Codes of practice
Health data users need to adopt strict codes of practice that comply with the GDPR. Codes of practice can also ensure that the purposes for which data are used meet the following criteria:
they have a legal basis
they are in society’s interests
they are ethical.
Patients expect health data users to use the data only for the purposes that are permitted.
Policies and rules for data users
Health data users define policies and rules that their staff have to follow when they use data about people, whether the data are anonymised or more personally identifiable. Several European initiatives have also defined codes of practice that can be adopted as a standard by multiple organisations across Europe, so that participating organisations follow the same or very similar rules. Such shared data protection and security practices are needed when organisations undertake collaborative research, which is increasingly common.
These codes of practice, policies and rules generally cover the following areas, although many more rules are often included.
Purpose of use: the health data user must only permit its staff to use data for purposes that have been approved, such as a particular area of research.
Legal basis: the health data user must check that its planned use of the data rests on one of the legal bases for data use defined by the GDPR. (This is not required if the data have been anonymised.)
Permissions: if the data have come from another source, the data user must also confirm that it has permission from the source to use the data for the planned activity. This might include approval from a research ethics committee.
Data handling: the data user must agree with the data source how it will safeguard the data it accesses or receives, whether it is permitted to share the data with other collaborating organisations, and whether its copy of the data must be destroyed soon after the activity has been completed.
Research results: the organisation must have stated how it plans to use the research results, and whether they will be published or used to develop or improve a healthcare product or service.
Data protection: the organisation and its staff must have policies in place and appointed officers who are responsible for data protection and for investigating any issues that arise with the way the data are used.