Key points
- Health data can drive better outcomes and support patient safety
- Total anonymisation would make secondary use of device or research data impossible
- MedTech Europe has developed a framework that balances data protection with data-driven opportunities by helping companies analyse re-identification risks
We live in an increasingly data-driven world. Innovative medical technology companies are developing a growing range of connected devices with the potential to improve people’s lives. As Europe prepares for the era of the European Health Data Space, protecting users’ information is essential to maintaining trust. That is why companies must invest time, energy and resources in robust data systems.
The European Federation of Pharmaceutical Industries and Associations (EFPIA), representing the innovative medicines industry, has explored this in a thought-provoking article. It highlights several challenges arising from the anonymisation of patient-level data. Many of these apply to medical technology, but there are also additional sector-specific issues for medical technology companies, particularly when it comes to connected devices.
Data-driven insights
To understand how health data is collected and used by medical technology devices, consider a hypothetical wearable product designed for people with diabetes. Perhaps it measures blood glucose, blood pressure, heart rate and oxygen levels. The data may be used to determine how much insulin the device should give to the user.
It may also connect to a smartphone app which provides useful information on, for example, blood sugar levels. The patient can use these insights to adapt their diet or lifestyle. And the app could connect with the user’s healthcare team to allow remote monitoring or inform decisions about care.
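To picture what patient-level data means here, consider what a single reading from such a device might look like. The sketch below is purely hypothetical Python; the field names, units and structure are invented for illustration and do not describe any real product.

```python
from dataclasses import dataclass
from datetime import datetime

# A purely hypothetical reading from the wearable described above.
# All field names and units are invented for illustration.
@dataclass
class GlucoseMonitorReading:
    patient_id: str            # direct identifier linking the data to a person
    taken_at: datetime         # timestamp of the measurement
    glucose_mmol_l: float      # blood glucose
    systolic_mmhg: int         # blood pressure (systolic)
    heart_rate_bpm: int        # heart rate
    spo2_pct: float            # blood oxygen saturation
    insulin_dose_units: float  # dose the device decided to deliver
```

It is the combination of a direct identifier with sensitive health measurements that makes a record like this personal data in the first place.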
This type of connected device and app can improve lives by making care more dynamic and responsive. It allows health professionals to spot problems even when their patient is not sitting in the clinic. And it gives patients the peace of mind of knowing that they will be warned if something is not right, so they can immediately reach out for advice.
There is also potential to use data for additional purposes. Secondary use of data refers to the use of information for purposes other than the original reason for its collection. This can help to improve the device or to identify and solve problems affecting the wider diabetes community. For example, by analysing large datasets, scientists can study how patients respond to treatment, or pinpoint trends in specific demographic subgroups. This can inform a more customised, patient-centric approach to care.
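As a rough illustration of what such a secondary analysis can look like, here is a short Python sketch that aggregates a made-up, de-identified dataset by age band. The field names and values are invented for this post; a real study would involve far larger datasets and proper statistical methods.

```python
from statistics import mean

# Hypothetical, de-identified records from a wearable glucose monitor.
# "Time in range" is the share of time glucose stays within target.
records = [
    {"age_band": "40-49", "time_in_range_pct": 72.0},
    {"age_band": "40-49", "time_in_range_pct": 65.5},
    {"age_band": "70-79", "time_in_range_pct": 58.0},
    {"age_band": "70-79", "time_in_range_pct": 61.2},
    # ...in practice, many thousands of records
]

# Aggregate a clinical outcome by demographic subgroup to surface
# trends, e.g. whether older cohorts are being managed less well.
by_band: dict[str, list[float]] = {}
for r in records:
    by_band.setdefault(r["age_band"], []).append(r["time_in_range_pct"])

for band, values in sorted(by_band.items()):
    print(f"age {band}: mean time-in-range {mean(values):.1f}% (n={len(values)})")
```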
Using large datasets in this way is also critical to reducing potential bias in patient management, expanding access to underserved populations, and supporting efficient data-driven approaches to monitoring, regulatory and reimbursement decisions.
Striking a balance
As a data scientist with a keen interest in privacy and the de-identification of health information, I see that all healthcare stakeholders, including the medical technology industry, at times struggle to balance the potential benefits of data with their legal responsibilities. Medical technology companies generate data not only to support compliance with safety rules (i.e. the MDR/IVDR) and reimbursement, but also – as in the example above – through the everyday use of their devices.
This differentiates medical technology companies from pharmaceutical companies, which mostly gather data in clinical trials (before the product is approved) and actively collect post-marketing safety information (after approval), but not as part of the normal functioning of the product. To put it simply, a drug does not collect and use data the way a wearable diabetes monitor does.
Under EU law (notably the GDPR), we all have a right to have our personal data protected: if we share personal data with a company’s health app, that information may only be used for the purposes for which it was collected, and for secondary purposes only to the extent that they are compatible with those initial purposes.
One question that I often get asked is why companies would go to the trouble of de-identification rather than ‘simply’ removing all personal data. The answer is that removing all personal data would leave the device data with almost no value: companies could not use it for any secondary purpose – for example, to monitor and improve the performance and safety of devices. And it would prevent researchers from leveraging large datasets to study, for example, how well certain age cohorts or people with particular co-morbidities are being managed.
The suggested way to enable companies to use this data for secondary purposes is to reduce the risks of re-identification in a way that does not destroy the usability of the data. This can be achieved by de-identifying the data, often via a combination of anonymisation and pseudonymisation techniques. While full anonymisation is neither practically achievable nor desirable, de-identification offers a risk-based approach that preserves the utility of the datasets while still protecting the privacy of the individuals concerned.
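To make this concrete, here is a minimal Python sketch of what a combination of pseudonymisation and generalisation might look like, together with a simple k-anonymity-style risk check. Everything in it – the key handling, field names and the 1/k risk measure – is an illustrative assumption, not MedTech Europe’s Framework or any company’s actual practice.

```python
import hashlib
import hmac

SECRET_KEY = b"store-me-in-a-key-vault"  # hypothetical key, held separately from the data

def pseudonymise(patient_id: str) -> str:
    """Replace a direct identifier with a keyed hash. Only whoever
    holds the key can link the pseudonym back to the person."""
    return hmac.new(SECRET_KEY, patient_id.encode(), hashlib.sha256).hexdigest()[:16]

def generalise_age(age: int) -> str:
    """Coarsen a quasi-identifier: exact age -> ten-year band."""
    low = (age // 10) * 10
    return f"{low}-{low + 9}"

def worst_case_risk(records: list[dict]) -> float:
    """k-anonymity-style check: the worst-case chance of singling
    someone out is 1/k for the smallest quasi-identifier group."""
    groups: dict[tuple, int] = {}
    for r in records:
        key = (r["age_band"], r["postcode_area"])
        groups[key] = groups.get(key, 0) + 1
    return 1 / min(groups.values())

records = [
    {"pid": pseudonymise("patient-12345"), "age_band": generalise_age(47), "postcode_area": "SW1"},
    {"pid": pseudonymise("patient-67890"), "age_band": generalise_age(44), "postcode_area": "SW1"},
]
print(f"worst-case re-identification risk: {worst_case_risk(records):.0%}")
```

Note that even after these steps the worst-case risk is 1/k, not zero – which is exactly the point about risk reduction, rather than risk elimination, made below.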
Implementing a robust framework
For several months, I have been working with MedTech Europe and a diverse array of member companies to help them navigate a course towards good data de-identification practices. In this complex task, we are supported by MedTech Europe’s Operational Framework which, if implemented carefully, helps companies manage data risks in a practical and pragmatic way.
While helping companies apply the Framework, I have developed an even deeper appreciation of the varied and complex challenges medical technology companies are grappling with. These can be confronted by taking a careful and considered approach that reduces the risk of a patient being identified by a third party.
However, it is also important to have an open conversation about these issues. In driving down the risk of re-identification as close as possible to zero, we must acknowledge, as did several data protection authorities[1], that it is not practically feasible to entirely eliminate all risk. Certainly, if we wish to unlock the potential of big data to improve the performance and safety of medical devices or to identify population-level trends that improve the lives of patients, we cannot live in a zero-risk world.
It is also clear to me that this tension between absolute data protection and a new era of opportunities in health informatics will become more acute as new EU legislation comes over the horizon.
With the AI Act and the European Health Data Space coming into view, we must embark on a full and frank conversation about what we want from health data – and how we can achieve this together.
[1] See Roundtable of G7 Data Protection and Privacy Authorities of 11 October 2024, “Reducing identifiability in cross-national perspective”.