Article 46, Data permit, Articles of the European Health Data Space (EHDS), (Proposal_3.5.2022)
1. Health data access bodies shall assess if the application fulfils one of the purposes listed in Article 34(1) of this Regulation, if the requested data is necessary for the purpose listed in the application and if the requirements in this Chapter are fulfilled by the applicant. If that is the case, the health data access body shall issue a data permit.
2. Health data access bodies shall refuse all applications including one or more purposes listed in Article 35 or where requirements in this Chapter are not met.
3. A health data access body shall issue or refuse a data permit within 2 months of receiving the data access application. By way of derogation from that Regulation […] [Data Governance Act COM/2020/767 final], the health data access body may extend the period for responding to a data access application by 2 additional months where necessary, taking into account the complexity of the request. In such cases, the health data access body shall notify the applicant as soon as possible that more time is needed for examining the application, together with the reasons for the delay. Where a health data access body fails to provide a decision within the time limit, the data permit shall be issued.
4. Following the issuance of the data permit, the health data access body shall immediately request the electronic health data from the data holder. The health data access body shall make available the electronic health data to the data user within 2 months after receiving them from the data holders, unless the health data access body specifies that it will provide the data within a longer specified timeframe.
5. When the health data access body refuses to issue a data permit, it shall provide a justification for the refusal to the applicant.
6. The data permit shall set out the general conditions applicable to the data user, in particular:
(a) types and format of electronic health data accessed, covered by the data permit, including their sources;
(b) purpose for which data are made available;
(c) duration of the data permit;
(d) information about the technical characteristics and tools available to the data user within the secure processing environment;
(e) fees to be paid by the data user;
(f) any additional specific conditions in the data permit granted.
7. Data users shall have the right to access and process the electronic health data in accordance with the data permit delivered to them on the basis of this Regulation.
8. The Commission is empowered to adopt delegated acts to amend the list of aspects to be covered by a data permit in paragraph 7 of this Article, in accordance with the procedure set out in Article 67.
9. A data permit shall be issued for the duration necessary to fulfil the requested purposes which shall not exceed 5 years. This duration may be extended once, at the request of the data user, based on arguments and documents to justify this extension provided, 1 month before the expiry of the data permit, for a period which cannot exceed 5 years. By way of derogation from Article 42, the health data access body may charge increasing fees to reflect the costs and risks of storing electronic health data for a longer period of time exceeding the initial 5 years.
In order to reduce such costs and fees, the health data access body may also propose to the data user to store the dataset in storage system with reduced capabilities. The data within the secure processing environment shall be deleted within 6 months following the expiry of the data permit. Upon request of the data user, the formula on the creation of the requested dataset shall be stored by the health data access body.
10. If the data permit needs to be updated, the data user shall submit a request for an amendment of the data permit.
11. Data users shall make public the results or output of the secondary use of electronic health data, including information relevant for the provision of healthcare, no later than 18 months after the completion of the electronic health data processing or after having received the answer to the data request referred to in Article 47.
Those results or output shall only contain anonymised data. The data user shall inform the health data access bodies from which a data permit was obtained and support them to make the information public on health data access bodies’ websites. Whenever the data users have used electronic health data in accordance with this Chapter, they shall acknowledge the electronic health data sources and the fact that electronic health data has been obtained in the context of the EHDS.
12. Data users shall inform the health data access body of any clinically significant findings that may influence the health status of the natural persons whose data are included in the dataset.
13. The Commission may, by means of implementing act, develop a logo for acknowledging the contribution of the EHDS. That implementing act shall be adopted in accordance with the advisory procedure referred to in Article 68(2).
14. The liability of health data access bodies as joint controller is limited to the scope of the issued data permit until the completion of the processing activity.