Using health data for R&D and AI: will new legislation make this possible in Germany?
Published on 31st Oct 2023
The new health-data bill currently debated by the German lawmakers could be adopted this year and apply from early 2024
Life science and pharmaceutical companies, as well as hospitals and research institutions in the healthcare sector, have been struggling with the compliance requirements under the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (FDPA) when it comes to using health data for research and development (R&D) and artificial intelligence (AI).
Companies and research institutions have voiced – especially during the Covid-19 pandemic – significant uncertainty over whether article 9 of the GDPR and section 27 of the FDPA permit research with health data. This, allegedly, had the consequence that health data from other jurisdictions, such as the UK, US and Israel, were used for research during the pandemic.
But what type of research can be covered by section 27 of the FDPA? How should the mandatory balancing-of-interests test under section 27 of the FDPA be applied in practice? The requirements for the application of section 27 of the FDPA have been unclear.
The German government has published a bill for a new Health Data Use Act (Gesundheitsdatennutzungsgesetz or GDNG) that would enable, among other things, R&D and AI with health data under certain conditions. The GDNG would bring a broad range of changes with respect to R&D and AI.
Permission for research
Section 6 of the GDNG bill permits healthcare providers, such as doctors or hospitals, to reuse health data for quality assurance, protection of patients and research, if the health data was originally collected from their own patients as part of healthcare services.
Healthcare providers will, however, be prohibited from sharing health data with other healthcare providers, unless the patient has consented, there is a legal requirement for sharing, or the health data is anonymised. Section 6 of the GDNG bill contains a statutory permission for healthcare providers to anonymise the health data of their patients. The results of any reuse must be anonymised promptly and patients must be informed about the reuse. For additional transparency, any research project based on section 6 of the GDNG bill must be entered in a World Health Organization register for clinical trials. However, the specifics about the type, scope and concrete purposes of the reuse must only be provided upon the patient’s request.
Reuse is only permitted if the healthcare provider implements safeguards, such as pseudonymisation, an access-rights concept, a retention concept and prompt anonymisation. Section 6 does not provide for a right to object for the patient. The research findings must be published publicly within 24 months after completion, as specified in section 8 of the GDNG bill.
Section 9 of the bill imposes a statutory confidentiality obligation; a violation of it can result in criminal sanctions of up to two years' imprisonment or a criminal fine.
Further discussion during the legislative process is particularly expected because (i) section 6 does not provide for a right to object for the patient, (ii) the relationship between section 6 and the state hospital laws is unclear, (iii) as is the relationship to the general data privacy transparency requirements under articles 13 and 14 of the GDPR, and (iv) a prohibition on seizure and a right to refuse testimony relating to such health data are not yet foreseen in the GDNG bill.
R&D and AI permission
Under the GDNG bill, the Social Act V will be amended to allow broader use of health data contained in individual electronic patient records (EPR). Health data in the EPRs shall be made available, upon request, to anyone who can demonstrate a valid purpose for reuse.
Valid purposes are exhaustively listed in section 363 of the Social Act V – as amended by the GDNG bill – and include the quality improvement of patient care, resource planning, scientific analysis on the effectiveness of healthcare, scientific research and development and improvement of medical drugs and medical devices, monitoring of the security of drugs and medical devices, as well as testing and training of AI.
The health data in the EPRs will be transferred in pseudonymised and encrypted form from the various German health insurance companies to the Research Data Centre (Forschungsdatenzentrum), an institution at the BfArM (Bundesinstitut für Arzneimittel und Medizinprodukte). The Research Data Centre will make the data available under the GDNG bill to persons upon request, provided those persons are located in the EU. This right to request access to EPR data shall not be limited to certain bodies or institutions; anyone shall be eligible in principle. Patients have a two-way opt-out: they can opt out of the EPR in general, or they can opt out of any or all of the reuse purposes listed in section 363 of the Social Act V – as amended. A right to opt out of reuse by particular types of persons and institutions shall not be provided.
The concept of section 363 of the Social Act V – as amended – is similar to that contemplated under the EU Health Data Act, but limited to Germany. The infrastructure and procedures of the data-sharing concept under the GDNG bill shall be leveraged once the EU Health Data Act is implemented in a few years.
Linking health data for cancer research
Currently, there are state-level clinical cancer registers (klinische Krebsregister) based on section 65c of the Social Act V. Through the GDNG bill, data contained in a clinical cancer register will be linked with data stored by the Research Data Centre, which stores, for example, demographic information about each patient, such as age, gender and city of residence, as well as patient-related treatment information. In the future, through the GDNG bill, the Research Data Centre will also receive and store the patient data contained in the EPR. This stored patient data shall, upon request, be linked in pseudonymised form with the patient-related data in the clinical cancer register to allow research with the data.
Linking health data and using the linked data sets will require prior approval by the data access and coordination agency for health data (Datenzugangs- und Koordinierungsstelle). Approval will be granted if the applicant can demonstrate that: the linking of the data sets is necessary for the objectives of a research project; access to the pseudonymised data in the clinical cancer register and in the Research Data Centre has already been approved by the competent authorities; and either the legitimate interests of the affected person are not impaired or the public interest in the research project outweighs the affected person’s interest in confidentiality – and provided that the specific risk of re-identification has been assessed and mitigated.
If approved by the data access and coordination agency, the clinical cancer register and the Research Data Centre transfer the health data to be linked into a secure processing environment, which shall be determined by the data access and coordination agency. The data will be linked in this secure processing environment and made available to the applicant as a single pseudonymised data record; the applicant will not be permitted to share this with any third parties.
Lead supervisory authority
Where one or more public or non-public entities are involved as controllers (without qualifying as joint controllers) in a research project relating to health or healthcare in which several German supervisory authorities are "competent", then a lead supervisory authority can be identified upon notice (see section 5 of the GDNG bill).
The lead supervisory authority will be the one that is competent for the entity participating in the research project that has generated the highest annual turnover in the preceding financial year. If not all of the participating entities have an annual turnover, then the lead supervisory authority will be the one that is competent for the participating entity with the largest number of employees processing personal data. In order to benefit from a lead supervisory authority, all entities participating in the research project must notify all of their competent supervisory authorities about their choice of benefiting from the lead supervisory authority. However, the practical relevance of a lead supervisory authority in this context will very likely be minimal, because, in most research projects, the entities will qualify as joint controllers, which prevents the application of this approach.
Where one or more non-public entities are involved in a research project and qualify as joint controllers in such a way that several German supervisory authorities are competent, one supervisory authority with exclusive competence for the research project can be identified upon notice of all the participating entities. The supervisory authority with exclusive competence will be the one that is competent for the participating entity with the highest annual turnover in the preceding financial year or, if not all of the participating entities have an annual turnover, that is competent for the participating entity with the largest number of employees processing personal data. In order to benefit from this concept of "exclusive responsibility", all entities participating in the research project must notify all of their competent supervisory authorities about their choice of benefiting from this concept.
Osborne Clarke comment
The GDNG bill drafted by the German government was published on 30 August, and the German Federal Council adopted its statement on the GDNG bill on 20 October 2023 without any relevant objections. It is expected that this bill will be adopted by the German Parliament by the end of 2023 and apply as of February 2024.
The GDNG bill contains several provisions that permit the processing of health data for research purposes, such as through secondary use by healthcare providers and hospitals of their patient data, broader access to health data in the EPRs, and linking of health data in the clinical cancer register with other health data, in particular those in the EPRs.
Use of patient data for AI testing and training purposes is only explicitly mentioned in the context of secondary use of the health data in the EPRs. However, theoretically anyone can request access to the EPR health data for AI purposes in pseudonymised form.