Hello and welcome to the SHE esearch podcast. I'm your host. Diego Silva, Before introducing our guests, I want to acknowledge that I'm recording on the unceded Gadigal country. This is and willcontinue to be Aboriginal land. I pay my respects to those who have and continue to care for country. Today, I'm joined by Vittoria Porta, the doctoral candidate with the Ethox Centre at the University of Oxford. We're going to be discussing her paper titled 'A qualitative comparison of data infrastructure for COVID-19: Health-related data lessons for the European Health Data Space' which was published in the Journal of Policy Studies. Vittoria, welcome.
Hello, thank you. Thank you for inviting me today.
My absolute pleasure. To get us started, I was hoping you could tell us a little bit about the main findings and argument of the paper?
Yes, absolutely. So just to start, I would like to acknowledge that this paper is funded, and it has been like, produced in collaboration with the IEO, which is the European Institute for Oncology based in Milan, and Ethox, of course, where I'm studying, I'm doing my PhD at the moment, and together with also colleagues from four different European countries. So we had many colleagues that help us in doing this amazing work. And yeah, the paper is very big empirical work that we did, trying to tackle the data infrastructure that manage the health-related data collected during the pandemic, and the findings and what we trying to give to the public and well, basically based on, tackle the challenges and the opportunities that we can, that they emerge from the new European Health Data Space regulation. That is a regulation that has been approved by the European Commission in 2024 and we try to yes, tackle these challenges and opportunities. So in just like very few words, we'll be trying to tackle was the data access procedure and the data access mechanism that is very different between all these state infrastructure in these four different European countries. Namely, they are United Kingdom, which, I mean, is a bit controversial because it's not exactly in the European Union anymore, but is jointly and is strictly related to both the European Health Data Space and also because of geographical reason, and we have Italy and we have Denmark and Sweden. So the yeah, first of all, we have this very diverse data access procedure across all the European countries. And then, of course, we trying to tackle, now that the status quo is that different data access provision for corporate actors across countries, most of the data infrastructure are embedded in singularities and in their context. Okay, so, and the European Health Data Space is basically strive to standardise the procedure across all the countries. So this might disappear at some point. And of course, there's like at the status quo, a lack of ethics oversight in some countries, and this was something that we will we were able to see during the pandemic, especially. So tackling the COVID-19 data and, yeah, so these are, like the challenges and the status quo we're trying to map. And of course, the opportunities that the European Health Data Space in some way try to offer us is to, of course, streamline the access to the health data in Europe and the access of them. And then, of course, they, they try to facilitate the international access to all the singular health data in different countries by a variety of actors. So basically, the European Health Data Space is trying to give the opportunity to access all these data, right, in a kind of free way, in both, both like economically, and without, of course, all the data access barriers. But there are some challenges due to the status quo. So basically, since we have all this fragmentation in different countries because of the procedure that are now in place. For example, we, the European data space needs to restructure and reorganise completely the governance of the health data in Europe, and this can be costly and administratively very complex and well, of course, we don't also know how they they envisage to put all together different type of data that needs to be standardised at some point. So there are also technological challenges, so technical and technological challenges. If we think about the context where these infrastructure grows, of course, we might see some loss of local expertise and contextual expertise, because some of the infrastructure have been built in ages, and in those countries, they know how to collect the data, how to also establish the mechanism of collecting these data, so this might be lost at some point. And for the last point, the one that, of course, provide the access to different type of actors, such as Big Tech companies or private companies. Of course, these can be a challenge in terms of the unlimited data access to Big Tech corporation, which is sometimes we need to be careful on this when we talk about health data.
So you mentioned the European Health Data Space. I was wondering if you could just touch a little bit about what that actually is?
Yes. So the European Health Data Space is a regulation which is one of, like, the most important, like quoting, most important act that the European Commission can enact. So it means that this is a law that is going to be binding to all the European countries without, like, is going to be straightforwardly applied to all the European countries. And this is a regulation that has been proposed in 2022 and finally approved in 2024 and is going to change completely the rules on how we manage our health data. So this comes from an already history of legislation that the European Union tried to of course, it started regulating the data in general, personal data in general, with the GDPR, but now they're focusing on the health data, and is basically aiming at standardise and let everyone be aware of sharing their own health data for innovation and to improve quality and of care across all Europe, and is basically divided into two main parts, which is one is the primary access of data, so the one that you are giving to your doctor, and your doctor is able to see your data and gives you advice, as you can also like refer to another doctor, which is in another country, and they will be able to access your data. And the secondary use of data, which is the most sometimes controversial, is the one that you are not as a citizens, you're not in some way in control of the data, because the data will be reused for other purposes, such as innovation or research or something. So this is a secondary use, and this is the one use that we are focusing on in this paper.
So I wanted to follow up on a couple of points that you made in the paper, because I thought it was really interesting. I've said this before in another podcast, but I think one of the things I really enjoy about doing this is I get to learn about different people's projects that I wouldn't otherwise come across. There was something in particular around research ethics that I wanted to touch on. But before asking you the question about research ethics committees, I wanted to figure out a little bit more about research ethics committees in Europe. Could you describe what roles research ethics committees have in regards to reviewing protocols and what their legal rights and responsibilities are, and what oversight responsibilities they might have?
Yes, the research ethics committees in Europe, as far as I know, they are seen as oversight, kind of committees that they help in reviewing, especially clinical trials or experiments that requires, like, more oversight because of the use of personal data. When we talk about also personal data, there needs to be a differentiation, because not all the person's data are the same, and we have the GDPR that especially put some more attention into what, what are the health data. But also between health data, we have differentiation, because there are some health data that are particularly sensible, like the genomic data, for example, and all the legislation around like genomic data. So the ethics committee needs to oversight on this, and requires to be basically, yes, some independent body that helps to look at what, what is ethical or not, and especially for clinical trials, and especially for, yes, this type of more sensible kind of experiments. The problem ism I mean the problem, I'm starting like saying the problem because they are based on the national law. So there, there is not, for now, a unique law that regulates this kind of ethics committee. So we have some countries that have a specific national law and a specific role for this committee, while in other countries, there is no specific role so health specific law. So this means that the oversight of these committees changes a lot across countries and is very left to each member state.
Yeah, that's actually one of the... so I'm glad I asked that sort of preparatory question, as it were, kind of preliminary question, because that was exactly the sort of thing I was interested in. You mentioned at the beginning as well that one of the things that came out in your study is just the piecemeal way that the that the, that the platform is going to be sort of implemented and some of the struggles around what that might look like, sort of positives and negatives. So with regards to the research ethics committees, what role can it realistically be asked to play when it comes to helping regulate access to data within the European Health Data Space law and regulations and what role do you think they should play, at least in an ideal world?
Yes, and this is a very interesting question, because of two things. Firstly, the European Health Data Space regulation is really long piece of regulation. Okay, so it's made up of a lot of articles, and unfortunately, the word 'ethics' or 'ethics committee' doesn't really come up very frequently. So we don't really have an article that states, oh, this is going to be the role of the research ethics committee, unfortunately. So realistically, what we can imagine as role of this committee is in helping reviewing the data access request, together with a body which is called the Health Data Access Body, and this is a new feature of the European Health Data Space. So each member states needs to appoint a Health Data Access Body which is going to basically managing all the requests of accessing the data, and will also decide where to give the data or not, depends on who is asking for them. So realistically, since we don't really have an article that says this is going to be like the work of the ethics committee, we can imagine that they're going to help in reviewing the data access request, especially when the data could indirectly re-identifying individuals or impact some vulnerable groups, we can probably see that they're going to like ensure alignment with some broad ethical standards and the public interest in accessing these data and be as a tool that the Health Data Access Bodies can use when they are in doubt about some requests, basically. So, they will also like maybe assess some ethical justification of proposed secondary use, for example, because, of course, like in the European Health Data Space regulation, we have the allowed use and reuse of data and something that is not allowed, but of course, they are broad category, so they might be asked to review some of the purposes at some point by these, these Health Data Access Bodies. But unfortunately, we don't have an article that, yeah, states their role.
It's interesting, the every time you make a law, it strikes me that there's always something that either couldn't have been imagined or you could have imagined, but it was just too difficult to sort of get the wording right and get agreement to one, especially in a Pan-European situation, I would imagine that that includes part of the research ethics bit. I want to switch gears a little bit, but kind of picking up on just the complexity of law-making and the ethical ramifications of that. So you mentioned that in the paper that the European Health Data Space, I think you actually mentioned it as well a moment ago, came into effect in 2024 and in part, it as a response to COVID-19. So since then, of course, there's been a lot of changes in the geopolitical landscape, I would say, in Europe, for a number of reasons, not least of which is a growing sentiment to separate from the US and the American infrastructure, the decimation to the budgets of the World Health Organisation and global health organisations that might affect data sharing, should or when another pandemic occurs. At the same time, we are seeing some successes in the last few months. So the Pandemic Accord was agreed to, and it's going to go to the World Health Assembly shortly this month. We're recording prior to the to the Assembly, so it'll go for ratification. So my question is, has the last three or four months changed some of those social or local values that you spoke of and the practices therein that will be vital to the success of the European Health Data Space?
This is a very complex and interesting question. I mean, I'm gonna express my own opinion on this. First, what I want to tell you is not only the three, four last month that will change the European Health Data Space, you know, imagination, but the timeline of implementation of these regulation is more than 10 years. So they have already stated that it's going to take 10 to 12 years to implement these regulations, and this is already a sign that European Union is trying to make a law and try to regulate on something that is quickly changing, and the choices that they're making today, or they had already made last year, they're gonna impact the next, like 15 years, or at least 10 years. And this is already something that, for me, is a bit worrisome, because, as things are changing so quickly, how we can envisage something for the next 10 years, and they will probably make make some other changes or amendments. But what has been decided in 2024 is going to be like this for the next years. It's already decided. So we will see some changes, of course, in the implementation of the regulation, also because they need to set up enormous changes in all the data infrastructure. So technologically is going to be massive, but also, like technologically and technically, it's going to be something that will impact all the countries. But for me, speaking on the last three, four months' events, I think we will see again, like some Europe's commitment to building a bit of more secure and independent kind of health data system. So in this moment of instability, we want to be sure that our system is going to be long lasting. And they always have this idea of interoperation and interoperability between, you know, the Europe, the European countries, and other countries. But they want to be secure that they're going to make their own infrastructure that is secure, that is GDPR compliant, and everyone else must, in some way, adapt to this. I think at the beginning, was more on global view of interoperability, while now maybe is more on strengthen our regional governance of of data. So yes, they are leaving the door open to everyone who wants to comply with this regulation. And this is a bit of, you know, the Brussels effect. So European Union starts doing something, and everyone else, in some way, adapt this. This will happen with the GDPR. So a lot of countries then basically copy and paste the regulation to, you know, for their own data protection law to be compliant with what the European Union was proposing. So I would say, I'm a bit in the middle. I can see the willingness to open and to try to collaborate and to be, and the interoperability needs to be one of the most important thing. But on the other side, I would say that be more secure on our own regional infrastructure that then can talk to all the other people.
So I think your answer to the previous question kind of prompted me to think a little bit about trust. What role does trust play as a value for Europeans in the sharing of health data across European borders? So you mentioned, some countries have sort of more expertise and technical ability than others. There's going to be the need to harmonise to ensure that interoperability. But there's also sort of, you know, long standing beliefs about trust between different countries and the safety and security of that data, as you mentioned a moment ago, being so important. Does that factor in at all into some of the questions and debates about how this is all going to function in reality?
I mean, I think public trust will be essential. I think the European Union at this point where they have already made the regulation they now need to bring the public inside of the process. Otherwise this all envisaged kind of system will fall. Okay, so first of all, something that is really interesting is that there is an opt-out method in this system. So it's not an opt-in. And European citizens, if they don't want to take part into this, they will need to step outside, raising their hands. The European Health Data Space has not been really advertised in the next years, I mean, to the public. So there's not been really discussion, not even in the social media and in the newspapers. We have some countries, especially the Nordic country, the one that has, like, a long history of managing health data publicly and, you know, they they have already their infrastructure set up for, for, for this kind of, you know, this kind of thing. And they have already in their website, European Health Data Space implementation. You can check it out for all the news, but in other countries, is completely forgotten. So the citizens are not super aware of what is going on and what will be the future for for this, so I think the European Union now must advertise and inform the public to obtain their trust, because is yeah, is essential because we are talking about data that are absolutely sensible and needs to be treated with a lot of regard. But personally, I am not very confident that this will happen, not at least in the very short future. We might see it at the very end, when the implementation is set up, and then, yes, we will bring the public, but I think the public needs to be brought at the beginning of the process, because this is our infrastructure, and this is something that is on us, like citizens, more than just a state or super state kind of infrastructure.
You mentioned a moment ago, commercial interests, and it's a sort of a running theme within the paper itself. How should the European Health Data Space account for the growth and increased use of AI, especially, like I said, you point out towards the end of the paper the role of Big Tech companies in setting up data sharing infrastructure. So given the increased pace of of artificial intelligence, what role if any, will that play? And what does that mean from an ethics and the legal perspective?
Yes, yeah, this is like a big change, change that we are seeing every day. So it's a bit difficult to make some prediction. However, the European Union has already regulates on AI. Concurrently to the developing of the European Health Data Space, they made up the regulation on AI, which is the AI Act, which is going to be, you know, integrated in this legislation around personal data. So, yeah, we have on one side the AI Act, which has already been approved, and on the other side, we have the European Health Data Space. And the European Health Data Space is very clear, is you can so under the secondary use of data and the allowed use of data, there is the implementation of AI technologies, new algorithm testing and training, new algorithm is completely allowed under this regulation, so they don't see any problem, or at least, like the European Union has, imagine any problem with these as long as of course, this algorithm will not affect and will not create any damage to the citizens, of course. I mean, personally, I have some concerns around, first of all, how we can be sure that an AI might not develop after into so a repurposing of an AI model that at the beginning was completely fair and was developed for using health data of European citizens, and was developed with good intention, then be repurposed for other intention or other purposes that were not envisaged at the beginning. So this is my first concern. This is, has not being regulated, which is maybe a third use of health data at this point. And the second point, which is around like the access the data access by corporate for example, corporate institution. The status quo before the European Health Data Space was basically that the GDPR, the big statement of the GDPR was we are not going to share our data with someone who is not in in one of the European countries. And then there were some provision that allow these, so the first is like, no, but we can do that if you're compliant, for example. So if you have a law that is exactly the same as the GDPR, or if you come from, I mean, some certain countries, or there were some instances where this was okay, the European Health Data Space just say, you can send the request to the Health Data Access Body. And if your usage is going to be, if your usage is going to be fair, you can access the data. What we are worried is that this is going to probably, we're going to see a bit of sector creep. So basically, when you you have already a privilege in one sector, and you're going to overtake a privilege in another sector because you're exploiting your position in a market, and then you're going to basically, yeah, switch to another sector very easily. And there, the European Union never talks about money also, so financially is not going to be an expensiveprocedure, the accessing European data, and there are some fees involved. In the process, but they're not expensive, and what I'm wondering more is, where is the return to the public? So we're investing our money to create this infrastructure, and we are not setting high fees because we want everyone access our data, and then the private companies are going, I would say, fairly, train their algorithm and producing their own products that they will then sell to our market, and where is the return to the public? Yes, this is what I'm still wondering.
Yeah, I think the long-term ramifications, it's, I don't envy lawmakers when it comes to trying to put together laws around such technologies because of the rapid change of pace and just because people get creative about how to do things. But I do think he return on investment to the public is a really good point. Vittoria,what are you working on right now?
Right now, I'm finishing my PhD, and I'm not very distant to what I'm doing at the moment. So I'm working on how we can repurpose and reuse health data, especially collected in emergencies, for different uses. So for example, in policing, law enforcement and crime investigation. So I'm looking at all the possible inter-agency, data sharing situations and how we can manage them, and hopefully more in a more ethical and legal also way. So, yeah.
Well, I can speak for for the audience, we're really excited to, well, first of all, awesome and good luck, and we're really excited to see what comes of of your very important research, because this is a topic that's not going to go away. I want to thank Vittoria for joining us today, and I want to thank you for listening to this episode of the SHE Research Podcast. You can find the paper we discussed linked in this episode's notes along with the transcript. SHE Pod is produced by SHE Network and edited by Ella Dungey. I want to take this opportunity also to thank Regina Botros who has, for the last few years, been an amazing producer and has worked her magic on the many occasions I have not. You can find our other episodes on Spotify, RadioPublic, Anchor, or wherever you get your podcasts. Thanks again for listening. Goodbye.
