Guest post by Jaakko Lähteenmäki from VTT
Secondary use of health and social services data is attracting interest worldwide. MIDAS project addresses the use of data for supporting policy makers in decision making. Additionally, there are several other application areas for secondary use of health and social services data. These include population research, statistics, organisation management, quality monitoring and clinical decision support. Interest towards data resources is increasing also in private sector. Pharmaceutical companies are obviously interested in using data in the development of new drugs and therapies and in monitoring the safety and efficacy of their products. Increasing interest towards data is observed also among companies providing medical devices and personal health solutions as well as in food industry [1].
In many applications data access is needed at individual level. Even if direct person identifiers are removed the individuals may still be identifiable for example based on the subject’s area of living or time-tagged health centre visits. Therefore, it is critical to take privacy issues carefully into account when person-level data is released for secondary use. The GDPR (General Data Protection Regulation) provides a basis for privacy protection in Europe. The GDPR sets strict obligations for data controllers in order to ensure the privacy of data subjects. While increasing obligations to data controllers the GDPR still enables secondary use of data e.g. for scientific research without explicit consent.
Even if current legislation enables the use of data for secondary purposes, there are several challenges related to data exploitation in practice. Health and social services data is stored in heterogeneous registers. For the data user it is difficult to locate the relevant data resources and to apply for data permits from a wide range of registry controllers. Furthermore, combining data from different registries is delicate, as this requires transmission of personal identifiers between registry controllers.
It is clear, that legislation and guidelines beyond the GDPR are needed in order to more efficiently exploit data across registries. Finland has compiled unique legislation for regulating secondary use of data. The “Secondary Use Act” is currently in the acceptance process of the Parliament and it is expected to be in force in January 2019. The objective of the Secondary Use Act is to enable efficient and controlled access of data resources for legitimate exploitation, while maintaining the rights and privacy of the data subject. A central component of the law addresses the legal entity which will be in charge of granting usage permits for data users and of establishing and running the related processes. According to the bill the legal entity is the National Institute of Health and Welfare (THL), which may outsource the operational processes to be managed by an external organization, referred as “Service Operator”.
Similar trends as in Finland are seen in other countries. Centralized services for data are needed in order to exploit data efficiently. MIDAS and other international projects are in an important role in defining and developing technical components needed by the centralized services in processing data and converting it into useful information for the users. As the needs are similar throughout Europe it is important to create interoperable, reusable and scalable components. A good example is the standard-based metadata management solution which was originally developed for the Finnish Service Operator, but as open source solution could be adopted also for the needs of MIDAS [2].
References
[1] Data-driven precision medicine ecosystem – stakeholder needs and opportunities: https://cris.vtt.fi/en/publications/data-driven-precision-medicine-ecosystem-stakeholder-needs-and-op
[2] Isaacus metadata editor: https://github.com/Sitra-Isaacus/THL-Aineistoeditori