Foreign applicants for access to data

Some countries make no distinction between foreign and domestic applicants for secondary data use, subjecting both to the same set of rules. Nonetheless, many countries are reticent to approve foreign applications for access to data, due to the inability to impose sanctions on a foreign entity for non-compliance with legal requirements or with the requirements within their data sharing agreement. Some countries will not consider any foreign applications; some will consider only applications for access to de-identified personal health data; while others will consider the approval of the sharing of identifiable personal health data if there is a strong justification for the project.

Countries that may permit the sharing of health microdata with a foreign entity

In Europe, the European Directive 95/46 applies to countries of the European Economic Area (EEA), which includes all EU countries and Iceland, Liechtenstein and Norway. The directive enables the free movement of personal data in Europe and states that personal data can only be transferred to countries outside the European Union and the EEA when an adequate level of protection is guaranteed. With the EEA, all countries would have the same protection of privacy as was required by the directive. As a result, the European countries participating in this study have a clear and similar interpretation of data sharing requirements with foreign entities. Data may be shared if they are fully anonymised, such as aggregated data. If data are identifiable or de-identified but still carry a re-identification risk, then the data privacy protection legislation in the applicant’s country must be evaluated as providing adequate protection.

In the United Kingdom, for example, restrictions on data sharing with foreign entities are described in the Data Protection Act. This act requires that processing is only undertaken outside the European Economic Area (EEA) if there are guarantees of a satisfactory level of protection for personal data. Thus it is possible under law for approved sharing of identifiable personal health data. De-identified data can also be shared but a distinction is drawn between completely anonymised information and microdata that has had direct identifiers supressed but still carries a re-identification risk. Such data still require that the foreign country guarantees a satisfactory level of protection for personal health data.

Sweden provided a further caveat. In Sweden, while a foreign public authority may be approved access to de-identified microdata if they are under similar legislative protections to an EU or EEA country, further criteria for approval would be the interest of the Swedish state in the project proposed. It is preferred if the foreign authority can collaborate with a Swedish researcher so that access to microdata can take place within Sweden and only aggregated and non-confidential study results are shared with the foreign authority.

Multi-country projects that require data sharing are still rare in Switzerland and it can be difficult to judge if the legal framework of a non-European state is equivalent or not. Most multi-country projects are parallel studies where Swiss researchers analyse the Swiss data and report only non-confidential statistical results or aggregated data outside of the country.

Iceland indicated that the Data Protection Authority maintains a list of countries where data sharing is permissible and this list includes all countries following the European Directive 95/46. While most approved sharing involves anonymised or de-identified data, Iceland provided an example where the sharing of identifiable data was required. Nordic countries have a legal obligation to inform one another of the identity of health care professionals in receipt of a formal reprimand. The purpose of this requirement is to inform other health systems that may consider the individual for employment.

In Denmark, the sharing of de-identified data with a foreign applicant requires approval of the Data Protection Authority and can involve a signed agreement among the countries involved. For example, there is a signed agreement to a data sharing arrangement between Denmark and the European Union, Switzerland and Norway.