How can hospitals valorise Real-World Data safely and securely?
The real value of Real-World Data (RWD) is that they improve individual patients’ health, and healthcare in general. But the idea of extracting that value and sharing RWD makes many healthcare providers feel insecure. And yet, they shouldn’t be. This blog will debunk their many outdated beliefs about data ownership, GDPR-related obligations and the (non) necessity of involving the Ethics Committee (EC).
This blog will show why hospitals can safely and securely valorise their data, the main reasons being that
- Data ownership is not an obstacle
- Patients must be informed but don’t need to consent
- The Law on experiments is not applicable to retrospective RWD studies and thus the Ethics Committee’s advice is not required
Patients cannot prohibit their data to be shared, but have the right to be informed.
Who owns the patient’s data?
Actually, in Belgian law there’s no concept of ownership of patient data. This simply doesn’t exist, so patient data is not something anyone can own: not the patient, not the hospital, not the healthcare practitioner.
RWD rights and obligations
But every party involved has certain rights and obligations towards the data.
- The right to access, copy, delete and correct their data (Law on patient rights)
- The right to privacy (Law on patient rights)
- The right to be informed on what happens with their data and the right to oppose to certain data processing activities (GDPR)
Healthcare practitioners are
- Obliged to keep the data in a patient file (Law on patient rights)
- In need of access to the patient data to provide care (Law on quality practice of care)
Healthcare institutions must
- Provide the infrastructure to create and store patient files (Law on hospitals)
- Assure this infrastructure is safe and secure (GDPR)
Data can be shared
Put simply: patients cannot prohibit their data to be shared on the basis of ownership. They do, however, have the right to be informed on what happens with their data.
And even though RWD cannot be sold (as nobody “owns” the data), they can be shared with other parties, in a legal way and with respect for the patients’ privacy.
What are the applicable GDPR processing rules
GDPR, and more specifically articles 6 and 9, provide the possible legal grounds for processing health related personal data as part of a data valorisation project. RWD valorisation can be justified by the legitimate interests of the data controller, represented by the hospital, and by the necessity for scientific research.
Patient consent requirements: none
The consent of patients for processing their personal data as part of a RWD valorisation project is therefore not required as a legitimate ground (as there are other legitimate grounds available).
What hospitals need to do, though, is to inform patients on the further processing of their personal data for research purposes; at the latest before any such processing occurs – for example before the anonymization of data. It’s recommended, however, that patients are informed of the possible further processing of their patient data for data valorisation purposes, at the moment of registration in the hospital. Alternatively, it is accepted to generally inform all patients on the website of the hospital, through general patient communication, etc.
When must the Ethics Committee (not) be involved
The Belgian law on experiments requires an advice from an EC on any prospective study, i.e., a study that starts in the present and will continue in the future with the aim to collect new patient data that are not yet available in patient files.
The Belgian law on experiments is, however, not applicable to retrospective studies. Retrospective studies rely on patient data that have already been collected in the past and that are already present in patient files. Patients are not explicitly implicated in the study upfront and no new data are collected.
Data valorisation projects are retrospective studies. Therefore, the Belgian law on experiments is not applicable to them, hence no advice from the EC is required.
Establish Data Assessment Committee to advice on RWD queries
Our recommendation to hospitals is, however, to establish a specific data assessment committee that is competent enough to evaluate RWD queries. By integrating a delegation of the EC in such data assessment committee, the EC is still informed, yet relieved and can focus on its legal obligations.
For any data valorisation project, patients need to be informed, but their consent is not required. As these RWD use cases are retrospective studies, the advice of an EC is not legally necessary. It could however be desirable to create a knowledgeable Data Assessment Committee to review any RWD query to keep the overview and execute control over the data processing.
Ready to talk about RWD?
Get in touch!