OUP user menu

Harmonization may be counterproductive—at least for parts of Europe where public health research operates effectively

Timo Hakulinen, Marc Arbyn, David H. Brewster, Jan Willem Coebergh, Michel P. Coleman, Emanuele Crocetti, David Forman, Mika Gissler, Alexander Katalinic, Tapio Luostarinen, Eero Pukkala, Mati Rahu, Hans Storm, Reijo Sund, Sven Törnberg, Laufey Tryggvadottir
DOI: http://dx.doi.org/10.1093/eurpub/ckr149 686-687 First published online: 11 November 2011

Carinci et al. suggest that harmonization of data protection procedures between all EU Member States regarding research with patient data should be emphasized in the current proposal to update the European Union Data Protection directive (EU 95/46/EC),1 in order to facilitate optimal public health research that is executed with the highest standards of confidentiality. According to these authors, the exemptions to the strict requirements for consent that are provided for certain types of research by the current data protection directive2 have not been sufficiently or uniformly implemented by national legislatures. They see harmonization as a way to improve the situation in countries where that implementation is inadequate.

We can agree that there are marked differences in the implementation of the Directive with respect to the use of patient data for health research. Some Member States have implemented the Directive very restrictively, others have left much more room for public health research, mainly based on articles 8.4 and 11.2 of the Directive. However, ‘harmonization’ can go two ways. The type of harmonization that Carinci et al. propose would substantially worsen the conditions for public health research in those countries where the conditions are currently the best in Europe, especially the Nordic countries. One may consider it natural that in a compromise, as the proposition by Carinci et al. is intended to be, some countries will gain and others lose. But this view is not acceptable when the proposal produces no definable gain in data security but a predictable increase in the difficulty of performing public health research—for which there is also strong public support.3,4

Currently, national legislatures in the Nordic countries do not always require separate approval from an ethical committee or a competent privacy protection board for record-linkage research between registers. Trusted third parties are not used at all, and the so-called privacy-enhancing technologies (e.g. encrypting) are only utilized to a limited extent. On the contrary, adequate national legislation already enables, indeed facilitates, all types of public health research without requiring any of the conditions that Carinci et al. now suggest as desirable for all European countries. During the many decades of record-linkage and other register-based research in the Nordic countries, which has made a huge contribution to knowledge and to public health policy, no problems or breaches of privacy protection—in the sense that individual patient data would become known to unauthorized third parties—have emerged. Carinci et al. propose technical solutions for which there is little evidence of efficacy in order to solve a problem that exists in theory, but not in practice.

Carinci et al. focus strongly on ‘public health monitoring and privacy-enhancing technologies’ in their argument, leading to anonymized data for such monitoring. In that case, however, there would be no need to use research exemptions to the principle of consent, because anonymized data are not subject to the consent principle. For monitoring, the use of anonymized data will usually be sufficient. However, for epidemiological research designed to investigate more intricate interactions between exposure, lifestyle, preventive interventions, treatment and outcomes, neither anonymized nor pseudonymized data are sufficient for the individual-level data linkages that are required for that kind of research. It must remain possible to correct errors or update the data, for example to estimate survival many years after the diagnosis: that is not possible unless the identifiers are retained.

Implementation of the suggestions by Carinci et al. would lead to a further increase in bureaucracy, increased costs and reduced quality of public health research, both in the Nordic countries and in other countries with advanced register-based health information systems. They would also cause substantial delay: merely creating the data set for one such study in the UK has required almost 4 years. There are also other examples of problems.5

If their proposal were implemented, there would no longer be any part of Europe where epidemiological studies could be conducted in a reliable, unbiased, rapid and efficient manner and at low cost. The results of these studies have often been directly generalizable to other countries where this kind of optimal research is still not possible. A regulation that does more harm than good is itself unethical.6

‘Harmonization’, however desirable it may be in principle, should not become a policy goal in its own right. Unless and until the European Directive can be transformed into an instrument that explicitly facilitates public health research, the best existing research frameworks must be protected by allowing national exemptions from the principles of the Directive on explicit consent of the data subject when public health research based on individual data is carried out.

References