non-maleficence (avoidance of harm) are particularly pertinent to the proposed EHDS.

In light of these principles, the DDEC applauds measures taken in the proposal to protect the privacy, autonomy and wellbeing of data subjects, including i) the right to access personal health data, ii) the ability to delay the data subject’s access to their personal health data when such delay serves their interest, iii) the right of data subjects to restrict health professionals’ access to all or parts of their electronic health data, iv) the ability of health professionals to override restrictions on access to data in certain health emergencies, v) requirements of establishing a suitable purpose for data sharing and of sharing the minimal amount of data necessary for that purpose, and vi) setting the sharing of anonymized data as the default.

Notwithstanding these laudable measures, the proposal raises a number of dataethical concerns, both on elements of the proposal where improved clarity is required, and on elements where further measures to protect the privacy, autonomy and wellbeing of data subjects are both feasible and ethically desirable.

Specifically, the DDEC believes the proposed EHDS raises important concerns relating to:

  • The right of data subjects to access their personal electronic health data
  • The right of data subjects to restrict access to their personal electronic health data
  • The duty to provide health information generated in secondary use to data subjects
  • The duty to provide the minimal amount of data necessary, including protecting privacy through the use of anonymization and pseudonymisation

The DDEC strongly believes that aligning the EHDS with protection of privacy, respect for autonomy, and non-maleficence on these issues is both ethically required and important to the EHDS, in order to ensure public trust in data sharing and public support for the opportunities established by the EHDS.

1. Summary of recommendations

  • The DDEC strongly recommends clarifying the scope of the exemption from the right to access personal health information established in EHDS article 3.3 and 3.1, specifically to exclude the possibility of allowing exemptions based on interpretations of allowing access to information being “inappropriate” or “unethical” that are contrary to the interests of the data subject.
  • The DDEC strongly recommends that the EHDS introduce a requirement of proportionality to the exemption from the right to restrict health professionals’ access to personal health data established in article 4.4, such that the benefit provided by accessing data against the autonomous, express restriction of the data subject(s) must be proportional to the violation of privacy and autonomy thereby perpetrated.
  • The DDEC recommends that the EHDS obligate, not merely allow, data users and data access bodies to provide relevant information to data subjects in cases of discovery in secondary use of data defined in article 38.3.
  • The DDEC recommends clarifying the grounds and conditions of providing information under article 38.3, such that the regulation applies to individual information about the data subject’s health which, if provided to the data subject, can be reasonably expected to be of benefit to the data subject’s health, or where the data subject can be reasonably expected to have a strong interest in obtaining the information independent of any health benefits.
  • The DDEC strongly recommends that the EHDS clarify and define the terms anonymization/anonymous data and pseudonymisation/pseudonymous data, inserting the resulting definitions in EHDS article 2 alongside other definitions.
  • The DDEC strongly recommends the use of further technical restrictions to protect against reidentification in secondary use of pseudonymous data.
  • The DDEC recommends that the EHDS establish a graded hierarchy of access to data such that data access bodies are obligated to provide access to anonymous data by default, to masked or otherwise protected pseudonymous data only where demonstrably necessary, to the results of remotely processed data where access to protected pseudonymous data is demonstrably insufficient, and to unprotected pseudonymous data only where none of the previous options are sufficient and where the purpose of accessing data is proportional to the privacy risks thereby imposed on data subjects.
  • The DDEC notes that the meaning and scope of article 33.5 is unclear, and strongly recommends clarifying it to establish the scope of requirements of informed consent for the rights and obligations of the EHDS.
  • The DDEC strongly recommends that the EHDS secure the right of data subjects to restrict access to personal health data for secondary use. Such a right must make the ability to restrict access be sufficiently granular that data subjects can meaningfully grant or withhold access to personal health data in alignment with their personal beliefs and values.

2. The right of data subjects to access their personal electronic health data

The right of data subjects to access their personal health data is of central dataethical importance. Such data is intimately tied to the data subject and often vital for the data subject in order to allow informed decisions on important matters relating to central life issues such as health, work, travel and family. Ensuring access to such data generally protects the autonomy and promotes the wellbeing of data subjects.

EHDS article 3.1 establishes that: “Natural persons shall have the right to access their personal electronic health data processed in the context of primary use of electronic health data, immediately, free of charge and in an easily readable, consolidated and accessible form.”  

EHDS article 3.3 qualifies the right by allowing that: “Member States may restrict the scope of this right whenever necessary for the protection of the natural person based on patient safety and ethics by delaying their access to their personal electronic health data for a limited period of time until a health professional can properly communicate and explain to the natural person information that can have a significant impact on his or her health.”

Preliminary note (9) motivates the qualification by observing that: “it should be considered that immediate access to certain types of personal electronic health data may be harmful for the safety of natural persons, unethical or inappropriate. For example, it could be unethical to inform a patient through an electronic channel about a diagnosis with an incurable disease that is likely to lead to their swift passing instead of providing this information in a consultation with the patient first. Therefore, a possibility for limited exceptions in the implementation of this right should be ensured. Such an exception may be imposed by the Member States where this exception constitutes a necessary and proportionate measure in a democratic society…”

The DDEC supports both establishing data subjects’ right to access their personal health data and qualifying the right by allowing for exemptions. However, the DDEC notes with concern that the scope of the exemption is vague because the grounds noted in both article 3.3 and note (9) that can legitimately justify an exemption are underspecified. The DDEC believes that the ethically most plausible grounds for the exemption are the interests of the data subject, such that “harmful…, unethical or inappropriate” is best interpreted as being contrary to the interests of the data subject, either because directly harmful or because the data subject can reasonably be expected to prefer receiving the information through a different source, such as a personal conversation with a health professional. The DDEC strongly recommends clarifying the scope of the exemption, specifically to exclude the possibility of allowing exemptions based on interpretations of providing information being “inappropriate” or “unethical” that are contrary to the interests of the data subject.

3. The right of data subjects to limit access to personal health data

The right of data subjects to limit access to their personal health data is a regulation of central dataethical importance. The data subject’s ability to control which persons and institutions have access to their sensitive health data protects their autonomy and allows them to preserve privacy.

EHDS article 3.9 establishes that: “Notwithstanding Article 6(1), point (d), of Regulation (EU) 2016/679, natural persons shall have the right to restrict access of health professionals to all or part of their electronic health data. Member States shall establish the rules and specific safeguards regarding such restriction mechanisms.”

Preliminary note (13) motivates the regulation by noting that: “Natural persons may not want to allow access to some parts of their personal electronic health data while enabling access to other parts. Such selective sharing of personal electronic health data should be supported.”

The DDEC interprets the regulation as applying to primary use of personal data, rather than to the secondary uses of data covered by later articles of the EHDS. The observations and recommendations below are based on this interpretation (for related recommendations on data subject consent to secondary use of personal health data, see section five below). It is worth emphasizing, however, that improved clarity on the scope of article 3.9 would be desirable, specifically to clarify whether the right to restrict access applies to secondary use of data, and/or to anonymised/pseudonymised data.

The DDEC supports the right to limit access on the basis that ethically justifiable sharing of sensitive personal data, including electronic health data, will under ordinary circumstances require informed consent from the data subject. It is noteworthy that the right to restrict access is a somewhat weaker protection than a restriction on access to data absent informed consent. The right to restrict access must thus be considered a minimal safeguard, since it at least allows a data subject to act so as to prevent access to data that the subject does not consent to share.

The right to restrict access to personal health data is qualified in EHDS article 4.4, which allows that: “In cases where processing is necessary in order to protect the vital interests of the data subject or of another natural person, the healthcare provider or health professional may get access to the restricted electronic health data. Following such access, the healthcare provider or health professional shall inform the data holder and the natural person concerned or his/her guardians that access to electronic health data had been granted. Member States’ law may add additional safeguards.”

EHDS Preliminary note (13) motivates the qualification by observing that: “…such restrictions may have life threatening consequences and, therefore, access to personal electronic health data should be possible to protect vital interests as an emergency override… […] vital interests refer to situations in which it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person.”

The DDEC recognizes that the right to restrict access must be subject to exemptions for the reasons at stake in article 4.4 and note (13). There are emergencies where the duty to protect vital interests must take precedence over the right to restrict access to personal health data. However, it notes that the qualification as stated allows any restriction to be overridden for any number of data subjects when the data is necessary to protect an interest that is essential for the life of a person. In standard ethical theory, a requirement of necessity is supplemented by a requirement of proportionality. The DDEC strongly recommends introducing this requirement in the EHDS, such that the benefit provided by accessing data against the autonomous, express restriction of the data subject(s) must be proportional to the violation of privacy and autonomy thereby perpetrated. 

4. The duty to provide health information generated in secondary use to data subjects

The EHDS establishes a legal and institutional framework for the extensive sharing of data for secondary use, most centrally research (private or public sector). When data is used and shared, there is a prima facie ethical obligation to inform the data subject. This information serves the dual purpose of allowing them to understand what data remains private with respect to whom, and to challenge the sharing and use of data if they believe it infringes on their legal or moral rights.

However, the EHDS reasonably adopts a position presumably based on the view that an obligation to inform every data subject would impose an unmanageable administrative burden upon data access bodies, and that the resulting substantial stream of information would be of little value to data subjects.

In order to provide accessible and meaningful information, EHDS article 38.2 obliges health data access bodies to provide general public information about the conditions under which permits are issued as well as the data permits issued. However, “Health data access bodies shall not be obliged to provide the specific information under Article 14 of Regulation (EU) 2016/679 to each natural person concerning the use of their data for projects subject to a data permit…”

Preliminary note (44) clarifies the regulation by noting that: “…health data access bodies should provide general information concerning the conditions for the secondary use of their health data containing the information items listed in Article 14(1) and, where necessary to ensure fair and transparent processing, Article 14(2) of Regulation (EU) 2016/679, e.g. information on the purpose and the data categories processed.”

There are circumstances, however, where secondary use will discover information relevant to the data subject. An often cited example is the presence of a cancer tumor. In these situations it can be ethically important to provide such information to the data subject. Article 38.3 addresses the issue, allowing that: “Where a health data access body is informed by a data user of a finding that may impact on the health of a natural person, the health data access body may inform the natural person and his or her treating health professional about that finding.”

Preliminary note (44) motivates the regulation, noting that: “Exceptions from this rule should be made when the results of the research could assist in the treatment of the natural person concerned. In this case, the data user should inform the health data access body, which should inform the data subject or his [sic] health professional.”

The DDEC supports the article’s exception to the general rule that only general public information be provided, but is concerned both that the regulation merely allows sharing information and that the circumstances under which information should be provided are underspecified. The preliminary note correctly notes that data users and health data access bodies should inform data subjects or their health professional. Failure to do so can impose unnecessary and substantial health risks on data subjects. There is a strong ethical obligation not to unnecessarily impose substantial health risks on others. Therefore, the DDEC recommends that the regulation obligate, not merely allow, data users and data access bodies to provide the relevant information. It notes in this context that providing information may be subject to the considerations at stake in EHDS article 3.3, i.e. that there may be strong reason to ensure that the information is initially provided to the data subject through an appropriate source, such as a health professional, as opposed to making it initially available in digital form.

The DDEC also notes that the type of information at stake is individual information about the data subject, and that the ethical obligation to provide said information is based on the information being of interest to the data subject, i.e. because access to the information will potentially benefit the data subject’s health, or because the data subject has a strong, non-derivative interest in the information. The DDEC recommends clarifying these grounds and conditions, such that the regulation applies to individual information about the data subject’s health which, if provided to the data subject, can be reasonably expected to be of benefit to the data subject’s health, e.g. by allowing them to seek treatment or by improving ongoing treatment, or where the data subject can be reasonably expected to have a strong interest in obtaining the information independent of any health benefits.

5. The duty to provide the minimal amount of data necessary, including protecting privacy through the use of anonymization and pseudonymisation

Personal health data is very sensitive information about natural persons. As noted above, the regulation recognizes this even in the context of primary use by health professionals, e.g. by allowing data subjects to restrict access to health information and defining the exceptional circumstances under which these restrictions can be overridden.

However, the EHDS envisions and will establish the legal and institutional framework for widespread secondary use of personal health data. As observed in preliminary note (38): “European databases that facilitate data (re)use are available in some areas, such as cancer (European Cancer Information System) or rare diseases (European Platform on Rare Disease Registration, ERN registries, etc.). These data should also be made available for secondary use. However, much of the existing health-related data is not made available for purposes other than that for which they were collected. This limits the ability of researchers, innovators, policy-makers, regulators and doctors to use those data for different purposes, including research, innovation, policy-making, regulatory purposes, patient safety or personalised medicine. In order to fully unleash the benefits of the secondary use of electronic health data, all data holders should contribute to this effort in making different categories of electronic health data they are holding available for secondary use.” Given these ambitions, an ethical balance must be struck between the potential benefits generated by increased secondary use access to large health data sets on the one hand, and protection of individual privacy on the other. This point is recognized in preliminary note (49), which observes that: “Given the sensitivity of electronic health data, it is necessary to reduce risks on the privacy of natural persons by applying the data minimisation principle as set out in Article 5 (1), point (c) of Regulation (EU) 2016/679.” The EHDS takes several important steps to minimize access to data and protect privacy.

Centrally, EHDS article 34.1 defines the range of permissible purposes, for which access to information can be granted, and EHDS article 44.1 imposes duties on data access bodies to grant access only when the data user has successfully established that access to data is necessary for such a purpose: “The health data access body shall ensure that access is only provided to requested electronic health data relevant for the purpose of processing indicated in the data access application by the data user and in line with the data permit granted.” Jointly, these articles serve to ensure that access to data is granted only when such access can be reasonably expected to provide benefits.

Furthermore, EHDS article 44.2 defines anonymization as the default: “The health data access bodies shall provide the electronic health data in an anonymised format, where the purpose of processing by the data user can be achieved with such data, taking into account the information provided by the data user.” On certain interpretations of anonymization (see discussion below), anonymization is the strongest possible protection of privacy, and access to anonymous data therefore raises substantially fewer ethical concerns. As such, the DDEC strongly supports defining access to anonymized data as the default.

However, the EHDS allows secondary use access to personal health data that is not anonymized in certain circumstances. Specifically, EHDS article 44.3 states that: “Where the purpose of the data user’s processing cannot be achieved with anonymised data, taking into account the information provided by the data user, the health data access bodies shall provide access to electronic health data in pseudonymised format. The information necessary to reverse the pseudonymisation shall be available only to the health data access body.”

In this context, the DDEC notes with strong concern that unlike other central terms in the EHDS, the crucial concepts of anonymization and pseudonymisation are not defined. On a commonly accepted understanding of the distinction, the former is data that is in no way linked to an identifiable subject, e.g. because it contains only a single data point for each subject, e.g. an unidentified person’s age, or consists entirely of aggregated data, e.g. the average age in a population. The latter, on this understanding, is data that is in some respect linked to an identifiable person although devoid of data points that are individually, uniquely identifying (e.g. name, social security number), such as an unidentified person’s age, gender, and height. The DDEC strongly recommends that the EHDS clarify and define the terms anonymization/anonymous data and pseudonymisation/pseudonymous data, inserting the resulting definitions in EHDS article 2 alongside other definitions. The remaining comments proceed under the assumption that the commonly accepted understanding of the terms set out above applies.

The distinction is important because, as noted by the European Commission Expert Group’s Guidance Note on Data Protection: “anonymisation processes are challenging, particularly where large datasets containing a wide range of personal data are concerned. This is because it is very difficult to create fully anonymous datasets that retain the granular information needed for research purposes.”[2] As such, it is to be expected that sharing and use of pseudonymous data for secondary purposes will be common. Indeed, the DDEC is concerned that regardless of the EHDS defining it as the default, sharing and use of genuinely anonymous data may become not the rule but the exception.

On the suggested interpretation of the difference between pseudonymous and anonymous data only the former allows reidentification. While any use of a data subject’s data raises ethical considerations, access to sensitive personal health data about an identifiable person through reidentification is a crucial risk for data subjects’ privacy. As such, the DDEC strongly urges that all feasible measures to protect against reidentification be considered and where possible required.

The EHDS relies on a combination of technical restrictions on access to pseudonymous data and legal penalties to protect data subjects from being reidentified from pseudonymous data. Specifically, EHDS article 50.2 establishes that: “The health data access bodies shall ensure that electronic health data can be uploaded by data holders and can be accessed by the data user in a secure processing environment. The data users shall only be able to download non-personal electronic health data from the secure processing environment.” Furthermore, Article 44.3 states that: “Data users shall not re-identify the electronic health data provided to them in pseudonymised format. The data user’s failure to respect the health data access body’s measures ensuring pseudonymisation shall be subject to appropriate penalties.”

While the DDEC supports the restriction of access to pseudonymous data and the prohibition of reidentification, it notes with concern that such measures provide limited guarantees against reidentification. As such the DDEC strongly recommends the use of further technical restrictions to protect against reidentification in line with the observations of the European Data Protection Supervisor’s (EDPS) preliminary opinion, note 25, which urges that: “safeguards should consider, as appropriate and as far they have reached the state-of-the art maturity, the use in context of privacy enhancing technologies, including those enabling to perform operations on encrypted data without having access to the data in clear or performing calculations on distributed data without having access to all data sources or enabling reliable statistical calculations on data where noise has been injected.”[3]

As noted by the EDPS, one available technical restriction is the application of masking techniques to data. As examples, injection of statistical noise can secure differential privacy, while binning or data-reduction can secure k-anonymity.[4] These are mature and well-tested technologies that can frequently be applied with little or no cost to the data user, and prevent or greatly reduce the risk of reidentification.

A second technique, noted in preliminary note (49), is the use of remote processing where: “…the applicant can request the health data access bodies to provide the answer to a data request, including in statistical form. In this case, the data users would not process health data and the health data access body would remain sole controller for the data necessary to provide the answer to the data request.” With remote processing, data subjects are protected against reidentification because the data access body carries out the requested analysis of data and provides access only to the anonymous results of the analysis.

The EHDS recognizes the risks and potential for technical reductions of these risks in preliminary note (64), which observes that: “Certain categories of electronic health data can remain particularly sensitive even when they are in anonymised format and thus non-personal, as already specifically foreseen in the Data Governance Act. Even in situations of the use of state of the art anonymization techniques, there remains a residual risk that the capacity to re-identify could be or become available, beyond the means reasonably likely to be used.” However, the EHDS postpones and delegates treatment of technical measures to protect against reidentification, holding that: “The protective measures, proportional to the risk of re-identification, would need to take into account the specificities of different data categories or of different anonymization or aggregation techniques and will be detailed in the context of the Delegated Act under the empowerment set out in Article 5(13) of Regulation […] [Data Governance Act COM/2020/767 final].”

In light of the ethical obligation to reduce the risk of reidentification, and the availability of feasible techniques to do so, the DDEC recommends that the EHDS establish a graded hierarchy of access to data such that:

  • Where a data user’s needs can be met through access to anonymous personal health data, the data access body shall provide only access to anonymous personal health data.
  • Where the data user can convincingly establish both that anonymous personal health data cannot meet the data user’s needs and that the purpose of accessing data justifies access to non-anonymous data, the data access body shall provide only access to pseudonymous data protected by masking techniques e.g. to secure differential privacy or k-anonymity.
  • Where the data user can convincingly establish both that neither anonymous personal health data nor pseudonymous data protected by masking techniques can meet the data user’s needs, and that the purpose of accessing data justifies access to non-anonymous data, the data access body shall remotely process data for the data user, and provide only the anonymous data generated by such processing.
  • Only where the data user can convincingly establish that neither anonymous personal health data nor pseudonymous data protected by masking techniques, nor remote processing can meet the data user’s needs, and that the purpose of accessing data justifies direct access to unmasked pseudonymous data, shall the data access body provide access to unmasked pseudonymous data.
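As an added illustration of the second and third steps of this hierarchy (masking pseudonymous data to reach k-anonymity, and releasing only a differentially private aggregate, as the opinion describes under the EDPS safeguards and remote processing), the following example is not part of the DDEC opinion or the EHDS. The records, the quasi-identifiers (age, gender, height, the combination the opinion itself uses) and the bin sizes are constructed for the demonstration.

```python
"""Added example (not from the DDEC opinion): binning plus suppression to reach
k-anonymity on pseudonymous records, and a Laplace-noised count as the kind of
anonymous aggregate a data access body could return instead of row-level data."""
import random

# Constructed pseudonymous records: no direct identifier, but the quasi-identifier
# combination (age, gender, height) is individually rare and so potentially linkable.
RECORDS = [
    {"age": 34, "gender": "F", "height_cm": 168, "diagnosis": "asthma"},
    {"age": 36, "gender": "F", "height_cm": 171, "diagnosis": "none"},
    {"age": 35, "gender": "F", "height_cm": 165, "diagnosis": "diabetes"},
    {"age": 52, "gender": "M", "height_cm": 181, "diagnosis": "none"},
    {"age": 58, "gender": "M", "height_cm": 184, "diagnosis": "asthma"},
    {"age": 55, "gender": "M", "height_cm": 188, "diagnosis": "none"},
    {"age": 41, "gender": "F", "height_cm": 160, "diagnosis": "diabetes"},  # lone record
]


def generalize(record, age_bin=10, height_bin=20):
    """Mask the quasi-identifiers by binning age and height into ranges.

    Gender is kept as is; a bin width of 1 reproduces the raw values, which
    lets the same function measure the unmasked data.
    """
    lo_a = record["age"] // age_bin * age_bin
    lo_h = record["height_cm"] // height_bin * height_bin
    return (f"{lo_a}-{lo_a + age_bin - 1}",
            record["gender"],
            f"{lo_h}-{lo_h + height_bin - 1}")


def equivalence_classes(records, **bins):
    """Group records that share the same masked quasi-identifier tuple."""
    classes = {}
    for r in records:
        classes.setdefault(generalize(r, **bins), []).append(r)
    return classes


def k_of(records, **bins):
    """The k in k-anonymity: size of the smallest equivalence class."""
    return min(len(c) for c in equivalence_classes(records, **bins).values())


def anonymize(records, k, **bins):
    """Release only classes of at least k members; suppress the rest.

    Returns (released rows, number of suppressed records). A released row
    carries the binned quasi-identifiers and the sensitive attribute only.
    """
    released, suppressed = [], 0
    for key, members in equivalence_classes(records, **bins).items():
        if len(members) >= k:
            released.extend({"quasi_ids": key, "diagnosis": m["diagnosis"]}
                            for m in members)
        else:
            suppressed += len(members)
    return released, suppressed


def dp_count(records, predicate, epsilon, rng):
    """Epsilon-differentially private count via the Laplace mechanism.

    A count has sensitivity 1, so noise with scale 1/epsilon suffices. The
    difference of two Exp(rate=epsilon) draws is Laplace(0, 1/epsilon).
    """
    true_count = sum(1 for r in records if predicate(r))
    noise = rng.expovariate(epsilon) - rng.expovariate(epsilon)
    return true_count + noise


def count_diagnosis(records, diagnosis, epsilon, seed):
    """Seeded wrapper: the statistical answer a remote-processing request might get."""
    return dp_count(records, lambda r: r["diagnosis"] == diagnosis,
                    epsilon, random.Random(seed))


if __name__ == "__main__":
    print("k on raw quasi-identifiers:", k_of(RECORDS, age_bin=1, height_bin=1))
    print("k after binning alone:", k_of(RECORDS))
    rows, dropped = anonymize(RECORDS, k=3)
    print(f"released {len(rows)} rows, suppressed {dropped}")
    print("noisy asthma count (eps=1):", round(count_diagnosis(RECORDS, "asthma", 1.0, 0), 2))
```

Binning alone leaves the lone record in a class of size one, so suppression (or coarser bins) is still needed before the release is 3-anonymous; the noisy count, by contrast, never exposes a row at all.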

Finally, a central ethical concern is whether data subjects are capable of consenting to access to their data for secondary use. It is widely held that access to sensitive personal information is ethically permissible with the informed consent of the data subject, but that there are strong moral reasons against accessing sensitive personal information without informed consent grounded in respect for autonomy and protection of privacy. The DDEC considers informed consent to sharing and use of data to be a central principle of data ethics. The EHDS touches upon consent of data subjects to secondary use access of their data only in EHDS article 33.5, to hold that: “Where the consent of the natural person is required by national law, health data access bodies shall rely on the obligations laid down in this Chapter to provide access to electronic health data.”

The DDEC notes that the meaning and scope of article 33.5 is unclear, and strongly recommends clarifying it. Specifically, it is unclear whether the obligations referenced are meant to take precedence over national law requiring consent, such that data access bodies must provide access under the obligations of the EHDS regardless of any requirements of informed consent established in national law. Alternatively, the obligations may be meant to be subsidiary, such that access must be provided only if both the consent requirements established in national law and the requirements established in the EHDS, such as the obligation for the data user to establish that access will serve one of the recognized justifiable purposes, are met.

Regardless of the intended reading of the article, the DDEC is concerned that the EHDS itself establishes neither a duty for data access bodies to obtain informed consent to secondary use of personal health data, nor a right to restrict access to personal health data for secondary use, along the lines of the right established in article 3.9. Notably, the latter is a less demanding standard of consent, which must be considered a minimal ethical safeguard. The DDEC strongly recommends that the EHDS secure the right of data subjects to restrict access to personal health data for secondary use.

The DDEC notes in this context that meaningful consent cannot be given as a blanket statement allowing or disallowing access to all personal health data for all types of secondary use. Rather, as observed by the EDPS preliminary opinion note 19 in a related comment: “the technical means implemented [in the legal basis for further processing of data] should be granular enough to allow for the respect of the will of the data subjects, for example, when they have expressed a consent limited to certain situations such as usage by public sector bodies or specific research types.” This granularity in the ability to provide consent, or to deny access to data, is important in order to accommodate the different grounds that data subjects may have for offering or withholding consent to use of data. For example, and as pointed out in the EDPS preliminary opinion note 20, data subjects might wish to restrict access due to: “…personal objections to certain private sector stakeholders (e.g. pharmaceutical, insurance, etc.) having access to the individual’s sensitive personal data.”


[1] https://dataetiskraad.dk/dataetik
[2] European Commission: Ethics and Data Protection
[3] European Data Protection Supervisor: Preliminary Opinion
[4] On the former, see: Dwork, Cynthia, and Aaron Roth. "The algorithmic foundations of differential privacy." Found. Trends Theor. Comput. Sci. 9.3-4 (2014): 211-407. On the latter, see: Sweeney, Latanya. "k-anonymity: A model for protecting privacy." International Journal of Uncertainty, Fuzziness and Knowledge-Based Systems 10.05 (2002): 557-570.