Report shows three ways out of the debilitating GDPR bureaucracy

A very restrictive interpretation of GDPR presents the biggest problem for Danish research, and we need to find a way of reducing the level of bureaucracy without sacrificing data security.

This was the warning last summer in an article in the Altinget media written by a number of clinical department heads, including Jørgen Frøkiær from the Department of Clinical Medicine at AU.

And now the solution to GDPR bureaucracy has possibly been found. At any rate, a report from the Danish Life Science Cluster, which is Denmark’s cluster for life science and welfare technology, has been published with a range of recommendations for a more frictionless use of health data in research.

The report was prepared by PWC, the law firm Poul Schmith/Kammeradvokaten and Jest Consulting, and includes a wide range of interviews with researchers and private stakeholders who have experienced the challenges associated with the use of health data.

One of the report’s conclusions is that the problem is not the EU's general data protection regulation GDPR. It is, as also stated in last summer's debate, the interpretation of the rules. Peder Jest, who is director of Jest Consulting and one of the authors of the report, explains.

"One of the biggest problems is that there is no uniform legal procedure in all regions and government agencies and institutions. In the regions, their legal experts take their respective regions into consideration, which is understandable, but which is also a barrier for researchers if the rules are interpreted too restrictively," he says.

Calls for authoritative guidelines

In addition to being director of Jest Consulting, Peder Jest was medical director at Odense University Hospital until 2020, and has many years of experience of innovation processes.

The solution to the problem is to create "authoritative guidelines" which can create clarity and uniformity in the area. And since no legislative changes are needed, it will be possible to do this relatively quickly, according to Peder Jest.

"Many of the challenges and frustrations that both researchers and private stakeholders face can be remedied with authoritative guidelines that will make the handling of health data more uniform," he says.

New guidelines on the way?

The work to develop more uniform guidelines has already begun. The Danish Data Protection Agency has begun a dialogue with the Ministry of Health to formulate new “advisory texts” on research and health data.

However, according to the analysis, it is not only the interpretation of GDPR which leads to problems for researchers and companies.

Two additional issues for the use of health data are:

• What are experienced as complicated and drawn-out administrative processes for approval of the use of health data. The analysis recommends considering changes in the organisation of the competence to approve applications.
• Some challenges are assessed as being due to actual legal limitations because legislation in some areas has not followed technological developments. The analysis recommends taking a closer look at the current legislation in two specific areas.

Minister for Health Magnus Heunicke (S) will consider the recommendations in the report. In connection with the publication of the report, he says in a press release:

"It is crucial that we ensure the greatest possible clarity regarding the applicable rules for the use of health data, so that we can utilise the new opportunities and, at the same time, ensure a high level of protection of Danish health data".

A brief history:

11 August 2021: Department Head at the Department of Clinical Medicine Jørgen Frøkiær together with the heads of Denmark’s three clinical medicine departments writes an article in the Danish news media Altinget under the heading ”Ledere af kliniske institutter: GDPR-bureaukrati truer Danmarks status som forskningsnation” (“Heads of clinical departments: GDPR bureaucracy threatens Denmark’s status as a research nation”). The article explains how both national and international research collaborations come to a standstill due to contradictory interpretations of the Danish Data Protection Act and the European General Data Protection Regulation (GDPR).

12 August 2021: The Danish Parliament's health committee introduces question no. 1554 for the Minister of Health: "Will the minister address the concerns raised in the article ”Ledere af kliniske institutter: GDPR-bureaukrati truer Danmarks status som forskningsnation” from Altinget on 11 August 2021? The question was asked at the request of Stinus Lindgreen (Danish Social Liberal Party).

9 September 2021: Minister for Health Magnus Heunicke replies to question 1554. The reply states that the Ministry of Health has now entered into a collaboration with the Danish Data Protection Agency on a number of guideline texts with a view to more specific and targeted guidance for the research area.

19 November 2021: Acting Dean Hans Erik Bøtker participates in a meeting of the Danish Management Forum for Medical Health Research. The forum discusses work on a new legal working group for health science research, which aims to resolve the legal barriers experienced by researchers. The chairmanship is shared between the Dean of Health Lars Hvilsted Rasmussen (Alborg University) and Medical Director Kim Brixen (Odense University Hospital). The working group aims to help ensure uniform interpretation of current legislation among the regions and the universities and thereby a clarification of the framework for the common working position. Dean Anne-Mette Hvas has now joined the Management Forum for Medical Health Research, which follows the group's work closely.

10 December 2021: The Danish Parliament's Committee on Education and Research introduces question no. 50: “What are the minister's comments to the clinical department heads’ appeal in Altinget on 23 August 2021, where they predict that ‘major research projects will stop, millions will have to be returned to the foundations etc.’", because the interpretation of the GDPR and the wish for data security have become a monster that ‘is without comparison the biggest problem for Danish research, including the life science initiative and register-based research?’" The question was asked at the request of Bertel Haarder (Danish Liberal Party).

21 December 2021: Minister of Justice Nick Hækkerup replies to question 50. The reply states that "it is considered appropriate to review the overall legislation in the area. Therefore, an initiative will be taken to establish an inter-ministerial working group that can look at the legislation in the area with the involvement of the Danish Data Protection Agency, among others."

13. January 2022: Altinget follows up with the article Nye retningslinjer for forskeres brug af data trækker ud: ”Det haster voldsomt med at finde en løsning" (“New guidelines for researchers’ use of data is dragging on; Finding a solution is very urgent”—which, among other things, includes interviews with Department Head Jørgen Frøkiær and Professor, Department Chair in Clinical Epidemiology at Aarhus University Henrik Toft Sørensen. 

January 2022: The Ministry of Justice begins the first meetings in a new cross-ministerial working group (with the Ministry of Health, the Ministry of Higher Education and Science, the Ministry of Interior and Housing, and the Danish Data Protection Agency), which is charged with looking into the legislation in the research area. The meetings of the new working group will likely have significance for the Danish Data Protection Agency's ongoing work with guidelines in the area.

February 2022: The Danish Life Science Cluster publishes its "Analysis of the legal frameworks for the use of health data for research and innovative solutions". The analysis includes three recommendations for how to remedy the challenges in the area.

In addition, a number of other initiatives are also underway. These include the Danish Comprehensive Cancer Center’s (DCCC) board appointing a cross-regional group of legal experts in 2020, with the objective of ensuring a common interpretation among the regions and universities regarding the rules for how to place responsibility for data in a research project. As part of its work, the group has looked into the question of when research collaborations should be based on a data processing agreement, and when collaborations should be based on a collaboration agreement between joint controllers. The group is expected to conclude its work in January 2022.