The dispute over the use of citizens’ health data for comparatively vague research purposes is in full swing. In Germany, ex-Federal Health Minister Jens Spahn (CDU) pushed through the Digital Supply Act (DVG) in 2019 against the resistance of medical groups, data and patient protection groups, civil rights activists and IT experts. Sensitive health data of all around 73 million people with statutory health insurance are to be transmitted in pseudonymised form to the Central Association of Statutory Health Insurance (GKV) and to the Research Data Center (FDZ), without those affected being able to object.
Frontal attack on informational self-determination
Critics have long suspected that the initiative was a “frontal attack” on the basic right of informational self-determination. In the spring of 2022, Constanze Kurz, spokeswoman for the Chaos Computer Club (CCC), and a patient suffering from a rare blood-clotting disease filed a lawsuit against the disclosure of their information such as diagnoses, sick leave, age, gender and place of residence by their health insurance companies to the GKV. They are supported by the Society for Freedom Rights (GFF), which coordinates both procedures.
The Berlin Social Court first heard Kurz’s lawsuit in October. The presiding judge Michael Kanert raised fundamental questions. He wants to clarify whether the purposes pursued by the legislature can also be achieved with limited data in decentralized storage, consent or the possibility of objection without any significant reductions in terms of the representativeness of the research results.
The cryptologist Dominique Schröder from the University of Erlangen-Nuremberg assumes this. At a hearing on the DVG, he had already demanded that calculations at the FDZ “only be carried out on encrypted data”. In view of the state of the art, a patient can easily release each individual processing via an app.
Lack of legal basis
“The whole procedure is designed in such a way that it has a structural security problem,” said Mainz constitutional lawyer Matthias Bäcker on the second day of the hearing in February. He represents Kurz as a lawyer. There is no adequate legal basis for processing the data in the FDZ. The transfer is therefore “not necessary”. The lawyer’s main objection to the planned centralized model was that it “inevitably leads to an increase in the security risk”. According to the specification, the data is once with the health insurance companies, but would then also be “published centrally elsewhere”. This leads to an “addition” of the dangers of cyber attacks.
According to Bäcker, however, research activities on decentralized data only held at the cash registers have the advantage that scientists can select instruments from the toolbox of current protection methods such as differential privacy. This means that the data is minimally noisy. The FDZ would thus become a “hub instead of a data dump”.
From the point of view of the German Network for Health Services Research (DNVF), however, the decentralized approach is ruled out. A restriction of the legally defined amount of data “would have significant negative effects on medical-scientific research and thus, in the future, on the German health system and medical care” of current and future patients. Restrictions, for example, “due to impractical encryption technologies or decentralization” of the FDZ inventory would be linked to great disadvantages for the citizens.
Data of persons with statutory health insurance at the research data center
The GVK-Spitzenverband, which serves as a collection point, has so far transmitted all of the health data from 2019 to the FDZ. Those from 2020 and 2021 are ready and should actually have already been transferred, but when setting up the infrastructure for data evaluation in secure virtual rooms, the center located at the Federal Institute for Drugs and Medical Devices (BfArM) suffered a setback, according to its head Steffen Hess: A problem with an external service provider led to delays.
The FDZ has been able to prepare for its function as a hub since 2019 with a smaller, pseudonymised data set. According to Hess, there were around 30 to 40 access applications from scientists. “So far, the interest in using the data provided by the research data center has been limited,” the authors of a study published in March know Study on data mining of the Office for Technology Assessment at the Bundestag. One reason is the delay of several years until the information is fed in, another is the narrow limits of access options. For example, medical device manufacturers have so far only been able to use the relevant data in cooperation with public research institutions, for example to train algorithmic systems.
What is missing: In the fast-paced world of technology, there is often the time to re-sort all the news and background information. At the weekend we want to take it, follow the side paths away from the current, try different perspectives and make nuances audible.
With the DGV and the expansion of the electronic patient file (ePA), which Federal Minister of Health Karl Lauterbach (SPD) is planning, interest in the FDZ is likely to increase. Great hopes were already attached to the ePA to bring together a wide range of health-related data, above all from treatment contexts, and to organize consent management for their forwarding for research purposes. According to the TAB researchers, the file has “particular data mining potential” that, in addition to the medical treatment data, the information stored by the health insurance companies and, in the future, “individually collected vital data on a personal basis” could also be collected.
