Journal List > Healthc Inform Res > v.29(3) > 1516083501

Lee and Choi: Secondary Use Provisions in the European Health Data Space Proposal and Policy Recommendations for Korea

Abstract

Objectives

This article explores the secondary use provisions of the European Health Data Space (EHDS), proposed by the European Commission in May 2022, and offers policy recommendations for South Korea.

Methods

The authors analyzed the texts of the EHDS proposal and other documents published by the European Union, as well as surveyed the relevant literature.

Results

The EHDS proposal seeks to create new patient rights over electronic health data collected and used for primary care, and to establish a data sharing system for the re-use of electronic health data for secondary purposes, including research, the provision of personalized healthcare, and developing healthcare artificial intelligence (AI) applications. These provisions envisage requiring both private and public data holders to share certain types of electronic health data on a mandatory basis with third parties. New government bodies, called health data access bodies, would review data access applications and issue data permits.

Conclusions

The overarching aim of the EHDS proposal is to make electronic health data, which are currently held in the hands of a small number of organizations, available for re-use by third parties to stimulate innovation and research. While it will be very challenging for South Korea to adopt a similar scheme and require private entities to share their proprietary data with third parties, the South Korean government should consider making at least health data collected through publicly funded research more readily available for secondary use.

I. Introduction

On May 3, 2022, the European Commission published its proposal to create a European Health Data Space (the “EHDS Proposal”) [1]. The EHDS Proposal aims to introduce a new, unprecedented framework to make electronic health data available for re-use for various purposes, including research. This proposal is groundbreaking on two counts: (1) the electronic health data to be made available for re-use include data held by both public sector bodies and private sector organizations—meaning that private companies would be required to disclose certain electronic health data to third parties for re-use; and (2) the recipients of the data (called data users) are allowed to use the data for a number of purposes, including, among others, scientific research, product development, artificial intelligence (AI) training, and personalized healthcare—meaning that data can be used for commercial purposes. The background to this proposal is that, in the eyes of European policymakers, the coronavirus disease 2019 (COVID-19) pandemic highlighted the importance of having up-to-date health data to respond to public health crises.
The EHDS Proposal is anticipated to have wide-reaching consequences for the healthcare sector, transforming the way in which electronic health data will be shared and reused in Europe. The EHDS Proposal is still in draft form and progressing through the European legislative process, so it is likely to change. This article analyzes the EHDS Proposal as first published by the European Commission, with a focus on the provisions on secondary use of electronic health data. This article discusses the newly proposed mandatory data sharing regime for secondary use of electronic health data, and the responses to this proposal from industry and academia. The final section of this article discusses the potential policy implications of the EHDS Proposal in Korea.

II. Methods

The European Commission published the initial text of the EHDS Proposal on May 3, 2022. The draft is now under review by the European Parliament and the Council of the European Union (EU). Each of these institutions will formulate their own version of the proposal, and they will then enter into negotiations to agree on a compromise text to be adopted. Agreement on the EHDS Proposal is expected at the end of 2023 or early 2024. The authors of this paper analyzed the EHDS Proposal and surveyed other documents published by the EU that provide insights into the EHDS Proposal, as well as the relevant literature.

III. Results

1. Background

The EHDS Proposal is a sector-specific component of the EU’s European Strategy for Data, announced in 2020 (EU Data Strategy) [2]. The EU Data Strategy recognizes data as “the lifeblood of economic development.” The ultimate aim of the strategy is to ensure that Europe is able to capture the benefits of better use of data by increasing the use of, and demand for, data and data-enabled products and services throughout the EU.
The EU Data Strategy is operationalized through numerous horizontal legislative reforms—such as the Data Governance Act (entered into force in June 2022) and the Data Act (proposed in February 2022, not yet adopted)—and sector-specific, vertical legislative reforms targeting key sectors [3]. Through the vertical legislative reforms, the EU will create “European Data Spaces” focused on specific sectors, such as healthcare, manufacturing, mobility, and energy. The EHDS is the first of the European Data Spaces to be formally proposed by the European Commission. Each of these legislative reforms is aimed at unlocking access to data—currently held in the hands of a few organizations—and making it available to a greater number of actors for re-use.

2. Overview

The EHDS Proposal is a lengthy and complex piece of proposed legislation [4]. An overview of the EHDS Proposal can be found in Table 1. The EHDS Proposal creates a wide range of new rights and obligations in relation to access to and use of “electronic health data.” A chart setting out the defined terms in the EHDS Proposal can be found in Table 2. The key components of the EHDS Proposal are as follows.

1) Primary use

The EHDS Proposal creates new rights for patients over their electronic health data processed in the context of primary use of electronic health data [5]. The new rights granted to patients include the right to access, modify, and restrict access to electronic health data by healthcare professionals. The EHDS Proposal would also grant healthcare professionals access to electronic health data of their patients across EU member states, irrespective of the member state of affiliation and the member state of treatment. Patients are allowed to restrict access to certain electronic health data by their healthcare professionals on an “opt-out” basis.

2) EHR systems

The EHDS Proposal establishes a pre-market conformity assessment requirement for Electronic Health Record systems (EHR systems) and a voluntary labeling scheme for wellness applications. The conformity assessment would evaluate whether the service meets certain mandatory requirements relating to fitness for purpose and interoperability [6].

3) Secondary use

The EHDS Proposal introduces new obligations for “data holders” to provide electronic health data for secondary use by third parties. Access to electronic health data would be mediated through a data permit system run by government-designated health data access bodies. The rules for secondary use of electronic health data are the focus of this article.

3. Rules for Secondary Use of Electronic Health Data

Chapter IV of the EHDS Proposal sets out rules applicable to the “secondary use” of electronic health data. Under these rules, “data holders” must make a wide range of specified categories of electronic health data available for secondary use by third parties, called “data users.” The term “data holder” is broad enough to include hospitals, biobanks, research institutes, academic institutions, and commercial companies, such as pharmaceutical companies and medical device manufacturers. The EHDS Proposal is clear that electronic health data “entailing protected intellectual property and trade secrets from private enterprises shall be made available for secondary use” (our emphasis), although in such cases “all measures necessary to preserve the confidentiality of intellectual property (IP) rights and trade secrets shall be taken” (Art. 33(4)). A full list of the types of electronic health data that data holders would be required to share pursuant to these rules can be found in Table 3.
To access the data for secondary use, any “natural or legal person may submit a data access application” to the health data access body “for the purposes referred to in Article 34” (Art. 45(1)). These purposes include, among others, “scientific research related to health or care sectors,” “development and innovation activities for products or services contributing to public health or social security, or ensuring high levels of quality and safety of health care, of medicinal products or of medical devices,” and “training, testing and evaluating of algorithms, including in medical devices, AI systems and digital health applications, contributing to the public health or social security, or ensuring high levels of quality and safety of health care, of medicinal products or of medical devices” (Art. 34(1)(e)–(g)). A full list of the allowed and prohibited purposes for which electronic health data can be re-used under the EHDS Proposal is set out in Table 4.
It is notable that these allowed purposes may include revenue-generating commercial purposes, such as product development. It is also notable that the data user is not restricted to being in a particular sector, or to being an academic or public institution. This means that commercial organizations, such as technology companies, pharmaceutical companies, and medical device manufacturers can all take advantage of the EHDS rules on secondary use to gain access to data held by third parties. Before granting a permit, health data access bodies must assess “if the application fulfills one of the purposes listed in Article 34(1) of this regulation, if the requested data is necessary for the purpose listed in the application and if the requirements in this chapter are fulfilled by the applicant” (Art. 46(1)). If the applicant meets these requirements, the health data access body is required to issue a data permit within 2 months. Once the data permit is issued, the health data access body will request the data holder to provide the data to the health data access body, which will then make it available in a secure processing environment.
Where the applicant seeks data only from a single data holder in a single member state, the data user may submit a data access application to the data holder directly (Art. 49(1)), without going through a health data access body. A direct data access application must include the same elements required for an application to a health data access body, and the data holder must consider the same criteria that health data access bodies consider when determining whether to issue a data access permit (Arts. 49(1)–(2)). Where the criteria are met, the data holder “may issue a data permit” (Art. 49(2)) and grant access to the requested data.
Flowcharts showing the process for making data access applications and granting data permits are presented in Figure 1.

4. Responses to the EHDS

In the EU, the EHDS has generally received positive feedback from the research community and some industry groups [7,8]. However, there are some aspects of the EHDS Proposal that have been called out as raising certain concerns. Some of these concerns are as follows.

1) Intellectual property/trade secrets protections

The current text of the EHDS Proposal contains only vague, high-level references to protecting IP and trade secrets for data holders. Article 33(4) states that “all measures” must be taken to protect such rights, and that public bodies should take “all specific measures” to protect IP and trade secrets. Many industry players are calling for strengthened protections in this regard [9].

2) Fees

Health data access bodies and data holders are allowed to charge a fee to data users for making electronic health data available for secondary use (Art. 42). This fee must be “transparent and proportionate to the cost of collecting and making electronic health data available for secondary use, objectively justified and shall not restrict competition” (Art. 42(4)). This means that although data holders may be able to recoup the costs of making data available to data users, they are unlikely to be able to generate profit—or in some cases recoup the full cost of investments required to collect the data—from data sharing under the EHDS framework. The EHDS data sharing scheme may also threaten the business models of existing for-profit data sharing frameworks already in operation.

3) Medical confidentiality and ethics laws

Currently in the EU, medical confidentiality and ethics laws apply to patient health data. Concerns have been raised that the EHDS may challenge the differing traditions of member states regarding medical confidentiality and ethics relating to secondary use of data. This has led to the CPME (Standing Committee of European Doctors), an association representing European doctors, calling for granting patients the right to opt-out or opt-in to the collection and use of electronic health data for secondary use [10]. The CPME has also called for systematically involving ethics committees or review boards within the EHDS framework.

4) Privacy and data protection law

The interplay between the EU’s General Data Protection Regulation (GDPR) and the EHDS is also unclear in places [11]. The GDPR will apply to personal data processed under the EHDS framework. However, the EHDS Proposal does not create a legal basis under the GDPR for data users to access (pseudonymized) personal data, even if they obtain a data access permit. Rather, data users are responsible for identifying such a legal basis under EU or member state law, meaning that data users must identify the legal basis that would apply under both Article 6 and 9 of the GDPR. Currently in the EU, different member states take different approaches to whether patient consent is required to use data for research (Article 9(2)(a)) or whether organizations may rely on the research exemption in Article 9(2)(j) and Article 89(1) [12]. The EHDS Proposal fails to harmonize the rules in this regard, leaving it open for the data user to identify the legal basis appropriate to the data processing in question. Without this harmonization, data users may in fact be limited in the types of data they will be able to access lawfully for secondary use.

IV. Discussion

The European Union has served as the model for Korea’s privacy and personal information policies. The EU’s GDPR has influenced Korea’s Personal Information Protection Act (PIPA) [13]. The first question that pops into anyone’s mind, thus, is whether Korea can implement a secondary use pathway similar to that in the EHDS Proposal. It is undeniable that putting health datasets held by private entities to secondary use has the potential to benefit society. That said, requiring privately held datasets to be made available for secondary use by third parties on a mandatory basis will likely meet significant legal challenges under Korean law.
The Korean constitution provides that the property rights of citizens must be protected and that the scope and limitations of property rights are to be set forth in a statute (Constitution, Art. 23, Para. 1). The constitution also provides that commandeering, using, or limiting a citizen’s property out of public necessity must have legal basis in a statute and be justly compensated (Constitution, Art. 23, Para. 3). The concept of trade secrets is defined broadly as information, including a production method, sale method, useful technical or business information for business activities, which is not known publicly, is managed as a secret, and has independent economic value (Unfair Competition Prevention and Trade Secret Protection Act, Art. 2, Para. 2). This means that proprietary datasets will likely constitute a trade secret, a type of property protected by the constitution [14].
Even if proprietary datasets constitute trade secrets or otherwise protected property under the constitution, one can argue that the takings clause under the Korean constitution will permit mandatory sharing of proprietary datasets for secondary use, provided that the legislature passes a law allowing it with just compensation [15]. Besides, unlike tangible properties that can be used by only a single party at a time, intangible properties, such as datasets, do not necessarily diminish in value when used by multiple parties. However, it is not clear whether the “public necessity” component of the takings clause will be met if secondary use includes research and development activities with a commercial aim. In recent years, Korean authorities have rarely granted compulsory licenses on the grounds of public necessity, although the relevant IP law allows this if just compensation is also granted [16].
This does not mean that creating a “health data space” of some kind in Korea would be impossible altogether. Many publicly held health datasets are already available for secondary use, mostly for research or public health endeavors (Table 5). Korea could conceivably create a “health data space” that includes health datasets that have been created with research grants from the government. The current government research funding regulation bestows the property rights to all byproducts of research to the research institution or the individual researcher (National Research and Development Innovation Act [NRDIA], Art. 16, Paras 1 and 2), in a manner similar to the US Bayh-Dole Act [17]. This property rights scheme was a utilitarian contrivance, after government ownership of IP created from government-funded research had failed to see active downstream development [18]. By the same utilitarian token, permitting wider access to datasets created by government-funded research may bring about even more downstream use of the datasets than proprietary control by a single entity. There are three hurdles that need to be overcome to implement wider access to health datasets generated by government-funded research: legal basis for mandatory sharing of health datasets, privacy of research participants, and IP rights embedded in datasets.
The NRDIA would be the natural place to provide a legal basis to require sharing of scientific data, including health data, created during government-funded research. The current NRDIA conceptualizes a “data management plan” as a part of research proposals, which should include the researcher’s plan to generate, store, maintain and share scientific data created by government-funded research [19]. However, a data management plan is required only selectively at the discretion of the funding ministry. The first step in widening access to health data for secondary research is to make data sharing the rule in publicly funded research, rather than the exception, as is the case in some jurisdictions [20].
For health data, the privacy of the data subjects represented in the datasets will add to the legal complexity of mandatory sharing of health datasets for secondary use by third parties. In this regard, the government must provide guidance as to how health data may be made available for secondary research without compromising the privacy of research participants. The United States’ National Institutes of Health offers a good example [21]. The “scientific research exemptions” under the PIPA as amended in 2020 provide some insights too [22]. The research exemptions under the PIPA allow pseudonymized personal data to be used for statistical purposes, scientific research purposes, and archiving purposes in the public interest—without the consent of the data subject (PIPA Art. 28-2). This provision is similar to GDPR Article 9(2)(j) and Article 89(1), although the issue in the EU is one of fragmentation of how this provision is interpreted by different member states [23]. While the constitutionality of the scientific research exemptions has not yet been tested, designing a Korean “health data space” along similar lines of the scientific research exemptions will at least find precedential support in the PIPA [24].
Safeguarding IP rights embedded in or arising from the datasets will also be a critical issue. The EHDS Proposal reads “(e)lectronic health data entailing protected IP and trade secrets from private enterprises shall be made available for secondary use. Where such data is made available for secondary use, all measures necessary to preserve the confidentiality of IP rights and trade secrets shall be taken” (EHDS Proposal, Art. 33.4; similar provisions are found in Arts. 34.4 and 37.1). The proposed text is not clear on what “all measures necessary” would entail, and how any disputes that will surely arise between the parties about the appropriate measures to take would be resolved. It will be interesting to watch how the EU solves the puzzle [25]. Interestingly, the European Commission’s Data Act Proposal contains more detailed provisions relating to dispute resolution in this regard, and we may see this being reflected in future iterations of the EHDS Proposal. The same issue will have to be overcome as well if Korea were to adopt the authors’ suggestion of making datasets from government-funded research available to the public for secondary use. Regardless of whether datasets are made available to the public or not, some IP rights may have to remain proprietary to the research organization or the individual researcher in order to make downstream development feasible, especially in the life sciences industry where IP rights become key assets [26].
In conclusion, the EHDS Proposal is a reminder that facilitating secondary research by widening access to health data, whether held by the public sector or the private sector, will add value to society. It is a policy that Korea should consider in the long run. If a similar piece of legislation is not feasible in the short term in Korea, mandatory sharing of scientific data, including health data, generated by government-funded research will be a feasible and beneficial alternative.

Notes

Conflict of Interest

No potential conflict of interest relevant to this article was reported.

Acknowledgments

This work was supported by the Ministry of Education of the Republic of Korea and the National Research Foundation of Korea (No. NRF-2021S1A5A2A01066230).

References

1. European Commission. Proposal for a regulation of the European Parliament and of the Council on the European Health Data Space [Internet]. Strasbourg, France: European Commission;2022. [cited at 2023 Jul 31]. Available from: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52022PC0197.
2. European Commission. Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: a European strategy for data [Internet]. Brussels, Belgium: European Commission;2020. [cited at 2023 Jul 31]. Available from: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52020DC0066.
3. Carvalho G, Kazim E. Themes in data strategy: thematic analysis of ‘A European Strategy for Data’ (EC). AI Ethics. 2022; 2:53–63. https://doi.org/10.1007/s43681-021-00102-y.
4. Jauregui AE. Overview of the European Health Data Space (EHDS): goals and current challenges. Eur J Public Health. 2021. 31(Suppl S3):ckab164–123. https://doi.org/10.1093/eurpub/ckab164.123.
5. Lee J, Park YT, Park YR, Lee JH. Review of national-level personal health records in advanced countries. Healthc Inform Res. 2021; 27(2):102–9. https://doi.org/10.4258/hir.2021.27.2.102.
6. Stellmach C, Muzoora MR, Thun S. Digitalization of health data: interoperability of the proposed European health data space. Stud Health Technol Inform. 2022; 298:132–6. https://doi.org/10.3233/shti220922.
7. Das M. Stakeholders welcome proposal on the European Health Data Space. Lancet Oncol. 2022; 23(12):1492. https://doi.org/10.1016/s1470-2045(22)00691-x.
8. Horgan D, Hajduch M, Vrana M, Soderberg J, Hughes N, Omar MI, et al. European Health Data Space: an opportunity now to grasp the future of data-driven healthcare. Healthcare (Basel). 2022; 10(9):1629. https://doi.org/10.3390/healthcare10091629.
9. Yakovleva S. On digital sovereignty, new European data rules, and the future of free data flows. Legal Iss Econ Integr. 2022; 49(4):339–48.
10. Standing Committee of European Doctors (CPME). Position on the European Health Data Space [Internet]. Brussels, Belgium: CPME;2022. [cited at 2023 Jul 31]. Available from: https://www.cpme.eu/api/documents/adopted/2022/11/cpme.2022-065.FINAL.CPME.position.EHDS.pdf.
11. Karacic J. Europe, we have a problem! Challenges to health data-sharing in the EU. In: Proceedings of the 2022, 18th International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob); 2022 Oct 10–12; Thessaloniki, Greece. 47–50. https://doi.org/10.1109/wimob55322.2022.9941532.
12. Slokenberga S, Tzortzatou O, Reichel J. GDPR and bio-banking: individual rights, public interest and research regulation across Europe. Cham, Switzerland: Springer;2021. 397–419. https://doi.org/10.1007/978-3-030-49388-2.
13. Lee SE. The Amendment of Personal Information Protection Act of Korea: focusing on the grounds for processing personal data without data subject’s consent. Ewha Law J. 2020; 24(3):249–86. https://doi.org/10.32632/elj.2020.24.3.249.
14. Park YG. Study on the trends of the supreme court cases regarding trade secret protection. J Ind Prop. 2016; 49:231–77.
15. Chung KH. Die Begriffe von ‘Enteignug, Nutzung, Beschränkung’ im Sinne von Art. 23 Abs. 3 KV. Const Law. 2019; 25(3):133–87. https://doi.org/10.35901/kjcl.2019.25.3.133.
16. Eom T. Policy consideration on the utilization of compulsory license of pharmaceutical patent for overcoming COVID-19. J Intellect Prop. 2022; 17(1):1–40. https://doi.org/10.34122/jip.2022.17.1.1.
17. Kim M. A review of legislation related to science and technology research, industry convergence promotion: focused on the latest issues of the special Act on the Innovation of National R&D and Industrial Convergence Promotion Act. J Sci Technol Policy. 2019; 2(1):59–83.
18. Jung J. A study on Acts of the Republic of Korea regarding Technology Transfer and Commercialization from National Research and Development Project. Law Technol. 2014; 10(4):82–101.
19. Ministry of Science and ICT. Rules for Management of Data from National Research and Development (Notice 2020-102). Sejong, Korea: Ministry of Science and ICT;2020.
20. Yoon CM. Introduction and development direction of the national R&D data management system: focusing on the “Data Management Plan (DMP)” system. Sci Technol Law. 2020; 11(2):197–222.
21. National Institutes of Health. Supplemental information to the NIH policy for data management and sharing: protecting privacy when sharing human research participant data [Internet]. Bethesda (MD): National Institutes of Health;2020. [cited at 2023 Jul 31]. Available from: https://grants.nih.gov/grants/guide/notice-files/NOT-OD-22-213.html.
22. Lee WB. Adoption of Pseudonymization by Korea’s Personal Information Protection Act & Its Implications on Genomic Research. Ewha Law J. 2020; 25(1):191–224. https://doi.org/10.32632/elj.2020.25.1.191.
23. Molnar-Gabor F, Sellner J, Pagil S, Slokenberga S, Tzortzatou-Nanopoulou O, Nystrom K. Harmonization after the GDPR? Divergences in the rules for genetic and health data sharing in four member states and ways to overcome them by EU measures: insights from Germany, Greece, Latvia and Sweden. Semin Cancer Biol. 2022; 84:271–83. https://doi.org/10.1016/j.semcancer.2021.12.001.
24. Oh BC. EU Data Act Draft and Its Implication. Korean Forum Int Trade Bus Law. 2022; 31(1):487–516. https://doi.org/10.23068/KJITBL.2022.7.31.1.487.
25. Burk DL. Intellectual property in the context of e-Science. J Comput Mediat Commun. 2007; 12(2):600–17. https://doi.org/10.31235/osf.io/8agp9.
26. Dutfield G. Intellectual property rights and the life science industries: a twentieth century history. 1st ed. London, UK: Routledge;2003. https://doi.org/10.4324/9781315252131.

Figure 1
Flowcharts for secondary use in the EHDS Proposal. (A) For data access applications and data requests to multiple data holders in more than one member state. (B) For data access applications and data requests to a single data holder in one member state. HDAB: health data access body, EHDS: European Health Data Space, EHD: electronic health data.
Table 1
Overview of the provisions in the EHDS Proposal
| Provisions | Obligations |
| --- | --- |
| Chapter I. General provisions (Arts. 1–2) | Subject matter and scope |
| | Definitions |
| | Relationship between the EHDS Proposal and other EU instruments |
| Chapter II. Primary use of electronic health data (Arts. 3–13) | New patient rights and HCP obligations over electronic health data |
| | Obligations on interoperability of health-related data sets |
| | Establishment of a common infrastructure (MyHealth@EU) to facilitate cross-border exchange of electronic health data |
| Chapter III. EHR systems and wellness applications (Arts. 14–32) | Mandatory self-certification scheme for Electronic Health Record systems (EHR systems) |
| | Requirements on interoperability and security of EHR systems |
| | Conformity assessments; CE marking; market surveillance of EHR systems |
| | Voluntary labeling scheme of wellness applications interoperable with EHR systems |
| Chapter IV. Secondary use of electronic health data (Arts. 33–58) | Aims to facilitate secondary use of electronic health data (e.g., for research, innovation, policy making, patient safety, or regulatory activities); obligation for data holders to provide data |
| | Defines data types that can be used for defined purposes; sets out prohibited purposes |
| | Member states to set up a health data access body for secondary use of electronic health data—to issue permits to data users and provide secure platform to access the data |
| | Data holders may be required to issue permits and create own secure platform to share data with data users |
| | Mandatory data quality and utility label for datasets created and processed with public funding |
| | Provisions on IP and trade secret protection |
| Chapter V. Additional actions (Arts. 59–63) | Rules on international transfer of and access to non-personal data in the EHDS |

EHDS: European Health Data Space, EHR: Electronic Health Record, HCP: healthcare provider.

Table 2
Key definitions in the EHDS Proposal
| Term | Definition |
| --- | --- |
| Electronic health data | Personal or non-personal electronic health data (Art. 2(2)(c)) |
| | Personal electronic health data is defined as “data concerning health and genetic data as defined in (the GDPR) as well as data referring to determinants of health, or data processed in relation to the provision of healthcare services, processed in an electronic form” (Art. 2(2)(a)) |
| | Non-personal electronic health data is defined as “data concerning health and genetic data in electronic format that falls outside the definition of personal data provided in Article 4(1) of the GDPR” (Art. 2(2)(b)) |
| Secondary use | The processing of electronic health data for purposes set out in Chapter IV of the EHDS Proposal (Art. 2(2)(e)) |
| | The definition further states that “the data used may include personal electronic health data initially collected in the context of primary use, but also electronic health data collected for the purpose of the secondary use.” |
| Data holder | Any natural or legal person, which is an entity or body in the health or care sector, or performing research in relation to those sectors… who has the right or obligation… to make available… certain data (Art. 2(2)(y)) |
| Data user | A natural or legal person who has lawful access to personal or non-personal electronic health data for secondary use (Art. 2(2)(z)) |

EHDS: European Health Data Space, GDPR: General Data Protection Regulation.

Table 3
Minimum categories of electronic data for secondary use
Electronic Health Records
Data impacting on health, including social, environmental behavioral determinants of health
Relevant pathogen genomic data, impacting on human health
Health-related administrative data, including claims and reimbursement data
Human genetic, genomic and proteomic data
Person-generated electronic health data, including medical devices, wellness applications or other digital health applications
Identification data related to health professionals involved in the treatment of a natural person
Population wide health data registries (public health registries)
Electronic health data from medical registries for specific diseases
Electronic health data from clinical trials
Electronic health data from medical devices and from registries for medicinal products and medical devices
Research cohorts, questionnaires and surveys related to health
Electronic health data from biobanks and dedicated databases
Electronic data related to insurance status, professional status, education, lifestyle, wellness, and behavior relevant to health
Electronic health data containing various improvements such as correction, annotation, enrichment received by the data holder following a processing based on a data permit
Table 4
Allowed and prohibited purposes for secondary use of electronic health data under the EHDS Proposal
Allowed secondary use (Art. 34):
Activities for reasons of public and occupational health (e.g., protection against serious cross-border threats to health, public health surveillance or ensuring high levels of quality and safety of healthcare and of medicinal products or medical devices)
To support public sector bodies or Union institutions, agencies and bodies including regulatory authorities in health or care sector to carry out their tasks defined in their mandates
To produce national, multi-national and Union level official statistics related to health or care sectors
Education or teaching activities in health or care sectors
Scientific research related to health or care sectors
Development and innovation activities for products or services contributing to public health or social security, or ensuring high levels of quality and safety of health care, of medicinal products or of medical devices
Training, testing and evaluating of algorithms, including in medical devices, AI systems and digital health applications, contributing to the public health or social security, or ensuring high levels of quality and safety of health care, of medicinal products or of medical devices
Providing personalised healthcare consisting in assessing, maintaining or restoring the state of health of natural persons, based on the health data of other natural persons

Prohibited secondary use (Art. 35):
Taking decisions detrimental to a natural person based on their electronic health data
Taking decisions in relation to a natural person or groups of natural persons to exclude them from the benefit of an insurance contract or to modify their contributions and insurance premiums
Advertising or marketing activities towards health professionals, organisations in health or natural persons
Providing access to, or otherwise making available, the electronic health data to third parties not mentioned in the data permit
Developing products or services that may harm individuals and societies at large, including, but not limited to illicit drugs, alcoholic beverages, tobacco products, or goods or services which are designed or modified in such a way that they contravene public order or morality

EHDS: European Health Data Space.

Table 5
Representative types of big data available for health research in Korea
Type | Examples | Remarks
Biobanks (national) | National Biobank of Korea (NBK) | As of 2019, biospecimens from 420,000 are stored at the NBK. Also houses biospecimens collected by government-funded cohort studies such as KoGES.
Biobanks (private) | Biobanks maintained by research hospitals | Mostly used for intramural research
Cohort data | KoGES(a) (Korean Genome Epidemiology Study); orphan disease cohort | Mostly government agency projects. Usually include genomic, anthropometric, and clinical data.
Claims data | National Health Insurance Service (NHIS)’s claims data; Health Insurance Review & Assessment Agency (HIRA)’s claims data | Due to the bifurcated governance of Korea’s national health insurance, big data are held by the two organizations that are complementary. The NHIS provides both “normalized” dataset of a sample representing the entire population and custom-prepared datasets at the request of individual researchers.
Electronic Health Records | - | Segregated at each hospital system and used mostly for intramural research. Sometimes used in collaboration with an outside research organization.

(a) Source: Kim Y, Han BG; KoGES group. Cohort profile: the Korean Genome and Epidemiology Study (KoGES) consortium. Int J Epidemiol 2017;46(2):e20. https://doi.org/10.1093/ije/dyv316.
