Personal data is information about a natural person. It can be any information relating to an individual, whether it relates to their private, professional or public life, and presents the risk that it could allow the identification of the person.
In this sense, it is imperative to distinguish between
- identifiable data (even if it is key-coded) and
- data that is rendered completely anonymous,
as the EU General Data Protection Regulation (GDPR) applies to the former, and not the latter (GDPR, Recital 36). GDPR covers cases wherein the data is collected and used by another person or legal entity.
Data protection in clinical and health research was leading to discussions in the legislative process, in particular whether there should be exemptions from the obligation to always seek consent before using patients’ data for research in cases where asking for consent or re-consent is impossible (GDPR Article 89).
In GDPR, there is an option for exemption to consent for research purposes, and, if it is used, researchers must ensure that technical and organisational safeguards are in places when using patients’ data (GDPR, Article 89 paragraph 1).
The safeguards that must be met are to be specified in Union or Member State law (GDPR, Article 89, paragraphs 2 and 3) – and will therefore vary in details and date of application.
One such safeguard mentioned in GDPR is pseudonymization, which ensures confidentiality through key-coding the data to make it impossible to identify who the data is about without the key.
It also asks researchers to use anonymous data where possible, especially if identifiable data is not needed for the research purpose being pursued. Anonymized data is different from pseudonymised data; it means that it is completely impossible to find the identity of the person from the data at all.
Clinerion’s patented ANID technology
Although all identifiable personal information and patient record identifiers have been completely stripped from medical records before use, this technology can enable a healthcare provider to match these de-identified, unlinked records with corresponding hospital records using a combination of techniques.
The system set-up involves a unidirectional, outbound-only connection between the hospital IT infrastructure and the locally hosted Clinerion server, further increasing information security.
ANID offers an enhanced level of data protection and enables many other advantages of Clinerion’s Patient Network Explorer. Query results for feasibility requests are stored in the Clinerion secure private cloud environment, which only sees aggregated counts of the patients who match the coded queries (e.g. inclusion / exclusion criteria).
The performance of Patient Network Explorer is such that results appear in real-time in a fraction of the time needed by traditional search processes: minutes instead of months.
“The new EU Regulation on the protection of personal data: what does it mean for patients?”
The full text of the General Data Protection Regulation in all the official languages of the EU: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679
The European Commission published a questions and answers factsheet which gives general information the Regulation: http://europa.eu/rapid/press-release_MEMO-15-6385_en.htm
The fundamental Rights Agency has published a handbook on data protection (based on the Directive from 1995) to make it more accessible: http://fra.europa.eu/sites/default/files/fra-2014-handbook-data-protection-law-2nd-ed_en.pdf