15.09.2025

The Law on Medical Documentation Requires Amendment

The President of the Personal Data Protection Office, Mirosław Wróblewski, has appealed to the Minister of Health, Jolanta Sobierańska-Grenda, and the Minister of Science and Higher Education, Marcin Kulasek, to incorporate provisions into national legislation that safeguard personal data in the context of sharing medical documentation for scientific purposes.

This appeal stems from concerns raised by medical and scientific communities, as well as the Medical Research Agency, regarding the interpretation and application of the Patient Rights Act and the Act on Higher Education and Science, particularly in relation to the use of medical data for research.

According to President Wróblewski, changes to national law are essential to ensure compliance with EU regulations, including the European Health Data Space (EHDS) Regulation, the Data Governance Act, and the Artificial Intelligence Act. The legal basis for processing data necessary for scientific research may be found in Article 9(2)(j) of Regulation 2016/679 (GDPR), in conjunction with Article 26(4) of the Patient Rights Act and Article 469b(2)–(4) of the Higher Education and Science Act. However, current national regulations are inconsistent and raise interpretative concerns. Moreover, their scope does not meet the needs of scientific research or medical services.

Under existing legislation (Article 26 of the Patient Rights Act), it is prohibited to share personal data from medical records in a manner that allows identification of the individual concerned. Therefore, such documentation may only be shared for research purposes if the personal data is anonymised. Medical data includes special categories of personal data (as defined in Article 9 of the GDPR) and often reveals additional sensitive information beyond health status. It may also contain data about third parties.

President Wróblewski emphasises that anonymisation must be irreversible and carried out with respect for confidentiality and data integrity.

However, with the advancement of medical sciences and emerging technologies, many stakeholders highlight the need to access medical documentation for scientific purposes in a way that prevents patient identification by the data recipient but allows pseudonymisation, that is, replacing identifying data with values (for example, encrypted or keyed identifiers) that can be attributed to a specific patient only with additional information kept separately by the controller.

The European Data Protection Board (EDPB) states that pseudonymised data, which can be linked to an individual using additional information, should still be considered personal data—even if the additional information held by the pseudonymising controller has been deleted. According to the EDPB, pseudonymised data only becomes anonymous when the conditions for anonymity are fully met.

Pseudonymisation serves as a safeguard for the rights and freedoms of data subjects in the context of scientific research and should be reflected in legislation governing this area of data processing.

Currently, the legislator has not provided adequate regulations for pseudonymisation, allowing only anonymisation when sharing medical documentation for scientific purposes (Article 26 of the Patient Rights Act). The law does not permit exceptions for sharing personal medical data for research, so only non-personal (anonymised) data may be shared. This means that research findings, including those that could be relevant to the treatment of a specific patient, cannot be linked back to that individual and therefore cannot inform their treatment plan.
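The distinction the appeal turns on can be shown concretely. The following Python example is added here as an illustration and is not code from the Personal Data Protection Office or any system it describes; the patient records, the clinical threshold and the key are all constructed. The controller replaces direct identifiers with keyed pseudonyms (HMAC-SHA256 under a secret key that is the "additional information" kept separately) and generalises quasi-identifiers before releasing the dataset. The recipient can produce findings keyed only by pseudonym and cannot match a guessed identity to a row without the key; the controller can relink the findings to a patient. If the key is destroyed and the pseudonym column dropped, the same dataset is what the current law permits, and the finding can no longer reach the patient.

```python
"""Pseudonymisation versus anonymisation of medical records for research use.

Added illustration, not the Office's or any real system's code. The controller
holds a secret key as the separately kept "additional information"; the
recipient sees only pseudonyms and generalised attributes.
"""
import hashlib
import hmac
import secrets

# Constructed sample records; all identities, dates and values are fictitious.
RECORDS = [
    {"patient_id": "PAT-0001", "name": "Anna Kowalska", "birth_date": "1978-03-14",
     "diagnosis": "E11", "hba1c": 8.1},
    {"patient_id": "PAT-0002", "name": "Jan Nowak", "birth_date": "1965-11-02",
     "diagnosis": "E11", "hba1c": 6.9},
    {"patient_id": "PAT-0003", "name": "Maria Wisniewska", "birth_date": "1990-07-30",
     "diagnosis": "I10", "hba1c": 5.4},
]

# Fields that directly identify a patient and never leave the controller.
DIRECT_IDENTIFIERS = ("patient_id", "name", "birth_date")


def pseudonym(patient_id: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the patient id.

    A bare hash would let a recipient who guesses an id recompute and match it;
    with a keyed MAC the pseudonym cannot be recomputed without `key`.
    """
    return hmac.new(key, patient_id.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records: list, key: bytes) -> tuple:
    """Return (dataset for the recipient, linkage table kept by the controller)."""
    dataset, linkage = [], {}
    for rec in records:
        pid = pseudonym(rec["patient_id"], key)
        linkage[pid] = rec["patient_id"]
        row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        row["pseudonym"] = pid
        row["birth_year"] = int(rec["birth_date"][:4])  # generalise quasi-identifier
        dataset.append(row)
    return dataset, linkage


def anonymise(dataset: list) -> list:
    """What the current rules allow: drop the pseudonym so no linkage is possible."""
    return [{k: v for k, v in row.items() if k != "pseudonym"} for row in dataset]


def research_finding(dataset: list) -> list:
    """Recipient side: flag rows meeting a constructed clinical threshold, by pseudonym only.

    Returns an empty list for an anonymised dataset, since there is nothing to key on.
    """
    return [row["pseudonym"] for row in dataset
            if "pseudonym" in row and row["diagnosis"] == "E11" and row["hba1c"] >= 8.0]


def relink(pseudonyms: list, linkage: dict) -> list:
    """Controller side: map findings back to patient ids via the separately held table."""
    return [linkage[p] for p in pseudonyms if p in linkage]


def can_match(dataset: list, guessed_id: str, key: bytes) -> bool:
    """Whether a party holding `key` can tie a guessed patient id to a released row."""
    target = pseudonym(guessed_id, key)
    return any(row["pseudonym"] == target for row in dataset if "pseudonym" in row)


if __name__ == "__main__":
    controller_key = secrets.token_bytes(32)          # kept by the controller only
    released, table = pseudonymise(RECORDS, controller_key)
    flagged = research_finding(released)              # recipient works on pseudonyms
    print("relinked by controller:", relink(flagged, table))
    print("recipient with a random key can match a guessed id:",
          can_match(released, "PAT-0001", secrets.token_bytes(32)))
    print("finding on anonymised data:", research_finding(anonymise(released)))
```

The linkage table and key must stay with the controller, subject to professional confidentiality; the release contains neither. Dropping the pseudonym column and destroying the key turns the release into the anonymised form that Article 26 currently permits, at the cost of the linkage the example shows.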

Meanwhile, the GDPR allows personal data processing for scientific purposes under certain conditions, including both anonymisation and pseudonymisation. The EHDS Regulation (Article 66(2) and (3), and Recital 72) also permits secondary use of health data in anonymised form, and in specific, well-justified cases, in pseudonymised form. The importance of anonymisation and pseudonymisation is further underscored by the AI Act and the Data Governance Act.

Appropriate national legislation is needed in this area. Since current regulations only allow the sharing of non-personal health data for research, a legal basis must be established for sharing pseudonymised personal medical data, ensuring data security in line with GDPR and EHDS requirements.

To uphold the principles of lawfulness, fairness, and transparency, the national legislator must implement EU rules on secondary use of health data by creating clear and precise legal solutions that guarantee the protection of personal health data, including the requirement to maintain professional confidentiality. These solutions must also align with the constitutional order of the Republic of Poland (Articles 47 and 51 in conjunction with Article 31(3)).

The President of the Personal Data Protection Office also notes that implementing the EHDS will require a broader review of national legislation. Some laws, such as those on the health information system and publicly funded healthcare services, may not meet the standards set by EU regulations.

Additionally, drafting legal regulations in this area requires a data protection impact assessment to ensure compliance with GDPR, balance risks to individual rights and freedoms, and provide appropriate safeguards.

Should legislative work commence on these matters, President Wróblewski has pledged expert support from the Personal Data Protection Office.