Treatment of foreign applicants by Non-European countries

Similar to Europe, Israel will consider foreign applicants from countries within the European Union or whose data protection legislations are similar to those of the European Union. New Zealand will also consider foreign applications for access to data where the country’s privacy legislation offers equivalent protections to that of New Zealand.

Further, New Zealand shared two examples where it was necessary to arrange for the sharing of identifiable personal health data across borders. First, there was a need for New Zealand data holders to be able to access cloud computing services offered by service providers in Australia and vice versa. To enable the sharing of cloud computing service providers for the processing of identifiable personal health data, New Zealand and Australia developed cloud computing guidelines which impose the same requirements for data security and protection on organisations in both countries. Second, there has been the need to share identifiable data for cancer research, as there is high population mobility between Australia and New Zealand, as well as cross-border care seeking. For such research to be approved there must be significant benefits of the research results for New Zealand and the requesting researcher must have the informed consent of the data subjects.

In the United States, there is no distinction under HIPAA for foreign entities requesting access to data. Foreign researchers can apply for and receive access to identifiable microdata. Such a disclosure requires the approval of a research ethics board as it would for any domestic applicant. Disclosures may, however, be prohibited by policy.

In the United States, in the past, a foreigner could apply for access to de-identified microdata within the NCHS Andre secure remote data access system. However, this practice ended when the Confidential Information Protection and Statistical Efficiency Act (CIPSEA) entered into force in 2011. This law applies to all statistical agencies and statistical units at the federal level and it requires them to supervise and control the use of the data they hold. The interpretation of the law was that access to data by foreigners via Andre might not constitute sufficient supervision and control. Foreign applicants remain welcome to follow the same approval process as domestic applicants, but they can only be granted access to data within the Research Data Centres. Similarly, the AHRQ also offers foreign applicants access to de-identified microdata within its facility only.

In Canada, disclosure of de-identified health data are subject to any applicable jurisdictional legislative requirements under which the data were collected originally. CIHI may disclose de-identified data to recipients located outside of Canada except where prohibited by law or by agreement. All disclosures must be reviewed internally by CIHI and approved by CIHI’s President and CEO. In some cases, approval from the appropriate Ministry of Health may also be required. Given the additional risk associated with providing data outside the country, it may be necessary to provide further data treatment to reduce re-identification risk, such as less geographic level. The data disclosure agreement and associated data security obligations would be the same as for a domestic applicant.

The principle in Korea is to be restrictive on the approval of access to de-identified data from foreign applicants. Data related to the medical services received in Korea is viewed as too sensitive to be shared outside of the country. However, it may be possible to approve the sharing of a sample of the population. In general, the data would only be shared with a foreign government or international organisation when required by treaty or another international agreement.

Legislation in Singapore protects patients in Singapore. If data subjects have provided consent, then it is clear that data sharing with a foreign entity could be approved. The concern is how a data breach in a foreign country would be addressed. In cases where there is not consent of data subjects, it may be possible to share anonymised data, but the concern is how the terms of the data sharing agreement with a foreign entity could be enforced. This is not a clearly defined area and decisions on project approval involving foreign entities is determined on a case by case basis and depends on the risk of re-identification and the protections of the security of the data that would be in place.