Enriching knowledge and enhancing care through health data

Tutorial organised by i~HD

“GDPR for Health Data Research Innovations”

Monday 19 November, 2018 (9:00 – 12:00)
Room R24-R25

Nathan Lea, i~HD GDPR Task Force lead, Senior Research Associate, UCL Institute of Health Informatics, London
Peter Singleton, Cambridge Health Informatics
Nikolaus Forgó, University of Vienna
Brendan Barnes, EFPIA
Mitchell Silva, patient advocate, co-founder of Esperity

Our organisations are working hard to implement changes to data handling processes and practices across the health sector to make sure they will be able to achieve compliance with GDPR and other legislation that is being enacted across Member States to implement its derogations.

This journey is seeing uncertainty grow around what this means for the re-use of medical data to support research and innovations. In March 2018, at its members’ request, i~HD initiated the GDPR Task Force to help our members and the health data innovations community to understand and comply with the new Regulation, especially when reusing health data for learning and research.

i~HD is proud to announce its first GDPR tutorial as a pre-conference event. Authorities in the field tackle hot challenges on GDPR and re-use of your medical data.

Draft Tutorial Programme

Welcome and course objectives (09:00)

An introduction to set the scene and speakers: aims, objectives and content of the tutorial.

1. Secondary legislation and its impact on GDPR, data flows and research (9:10 – 9:35)

This topic will focus on the progress of new legislation to handle the derogations that GDPR offers Member States. It will include an overview of where Member States have reached in terms of implementing Data Protection laws as well as other legislation around genomics research, public health surveillance and commissioning.

We will explore the implications both now and as the new laws come into force and likely developments over the coming months. The session will include an update on the implications of the ePrivacy Regulation, Cyber Security and the Public Sector Information Directive.

With this session we aim to establish a clearer roadmap of the likely changes for data handling as these laws come into effect.

2. Clarifying Consent - patients’ perspective (9:35 – 10:00)

With the new bar for consent to data processing being set even higher, especially around the freely given nature of consent for data processing, Recital 43 and the requirements under Articles 6 and 9 of GDPR, the role of consent in the research domain and with regard to data processing needs explanation and clarification.

We will explore the patient perspective on the meaningfulness of consent for participation, and how the informed basis of consent can be worded. The session will look at what reasonable expectations participants and patients may have and the extent to which broad consent is covered under GDPR for collection and reuse for related purposes.

We aim in this session to help build a clearer picture to aid the explanations and clarifications that are needed where consent is concerned.

3. Identifying Legal Bases for processing data (10:00 – 10:25)

There can be multiple legal bases for processing personal data and in the case of health data, it is important for attendees to recognize how best to identify these and to understand the limits that they apply.

In combination with the Consent tutorial, this session will help attendees to appreciate the legal bases under GDPR on which they might be processing data. It will explore the elements under Articles 6 and 9, thinking in detail about not only provisions under 9(2), but also legal obligation and legitimate interest in cases where public task is not appropriate.

Additional consideration will be given to archiving data sets and a focus on developing resources for later reuse following the biobanking models.

Coffee Break (10:25 – 10:40)


4. Transparency requirements for research platforms and pseudonymisation & GDPR - reusing existing databases (10:40 – 11:05)

This session will focus on what is needed to achieve meaningful and clear descriptions of data processing so that organisations can achieve the transparency that GDPR requires.

We will illustrate this with reference to ongoing cases where transparency and reasonable expectations are being disputed, which show the importance of privacy notices, information leaflets and descriptions of data handling.

In this topic, we will focus on the process of pseudonymisation and how this can be described to participants and the public. We also aim to highlight the reuse of existing data sets where legitimate interests may be appropriate but must be clearly explained in appropriate notices.

5. Accountability in practice - demonstrating compliance through documentation - international transfers - feasibility, binding corporate rules and competence (11:05 – 11:30)

Our aim in this session is to provide an overview of how best to prepare to achieve GDPR compliance with its accountability principle and focus on the essential ingredients of successful accountability.

We think about the role of documentation including contracts, codes of practice, risk and asset registers, the role of Data Protection by Design and Default and Data Protection Impact Assessments.

Building on this, we refer to the need to demonstrate accountability, including methods to internally audit activity and the role of independent certification, training for staff and routine review of practice.

Debate (11:30 – 12:00)

Topic of discussion: GDPR is good for our health!