In the process of healthcare services, data collection often goes hand in hand with patient-initiated or routine hospital treatments. However, as technology advances and commercialisation demands grow, clinical data that was originally only used for diagnosis and treatment is increasingly being put into other scenarios, such as pharmaceutical research and development, insurance pricing, and marketing. This raises the question of compliance with secondary data use: when the patient authorises or implicitly permits the collection of information for diagnosis and treatment, does the subsequent use still comply with legal requirements?
01 Typical scenarios of secondary use
As the application of medical data continues to expand, its secondary use has become a key factor in driving the development of the healthcare industry. However, the secondary use of data also raises a number of compliance issues. The following are three major secondary utilisation scenarios:
a. Pharmaceutical research: Pharmaceutical or biotech companies want to obtain clinical samples and patient data for new drug development or efficacy evaluation. If the hospital's collaboration with the company goes beyond the scope of what the patient was originally informed of, the basis of legality must be reconfirmed.
b. Risk assessment for insurance companies: Commercial insurance companies often need to collect a wide range of medical records, genetic tests, and consultation records in order to price accurately or screen risk based on the health data of their policyholders or insured persons. Once connected to a third-party health platform, ensuring data subject authorisation and privacy security becomes the primary challenge.
c. Commercial health app marketing: Some health management apps provide exercise monitoring and nutritional advice on the surface, but secretly sell a large amount of the health indicators and disease histories collected from users to related companies for advertising. If the user's ‘separate consent’ has not been obtained, this is a serious violation of the Personal Information Protection Law or of the GDPR's rules on sensitive data.
02 Differences in the basis of legitimacy and ‘compatibility of purposes’
The GDPR introduces the principle of purpose limitation and compatibility of the purposes of data processing in Articles 5 and 6: processing may be extended to a new purpose if that purpose is ‘compatible’ with the original one and rests on the same lawful basis; otherwise a new consent or another justified basis is required. For health data (special categories), the more stringent requirements of Article 9 of the GDPR must also be met.
China's Personal Information Protection Law likewise requires processing to be ‘limited to the minimum extent necessary to achieve the purpose of the processing’, and if the purpose changes (e.g., from diagnosis and treatment to commercial advertising), the individual's consent must be obtained again. This means that extending use from clinical care to scientific research without clear legal authorisation or prior notice to the patient is likely to be considered ‘use beyond the purpose’. Doctors and researchers often ask whether such frequent re-authorisation hinders research, and some experts have therefore proposed a ‘public interest research exemption based on strict ethics review and de-identification’. Such an exemption has not yet been spelled out in the law. In practice, ethics review and de-identification have already become the common path by which research projects obtain and use data in a compliant manner; what remains open is the exemption's precise legal effect and scope of application.
03 Public Health and Scientific Research Exemptions
Article 9(2)(i) and (j) of the GDPR provide a more flexible legal basis for public health, scientific research and other public interest scenarios. Health data can be processed without obtaining the individual's consent again, as long as there is a lawful authorisation, sufficient security safeguards (e.g. anonymisation or pseudonymisation) and supervision by an ethics or competent authority. This facilitates medical big data research in the public interest, such as the prevention and control of infectious diseases and large-scale epidemiological surveys.
Article 13 of China's Personal Information Protection Law also lists situations, such as news reporting, public opinion monitoring and emergency response in the public interest, in which an individual's consent is not required. However, the scientific research exception is relatively narrow and lacks detailed provisions of the kind found in the GDPR. In practice, most research projects still require patients to sign a written consent form. If it is not possible to contact each patient, the only route is to de-identify the data and pass ethics review, so that the requirement of ‘separate consent’ no longer applies.
04 Compliance Risks and Case Alerts
In Europe, there have been cases where hospitals were penalised for sharing patient data on a large scale with third-party research organisations because they did not inform patients at the time of collection that the data would be used for such research. Even where the goal is public research, the legal process cannot be skipped.
In China, some so-called ‘digital healthcare companies’ have privately sold user medical data to insurance or healthcare marketers and ended up subject to administrative or criminal penalties. The Personal Information Protection Law imposes severe penalties for the illegal sale of sensitive information, with fines of up to 50 million yuan or 5% of the previous year's turnover; serious cases may also constitute the offence of infringing on citizens' personal information.
05 Response: Explicit, Multi-Level Authorisation and De-Identification
a. Explicit authorisation: When a patient first signs a healthcare service agreement, transparent notice of any research or subsequent use should be included; if there are significant changes, consent should be sought a second time.
b. Multi-level authorisation: Healthcare providers can offer different ‘authorisation levels’, so that patients can independently choose whether to allow clinical use only, to participate in scientific research projects, to allow AI model training, and so on.
c. De-identification: Pseudonymise or anonymise data with potential for secondary use at an early stage, to mitigate the impact on individual privacy and reduce compliance barriers.
d. Review and filing: Conduct a DPIA (GDPR) or personal information protection impact assessment (PIPL) before large-scale research or commercial collaborations, keep records of the review, and file with regulatory authorities or ethics committees as necessary.
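The measures in b, c and d above translate directly into access-control logic. The following is an added illustration (it is not code from the original article or from the law firm) of how a data controller might enforce purpose-bound release: each patient record carries the set of purposes the patient authorised, a request for a purpose outside that set is refused and logged, and any non-clinical release strips direct identifiers, replaces the patient identifier with a keyed pseudonym (HMAC-SHA256 under a key the controller never exports) and coarsens age into a band. The purpose labels, field names and sample record are constructed for the example.

```python
"""Purpose-bound release of health records with pseudonymisation (added example)."""
import hmac
import hashlib
from dataclasses import dataclass

# Authorisation levels from the article; the labels are assumed, not a legal taxonomy.
CLINICAL = "clinical"
RESEARCH = "research"
AI_TRAINING = "ai_training"
PURPOSES = {CLINICAL, RESEARCH, AI_TRAINING}

# Fields that directly identify a patient and must not leave the clinical context.
DIRECT_IDENTIFIERS = ("name", "id_number", "phone")


class PurposeNotCoveredError(PermissionError):
    """Raised when a requested use is outside the purposes the patient authorised."""


@dataclass(frozen=True)
class Consent:
    patient_id: str
    allowed_purposes: frozenset


class HealthDataStore:
    """Holds clinical records and releases them only for an authorised purpose."""

    def __init__(self, pseudonym_key: bytes):
        self._key = pseudonym_key      # secret held by the controller, never exported
        self._consents = {}
        self._records = {}
        self.audit_log = []            # (patient_id, purpose, decision), kept for the DPIA file

    def register(self, consent: Consent, record: dict) -> None:
        if not consent.allowed_purposes <= PURPOSES:
            raise ValueError("unknown purpose in consent")
        if CLINICAL not in consent.allowed_purposes:
            raise ValueError("a treatment record always carries the clinical purpose")
        self._consents[consent.patient_id] = consent
        self._records[consent.patient_id] = dict(record)

    def pseudonymise(self, patient_id: str) -> str:
        """Keyed hash: stable for record linkage, not reversible without the key."""
        return hmac.new(self._key, patient_id.encode(), hashlib.sha256).hexdigest()[:16]

    def release(self, patient_id: str, purpose: str) -> dict:
        consent = self._consents[patient_id]
        if purpose not in consent.allowed_purposes:
            self.audit_log.append((patient_id, purpose, "refused"))
            raise PurposeNotCoveredError(f"{purpose!r} not authorised for {patient_id}")
        record = dict(self._records[patient_id])
        if purpose == CLINICAL:
            self.audit_log.append((patient_id, purpose, "full"))
            return record
        # Secondary use: drop direct identifiers, add a pseudonym, coarsen age.
        for ident in DIRECT_IDENTIFIERS:
            record.pop(ident, None)
        record["pseudonym"] = self.pseudonymise(patient_id)
        if "age" in record:
            decade = record.pop("age") // 10 * 10
            record["age_band"] = f"{decade}-{decade + 9}"
        self.audit_log.append((patient_id, purpose, "pseudonymised"))
        return record


def demo() -> dict:
    """Constructed sample patient; returns the outcome of three release requests."""
    store = HealthDataStore(pseudonym_key=b"controller-secret-key-demo")
    store.register(
        Consent("P001", frozenset({CLINICAL, RESEARCH})),
        {"name": "Example Patient", "id_number": "ID-FAKE-0001",
         "phone": "000-0000", "age": 34, "diagnosis": "type 2 diabetes"},
    )
    outcome = {"clinical": store.release("P001", CLINICAL),
               "research": store.release("P001", RESEARCH)}
    try:
        store.release("P001", AI_TRAINING)      # not in the patient's consent
        outcome["ai_training"] = "released"
    except PurposeNotCoveredError:
        outcome["ai_training"] = "refused"
    outcome["audit"] = list(store.audit_log)
    return outcome


if __name__ == "__main__":
    for purpose, result in demo().items():
        print(purpose, "->", result)
```

Two design points worth noting. The pseudonym is a keyed hash rather than a plain SHA-256 of the identifier, because an unkeyed hash of a low-entropy value such as a patient number can be reversed by enumeration; only the controller, who holds the key, can re-link a pseudonymised row to a patient, which is what keeps the data pseudonymised rather than anonymised under the GDPR. The audit log records refusals as well as releases, which is the evidence a DPIA or ethics committee will ask for.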
Overall, ‘lawful basis’ and ‘purpose compatibility’ are the key challenges in secondary data use. Before sharing or reusing health data, medical institutions, research institutes and commercial platforms should ask themselves: Is the use still within the scope of the original legitimate purpose? Has the explicit consent of the data subject, or a legal authorisation in the public interest, been obtained? Has the data been given the necessary security safeguards and anonymisation? The answers to these questions determine whether the project can proceed smoothly and directly reflect the organisation's respect for patients' rights.
Special Announcement:
This article was originally written by the lawyers of JIA LAWYER Law Firm and represents only the author's own views, and shall not be regarded as a formal legal opinion or advice issued by JIA LAWYER Law Firm or its lawyers. If you need to reproduce or quote any content of this article, please indicate the source.
© Beijing JAVY Law Firm Beijing ICP Registration No. 18018264-1